Changes to match upstream

netlabel.rules

@@ -1,9 +1,59 @@
-# This file contains the rules for the Netlabel subsystem
+# This file contains the rules for the Netlabel subsystem, for more information
+# please see the netlabelctl(1) man page.
+#
 # Each line contains just the arguments to the netlabel command
 
-# creates a CIPSO/IPv4 definition using a DOI value of 1
-cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
+####
+# NOTE: By default the kernel sends unlabeled traffic and allows unlabled
+#       traffic into the system, to disable that add the following two lines to
+#       the beginning of your configuration.  However, be warned that you
+#       should only change these settings if you know what you are doing as you
+#       could accidently disable networking with a bad configuration.
+#
 
-# tell the NetLabel system to use this CIPSO/IPv4 defintion by default
-mgmt add default protocol:cipsov4,1
+# Remove the default domain mapping
+#map del default
 
+# Do not accept incoming unlabeled packets
+#unlbl accept off
+
+####
+# Unlabeled examples:
+#
+
+# Enable unlabeled packets
+#unlbl accept on
+
+# Disable unlabeled packets
+#unlbl accept off
+
+
+####
+# CIPSOv4 examples:
+#
+
+# Create a CIPSOv4 DOI definition using a pass-through mapping with a DOI
+# value of 6 and the restricted bitmap tag (CIPSOv4 tag type #1)
+#cipsov4 add pass doi:6 tags:1
+
+# Create a CIPSOv4 DOI definition using a standard mapping with a DOI value
+# of 8 and the restricted bitmap tag (CIPSOv4 tag type #1).  The example
+# below maps MLS sensitivity levels and categories 0 through 2 to the same
+# values for both CIPSO and the Linux LSM
+#cipsov4 add std doi:8 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
+
+
+####
+# LSM mapping examples:
+#
+
+# Create a default mapping for all LSM domains using the unlabeled protocol
+#map add default protocol:unlbl
+
+# Create a default mapping for all LSM domains using the CIPSOv4 protocol
+# with DOI number 6
+#map add default protocol:cipsov4,6
+
+# Create a mapping for the "secret_t" LSM domain and the CIPSOv4 protocol
+# with DOI number 8
+#map add domain:secret_t protocol:cipsov4,8

netlabel_tools-0.17-newlibnl.patch

@@ -0,0 +1,158 @@
+--- netlabel_tools-0.17/libnetlabel/netlabel_comm.c.spc	2008-02-07 08:57:38.000000000 -0600
++++ netlabel_tools-0.17/libnetlabel/netlabel_comm.c	2008-02-07 09:02:01.000000000 -0600
+@@ -8,19 +8,17 @@
+ /*
+  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+  *
+- * This program is free software;  you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
+  *
+  * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+- * the GNU General Public License for more details.
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
+  *
+  * You should have received a copy of the GNU General Public License
+- * along with this program;  if not, write to the Free Software
+- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  *
+  */
+ 
+@@ -100,7 +98,10 @@
+     goto open_failure;
+ 
+   /* set the netlink handle properties */
+-#if LIBNL_VERSION >= 1006
++#if LIBNL_VERSION >= 1008
++  nl_socket_set_peer_port(hndl->nl_hndl, 0);
++  nl_set_passcred(hndl->nl_hndl, 1);
++#elif LIBNL_VERSION == 1006
+   nl_handle_set_peer_pid(hndl->nl_hndl, 0);
+   nl_set_passcred(hndl->nl_hndl, 1);
+ #endif
+@@ -177,7 +178,11 @@
+    * is waiting to be read from the handle */
+   timeout.tv_sec = nlcomm_read_timeout;
+   timeout.tv_usec = 0;
++#if LIBNL_VERSION >= 1008
++  nl_fd = nl_socket_get_fd(hndl->nl_hndl);
++#else
+   nl_fd = nl_handle_get_fd(hndl->nl_hndl);
++#endif
+   FD_ZERO(&read_fds);
+   FD_SET(nl_fd, &read_fds);
+   ret_val = select(nl_fd + 1, &read_fds, NULL, NULL, &timeout);
+@@ -250,7 +255,11 @@
+    * is waiting to be read from the handle */
+   timeout.tv_sec = nlcomm_read_timeout;
+   timeout.tv_usec = 0;
++#if LIBNL_VERSION >= 1008
++  nl_fd = nl_socket_get_fd(hndl->nl_hndl);
++#else
+   nl_fd = nl_handle_get_fd(hndl->nl_hndl);
++#endif
+   FD_ZERO(&read_fds);
+   FD_SET(nl_fd, &read_fds);
+   ret_val = select(nl_fd + 1, &read_fds, NULL, NULL, &timeout);
+@@ -349,6 +358,6 @@
+ #if LIBNL_VERSION == 1005
+   return nl_send_auto_complete(hndl->nl_hndl, nlbl_msg_nlhdr(msg));
+ #elif LIBNL_VERSION >= 1006
+-  return = nl_send_auto_complete(hndl->nl_hndl, msg);
++  return nl_send_auto_complete(hndl->nl_hndl, msg);
+ #endif
+ }
+--- netlabel_tools-0.17/libnetlabel/netlabel_internal.h.spc	2008-02-07 08:58:27.000000000 -0600
++++ netlabel_tools-0.17/libnetlabel/netlabel_internal.h	2008-02-07 09:02:01.000000000 -0600
+@@ -8,19 +8,17 @@
+ /*
+  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+  *
+- * This program is free software;  you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
+  *
+  * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+- * the GNU General Public License for more details.
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
+  *
+  * You should have received a copy of the GNU General Public License
+- * along with this program;  if not, write to the Free Software
+- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  *
+  */
+ 
+@@ -37,11 +35,12 @@
+ /* Specify which version of libnl we are using */
+ /*  1.0-pre5 => 1005 */
+ /*  1.0-pre6 => 1006 */
+-#define LIBNL_VERSION           1005
++/*  1.0-pre8 => 1008 */
++#define LIBNL_VERSION           1008
+ 
+ /* XXX - this whole block will most likely go away once libnl supports Generic
+  * Netlink */
+-#if 1 /* Generic Netlink types */
++#if LIBNL_VERSION <= 1006 /* Generic Netlink types */
+ 
+ /* Generic Netlink message header */
+ struct genlmsghdr {
+--- netlabel_tools-0.17/libnetlabel/netlabel_msg.c.spc	2008-02-07 08:57:55.000000000 -0600
++++ netlabel_tools-0.17/libnetlabel/netlabel_msg.c	2008-02-07 09:02:01.000000000 -0600
+@@ -8,19 +8,17 @@
+ /*
+  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+  *
+- * This program is free software;  you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
+  *
+  * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+- * the GNU General Public License for more details.
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
+  *
+  * You should have received a copy of the GNU General Public License
+- * along with this program;  if not, write to the Free Software
+- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  *
+  */
+ 
+@@ -52,7 +50,11 @@
+   struct genlmsghdr genl_hdr;
+ 
+   /* create the message with a simple netlink header */
++#if LIBNL_VERSION >= 1008
++  msg = nlmsg_alloc();
++#else
+   msg = nlmsg_build_no_hdr();
++#endif
+   if (msg == NULL)
+     goto msg_new_failure;
+ 

netlabel_tools.spec

@@ -1,18 +1,16 @@
-
-%define home_base_url http://free.linux.hp.com/~pmoore/projects/linux_cipso
-
 Summary: Tools to manage the Linux NetLabel subsystem
 Name: netlabel_tools
 Version: 0.17
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Daemons
-URL: %{home_base_url}
-Source0: %{home_base_url}/%{name}-%{version}.tar.gz
+URL: http://netlabel.sf.net/
+Source0: http://downloads.sourceforge.net/netlabel/%{name}-%{version}.tar.gz
 Source1: netlabel
 Source2: netlabel.rules
 Patch1: netlabel_tools-0.17-new-hdrs.patch
 Patch2: netlabel_tools-27_28.patch
+Patch3: netlabel_tools-0.17-newlibnl.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}
 BuildRequires: kernel-headers >= 2.6.18
 BuildRequires: libnl-devel
@@ -31,6 +29,7 @@ configure the kernel subsystem.
 %patch1 -p1
 # Upstream patch.
 %patch2 -p0
+%patch3 -p1
 
 %build
 # Don't use _smp_mflags, it's small and a hand crafted Makefile
@@ -57,6 +56,12 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_mandir}/man8/*
 
 %changelog
+* Thu Feb  7 2008 Steve Conklin <sconklin@redhat.com> - 0.17-6
+- Various fixes to follow upstream
+- Resolves bz#431765 The example configuration file is invalid
+- Resolves bz#431766 The netlabelctl command fails to run due to newer libnl package
+- Resolves bz#431767 The url listed in the netlabel_tools package is wrong
+
 * Mon Oct 16 2006 James Antill <james@and.org> - 0.17-3
 - Add upstream patch.
 - s/p1/p0/ for upstream patch.