diff --git a/netlabel b/netlabel
new file mode 100755
index 0000000..4be35bd
--- /dev/null
+++ b/netlabel
@@ -0,0 +1,119 @@
+#!/bin/sh
+#
+# netlabel Start CIPSO labeled networking
+#
+# chkconfig: - 09 91
+# description: Starts and stops CIPSO labeled networking
+#
+# config: /etc/netlabel.rules
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+VAR_SUBSYS_NETLABEL=/var/lock/subsys/netlabel
+RULES=/etc/netlabel.rules
+
+# Source function library.
+. /etc/init.d/functions
+
+# Check that we are root ... so non-root users stop here
+test `id -u` = 0 || exit 4
+test -x /sbin/netlabelctl || exit 5
+test -f $RULES || exit 6
+
+start() {
+ ret_val="0"
+
+ # Loop through rules
+ while read LINE
+ do
+ # Skip comments and blank lines
+ if echo $LINE | egrep '^#|^$' >/dev/null ; then
+ continue
+ fi
+ /sbin/netlabelctl $LINE >/dev/null 2>&1
+ ret="$?"
+ if [ "$ret" != "0" ] ; then
+ ret_val="$ret"
+ fi
+ done < $RULES
+ touch $VAR_SUBSYS_NETLABEL
+ return $ret_val
+}
+
+stop() {
+ rm -f $VAR_SUBSYS_NETLABEL
+
+ # Delete rules
+ list=`/sbin/netlabelctl cipsov4 list 2>/dev/null`
+ ret="$?"
+ if [ x"$list" != "x" ] ; then
+ for line in "$list"
+ do
+ /sbin/netlabelctl cipsov4 del "doi:$line" 2>/dev/null
+ ret="$?"
+ done
+ fi
+ return $ret
+}
+
+status() {
+ # Do not print status if lockfile is missing
+ if [ ! -f "$VAR_SUBSYS_NETLABEL" ]; then
+ echo $"Netlabel is stopped."
+ return 7
+ fi
+
+ # List rules
+ /sbin/netlabelctl -p cipsov4 list 2>/dev/null
+ ret1="$?"
+ /sbin/netlabelctl -p mgmt list 2>/dev/null
+ ret2="$?"
+
+ if [ "$ret1" != "0" -o "$ret2" != "0" ] ; then
+ return 1
+ fi
+ return 0
+}
+
+restart() {
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ stop
+ start
+ RETVAL="$?"
+ ;;
+ stop)
+ stop
+ RETVAL="$?"
+ ;;
+ restart)
+ restart
+ RETVAL="$?"
+ ;;
+ condrestart)
+ [ -e "$VAR_SUBSYS_NETLABEL" ] && restart
+ ;;
+ status)
+ status
+ RETVAL="$?"
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/netlabel.rules b/netlabel.rules
new file mode 100644
index 0000000..34b0880
--- /dev/null
+++ b/netlabel.rules
@@ -0,0 +1,9 @@
+# This file contains the rules for the Netlabel subsystem
+# Each line contains just the arguments to the netlabel command
+
+# creates a CIPSO/IPv4 definition using a DOI value of 1
+cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
+
+# tell the NetLabel system to use this CIPSO/IPv4 defintion by default
+mgmt add default protocol:cipsov4,1
+
diff --git a/netlabel_tools-27_28.patch b/netlabel_tools-27_28.patch
new file mode 100644
index 0000000..0a0ae80
--- /dev/null
+++ b/netlabel_tools-27_28.patch
@@ -0,0 +1,29 @@
+Index: netlabelctl/cipsov4.c
+===================================================================
+--- netlabelctl/cipsov4.c (revision 27)
++++ netlabelctl/cipsov4.c (revision 28)
+@@ -236,7 +236,7 @@
+ printf("STANDARD");
+ break;
+ case CIPSO_V4_MAP_PASS:
+- printf("PASS_THROUGH\n");
++ printf("PASS_THROUGH");
+ break;
+ default:
+ printf("UNKNOWN(%u)", mtype_list[iter]);
+Index: netlabelctl/map.c
+===================================================================
+--- netlabelctl/map.c (revision 27)
++++ netlabelctl/map.c (revision 28)
+@@ -224,8 +224,10 @@
+ printf("UNKNOWN(%u)", domain_p[iter].proto_type);
+ break;
+ }
+- printf(" ");
++ if (iter + 1 < count)
++ printf(" ");
+ }
++ printf("\n");
+ }
+
+ list_return:
diff --git a/netlabel_tools.spec b/netlabel_tools.spec
index 8ae3720..98effb8 100644
--- a/netlabel_tools.spec
+++ b/netlabel_tools.spec
@@ -4,7 +4,7 @@
 Summary: Tools to manage the Linux NetLabel subsystem
 Name: netlabel_tools
 Version: 0.17
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Daemons
 URL: %{home_base_url}
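Review bot: In `stop()`, `for line in "$list"` quotes the whole command substitution, so the loop body runs exactly once with the entire multi-line output of `netlabelctl cipsov4 list` as `$line`; with more than one DOI defined, `cipsov4 del "doi:$line"` receives a value containing newlines and the remaining definitions are never removed. Dropping the quotes (`for line in $list`) iterates per whitespace-separated token, which matches the one-DOI-per-item assumption the `doi:$line` argument already makes; if the list output has more than one field per line that assumption needs checking against netlabelctl. In the same function `ret` from the list call is overwritten by every delete, so a failed list is reported as success whenever the last delete succeeds. Separately, the `condrestart` arm never sets `RETVAL`, so the final `exit $RETVAL` becomes a bare `exit` and returns the status of the `[ -e … ]` test, i.e. 1 when the lock file is absent, where the LSB table in the header promises 0. `start()` also touches `$VAR_SUBSYS_NETLABEL` unconditionally, so `status` reports the labeling as up even when `ret_val` is non-zero and some rules were never applied; guard it with `[ "$ret_val" = "0" ] && touch $VAR_SUBSYS_NETLABEL` or make the partial failure visible on stderr.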
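Review bot: The comment above the `mgmt add default` rule misspells "definition"; suggest `# tell the NetLabel system to use this CIPSO/IPv4 definition by default`. The header comment should also state the comment syntax this file supports: the init script added in the same commit passes every non-matching line verbatim as `netlabelctl` arguments and only recognises comments that start at column 0 (`^#`), so a trailing inline comment on a rule line would reach `netlabelctl` as extra arguments and fail the rule. A line such as `# Comments must start at the beginning of a line; inline comments are not supported` would make that explicit to whoever edits the policy.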