From 380d7b65a04d0e9f6547156da9076e0ca8fe1b7d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 02 2019 16:49:43 +0000
Subject: import netlabel_tools-0.20-5.el7
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7b1f33f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/netlabel_tools-0.20.tar.gz
diff --git a/.netlabel_tools.metadata b/.netlabel_tools.metadata
new file mode 100644
index 0000000..ec9707f
--- /dev/null
+++ b/.netlabel_tools.metadata
@@ -0,0 +1 @@
+00d9070a2d60d8cdce2a0bd362c3af8d510d0231 SOURCES/netlabel_tools-0.20.tar.gz
diff --git a/SOURCES/libnetlabel-message_size.patch b/SOURCES/libnetlabel-message_size.patch
new file mode 100644
index 0000000..a894f99
--- /dev/null
+++ b/SOURCES/libnetlabel-message_size.patch
@@ -0,0 +1,26 @@
+commit 8295000fd7d146d2a1eeb75ab2d8fe0c598b8e99
+Author: Paul Moore
+Date: Wed Jan 15 10:00:27 2014 -0500
+
+ libnetlabel: increase the default message size of 8k
+
+ In some cases, e.g. a CIPSO DOI definition with a large number of
+ translations, the message would be too large to fit in the default
+ message buffer. This patch fixes this by increasing the default
+ message size to 8kb.
+
+ Signed-off-by: Paul Moore
+
+diff --git a/libnetlabel/netlabel_init.c b/libnetlabel/netlabel_init.c
+index 79ba80e..ad2b7f6 100644
+--- a/libnetlabel/netlabel_init.c
++++ b/libnetlabel/netlabel_init.c
+@@ -46,6 +46,8 @@ int nlbl_init(void)
+ {
+ int ret_val;
+
++ nlmsg_set_default_size(8096);
++
+ ret_val = nlbl_mgmt_init();
+ if (ret_val < 0)
+ return ret_val;
diff --git a/SOURCES/libnetlabel-nla_put_nested_fix.patch b/SOURCES/libnetlabel-nla_put_nested_fix.patch
new file mode 100644
index 0000000..512d595
--- /dev/null
+++ b/SOURCES/libnetlabel-nla_put_nested_fix.patch
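Review bot: The literal on the added line `nlmsg_set_default_size(8096);` does not match the size the commit message describes ("8k", "8kb"): 8 KiB is 8192, and 8096 looks like a transposed digit. It still fixes the reported failure because any buffer large enough for the big CIPSO DOI message will do, but the value should be a named constant with the intended size, e.g. `nlmsg_set_default_size(NLBL_MSG_DEFAULT_SIZE); /* 8 KiB */` defined once in the library header, rather than a bare literal inside nlbl_init(), whose body continues outside the hunk. Raising the default only moves the limit; a DOI definition larger than the new default still fails inside nla_put_nested(), and that failure is only reported to the caller because the companion libnetlabel-nla_put_nested_fix.patch checks its return code.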
@@ -0,0 +1,87 @@
+commit e69d8f8cc7b6418fb290fef993d6c46858391c1e
+Author: Paul Moore
+Date: Wed Jan 15 09:49:18 2014 -0500
+
+ libnetlabel: check the return code of nla_put_nested()
+
+ In some cases nla_put_nested() was failing and not being caught by the
+ library which led to some odd error cases. This patch fixes this by
+ checking for errors and returning them to the caller.
+
+
Signed-off-by: Paul Moore
+
+diff --git a/libnetlabel/mod_cipsov4.c b/libnetlabel/mod_cipsov4.c
+index abc7cd6..3316118 100644
+--- a/libnetlabel/mod_cipsov4.c
++++ b/libnetlabel/mod_cipsov4.c
+@@ -302,7 +302,9 @@ int nlbl_cipsov4_add_trans(struct nlbl_handle *hndl,
+ if (ret_val != 0)
+ goto add_std_return;
+ }
+- nla_put_nested(msg, NLBL_CIPSOV4_A_TAGLST, nest_msg_a);
++ ret_val = nla_put_nested(msg, NLBL_CIPSOV4_A_TAGLST, nest_msg_a);
++ if (ret_val != 0)
++ goto add_std_return;
+ nlbl_msg_free(nest_msg_a);
+ nest_msg_a = NULL;
+
+@@ -327,11 +329,16 @@ int nlbl_cipsov4_add_trans(struct nlbl_handle *hndl,
+ lvls->array[iter * 2 + 1]);
+ if (ret_val != 0)
+ goto add_std_return;
+- nla_put_nested(nest_msg_a, NLBL_CIPSOV4_A_MLSLVL, nest_msg_b);
++ ret_val = nla_put_nested(nest_msg_a, NLBL_CIPSOV4_A_MLSLVL,
++ nest_msg_b);
++ if (ret_val != 0)
++ goto add_std_return;
+ nlbl_msg_free(nest_msg_b);
+ nest_msg_b = NULL;
+ }
+- nla_put_nested(msg, NLBL_CIPSOV4_A_MLSLVLLST, nest_msg_a);
++ ret_val = nla_put_nested(msg, NLBL_CIPSOV4_A_MLSLVLLST, nest_msg_a);
++ if (ret_val != 0)
++ goto add_std_return;
+ nlbl_msg_free(nest_msg_a);
+ nest_msg_a = NULL;
+
+@@ -356,11 +363,16 @@ int nlbl_cipsov4_add_trans(struct nlbl_handle *hndl,
+ cats->array[iter * 2 + 1]);
+ if (ret_val != 0)
+ goto add_std_return;
+- nla_put_nested(nest_msg_a, NLBL_CIPSOV4_A_MLSCAT, nest_msg_b);
++ ret_val = nla_put_nested(nest_msg_a, NLBL_CIPSOV4_A_MLSCAT,
++ nest_msg_b);
++ if (ret_val != 0)
++ goto add_std_return;
+ nlbl_msg_free(nest_msg_b);
+ nest_msg_b = NULL;
+ }
+- nla_put_nested(msg, NLBL_CIPSOV4_A_MLSCATLST, nest_msg_a);
++ ret_val = nla_put_nested(msg, NLBL_CIPSOV4_A_MLSCATLST, nest_msg_a);
++ if (ret_val != 0)
++ goto add_std_return;
+ nlbl_msg_free(nest_msg_a);
+ nest_msg_a = NULL;
+
+@@ -455,7 +467,9 @@ int nlbl_cipsov4_add_pass(struct nlbl_handle *hndl,
+ if (ret_val != 0)
+ goto add_pass_return;
+ }
+- nla_put_nested(msg, NLBL_CIPSOV4_A_TAGLST, nest_msg);
++ ret_val = nla_put_nested(msg,
NLBL_CIPSOV4_A_TAGLST, nest_msg);
++ if (ret_val != 0)
++ goto add_pass_return;
+
+ /* send the request */
+ ret_val = nlbl_comm_send(p_hndl, msg);
+@@ -539,7 +553,9 @@ int nlbl_cipsov4_add_local(struct nlbl_handle *hndl, nlbl_cv4_doi doi)
+ ret_val = nla_put_u8(nest_msg, NLBL_CIPSOV4_A_TAG, 128);
+ if (ret_val != 0)
+ goto add_local_return;
+- nla_put_nested(msg, NLBL_CIPSOV4_A_TAGLST, nest_msg);
++ ret_val = nla_put_nested(msg, NLBL_CIPSOV4_A_TAGLST, nest_msg);
++ if (ret_val != 0)
++ goto add_local_return;
+
+ /* send the request */
+ ret_val = nlbl_comm_send(p_hndl, msg);
diff --git a/SOURCES/netlabelctl-addr_parse_fix.patch b/SOURCES/netlabelctl-addr_parse_fix.patch
new file mode 100644
index 0000000..5d586af
--- /dev/null
+++ b/SOURCES/netlabelctl-addr_parse_fix.patch
@@ -0,0 +1,77 @@
+netlabelctl: add additional validation code to the network address parser
+
+From: Paul Moore
+
+It is possible to use network masks with non-integer values or integer
+values greater than the size of the network address, this patch fixes
+this.
+
+Signed-off-by: Paul Moore
+---
+ netlabelctl/main.c | 39 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/netlabelctl/main.c b/netlabelctl/main.c
+index 4479bbf..6c4ab7f 100644
+--- a/netlabelctl/main.c
++++ b/netlabelctl/main.c
+@@ -210,7 +210,30 @@ void nlctl_addr_print(const struct nlbl_netaddr *addr)
+ }
+
+ /**
+- * Add a domain mapping to NetLabel
++ * Parse an unsigned interger number
++ * @param str the number string
++ * @param num pointer to number to return
++ *
++ * Parse an unsigned integer number string and returns the value in @num.
++ * Returns zero on success, negative values on failure.
++ *
++ */
++static int _nlctl_num_parse(char *str, uint32_t *num)
++{
++ char *spot = str;
++
++ while (*spot != '\0') {
++ if (*spot < '0' || *spot > '9')
++ return -EINVAL;
++ spot++;
++ }
++
++ *num = atoi(str);
++ return 0;
++}
++
++/**
++ * Parse a network address/mask pair
+ * @param addr_str the IP address/mask in string format
+ * @param addr the IP address/mask in native NetLabel format
+ *
+@@ -240,7 +263,12 @@ int nlctl_addr_parse(char *addr_str, struct nlbl_netaddr *addr)
+ ret_val = inet_pton(AF_INET, addr_str, &addr->addr.v4);
+ if (ret_val > 0) {
+ addr->type = AF_INET;
+- iter_a = (mask ?
atoi(mask) : 32);
++ if (mask != NULL) {
++ ret_val = _nlctl_num_parse(mask, &iter_a);
++ if (ret_val < 0 || iter_a > 32)
++ return -EINVAL;
++ } else
++ iter_a = 32;
+ for (; iter_a > 0; iter_a--) {
+ addr->mask.v4.s_addr >>= 1;
+ addr->mask.v4.s_addr |= 0x80000000;
+@@ -253,7 +281,12 @@ int nlctl_addr_parse(char *addr_str, struct nlbl_netaddr *addr)
+ ret_val = inet_pton(AF_INET6, addr_str, &addr->addr.v6);
+ if (ret_val > 0) {
+ addr->type = AF_INET6;
+- iter_a = (mask ? atoi(mask) : 128);
++ if (mask != NULL) {
++ ret_val = _nlctl_num_parse(mask, &iter_a);
++ if (ret_val < 0 || iter_a > 128)
++ return -EINVAL;
++ } else
++ iter_a = 128;
+ for (iter_b = 0; iter_a > 0 && iter_b < 4; iter_b++) {
+ for (; iter_a > 0 &&
+ addr->mask.v6.s6_addr32[iter_b] < 0xffffffff;
diff --git a/SPECS/netlabel_tools.spec b/SPECS/netlabel_tools.spec
new file mode 100644
index 0000000..d0d6a0a
--- /dev/null
+++ b/SPECS/netlabel_tools.spec
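Review bot: The new `_nlctl_num_parse()` only checks that every character is a digit and then calls `atoi(str)`, so the validation this patch adds is incomplete: an empty mask string passes the loop and yields a prefix length of 0, and a long all-digit string overflows `int` inside `atoi()` (undefined behaviour, and glibc's result is unspecified) before the `iter_a > 32` / `iter_a > 128` bound checks in nlctl_addr_parse() get to run. Since this helper exists to reject bad operator input, it should reject the empty string and parse with `strtoul()` under an `ERANGE` check and an explicit `UINT32_MAX` bound; the `-EINVAL` return convention and the `uint32_t *num` interface stay as they are. The digit loop already rules out signs and whitespace, so the end-pointer check below is just a second line of defence. Where `mask` is split off from `addr_str`, and the rest of nlctl_addr_parse(), lie outside the hunk.
```c
static int _nlctl_num_parse(char *str, uint32_t *num)
{
	char *spot = str;
	char *end = NULL;
	unsigned long val;

	/* an empty string is not a number; atoi() would have returned 0 */
	if (str == NULL || *str == '\0')
		return -EINVAL;
	while (*spot != '\0') {
		if (*spot < '0' || *spot > '9')
			return -EINVAL;
		spot++;
	}

	/* digits only, so the remaining failure modes are overflow and range */
	errno = 0;
	val = strtoul(str, &end, 10);
	if (errno == ERANGE || *end != '\0' || val > UINT32_MAX)
		return -EINVAL;
	*num = (uint32_t)val;
	return 0;
}
```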
@@ -0,0 +1,180 @@
+Summary: Tools to manage the Linux NetLabel subsystem
+Name: netlabel_tools
+Version: 0.20
+Release: 5%{?dist}
+License: GPLv2
+Group: System Environment/Daemons
+URL: http://netlabel.sf.net/
+Source0: http://downloads.sourceforge.net/netlabel/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}
+Requires: kernel >= 2.6.19
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: kernel-headers >= 2.6.19
+BuildRequires: libnl-devel
+BuildRequires: doxygen
+BuildRequires: systemd
+
+Patch01: netlabelctl-addr_parse_fix.patch
+Patch02: libnetlabel-nla_put_nested_fix.patch
+Patch03: libnetlabel-message_size.patch
+
+%description
+NetLabel is a kernel subsystem which implements explicit packet labeling
+protocols such as CIPSO for Linux. Packet labeling is used in secure networks
+to mark packets with the security attributes of the data they contain. This
+package provides the necessary user space tools to query and configure the
+kernel subsystem.
+
+%prep
+%setup -q
+
+%patch01 -p1
+%patch02 -p1
+%patch03 -p1
+
+%build
+./configure --prefix="%{_prefix}" --libdir="%{_libdir}" --enable-systemd
+CFLAGS="%{optflags}" make V=1 %{?_smp_mflags}
+
+%install
+rm -rf "%{buildroot}"
+mkdir -p "%{buildroot}/etc"
+mkdir -p "%{buildroot}/%{_sbindir}"
+mkdir -p "%{buildroot}/%{_unitdir}"
+mkdir -p "%{buildroot}/%{_mandir}"
+make V=1 DESTDIR="%{buildroot}" install
+
+%preun
+%systemd_preun netlabel.service
+
+%postun
+%systemd_postun
+
+%post
+%systemd_post netlabel.service
+
+%files
+%defattr(-,root,root)
+%doc README CHANGELOG LICENSE
+%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0755,root,root) %{_sbindir}/netlabelctl
+%attr(0755,root,root) %{_sbindir}/netlabel-config
+%attr(0644,root,root) %{_unitdir}/netlabel.service
+%attr(0644,root,root) %config(noreplace) /etc/netlabel.rules
+
+%changelog
+* Thu Feb 27 2014 Paul Moore - 0.20-5
+- Build with CFLAGS="${optflags}" (RHBZ #1070780)
+* Fri Jan 24 2014 Daniel Mach - 0.20-4
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Paul Moore - 0.20-3
+- Fix a problem when adding a CIPSO DOI with a large number of translations
+- Remove old patches
+ Resolves: #1053687
+
+* Fri Dec 27 2013 Daniel Mach - 0.20-2
+- Mass rebuild 2013-12-27
+
+* Fri Oct 25 2013 Paul Moore - 0.20-1
+- Add input validation on network address masks (#1003909)
+
+* Mon Jun 3 2013 Paul Moore - 0.20-0
+- Version bump to match latest upstream
+- Cleanups in the specfile due to changes in the upstream package
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.19-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.19-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.19-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.19-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jun 17 2010 Peter Vrabec - 0.19-8
+- fixing return codes (#602291)
+
+* Wed Jun 16 2010 Peter Vrabec - 0.19-7
+- make initscript LSB compliant (#522818)
+- show version of netlabelctl and libnetlabel in help (#602577)
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-6
+- make initscript LSB compliant (#522818)
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-5
+- increase rel. number
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-4
+- fix license tag in spec (#524310)
+
+* Sat Jul 25 2009 Fedora Release Engineering - 0.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jan 08 2009 Peter Vrabec - 0.19-1
+- upgrade (#478903)
+
+* Mon Oct 27 2008 Peter Vrabec - 0.18-1
+- upgrade (#439833)
+
+* Mon Aug 11 2008 Tom "spot" Callaway - 0.17-8
+- fix license tag
+
+* Mon Feb 11 2008 Steve Conklin - 0.17-7
+- New patch for bz#431766 to resolve conflicts
+
+* Thu Feb 7 2008 Steve Conklin - 0.17-6
+- Various fixes to follow upstream
+- Resolves bz#431765 The example configuration file is invalid
+- Resolves bz#431766 The netlabelctl command fails to run due to newer libnl package
+- Resolves bz#431767 The url listed in the netlabel_tools package is wrong
+
+* Mon Oct 16 2006 James Antill - 0.17-3
+- Add upstream patch.
+- s/p1/p0/ for upstream patch.
+
+* Sat Oct 14 2006 Steve Grubb - 0.17-3
+- Add init scripts and default rules
+
+* Sun Oct 1 2006 James Antill - 0.17-2
+- Upgrade to latest upstream.
+
+* Tue Aug 29 2006 James Antill - 0.16-5
+- Fix install calls for mock.
+
+* Tue Aug 29 2006 James Antill - 0.16-4
+- Fix more reviewing problems, building on newer kernel-headers.
+- Add URL tag.
+
+* Fri Aug 18 2006 James Antill - 0.16-3
+- Fix minor review problems.
+- Added BuildRequires for kernel headers (netlink).
+
+* Fri Aug 18 2006 James Antill - 0.16-2
+- Use root as owner.
+- Contribute to fedora extras.
+
+* Thu Aug 3 2006 Paul Moore 0.16-1
+- Bumped version number.
+
+* Thu Jul 6 2006 Paul Moore 0.15-1
+- Bumped version number.
+
+* Mon Jun 26 2006 Paul Moore 0.14-1
+- Bumped version number.
+- Changes related to including the version number in the path name.
+- Changed the netlabelctl perms from 0750 to 0755.
+- Removed the patch. (included in the base with edits)
+- Updated the description.
+
+* Fri Jun 23 2006 Steve Grubb 0.13-1
+- Initial build.
+
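Review bot: `CFLAGS="%{optflags}" make V=1 %{?_smp_mflags}` in %build only places CFLAGS in make's environment; if the upstream Makefile assigns CFLAGS itself (not visible from here), that assignment takes precedence and the distribution hardening flags in %{optflags} are silently dropped, which is exactly what the 0.20-5 changelog entry says this line was added to prevent. Passing the flags to configure, `CFLAGS="%{optflags}" ./configure --prefix="%{_prefix}" --libdir="%{_libdir}" --enable-systemd`, or as a make command-line variable, `make V=1 CFLAGS="%{optflags}" %{?_smp_mflags}`, makes the override unconditional; a look at the build log for the expected -fstack-protector and _FORTIFY_SOURCE flags would show whether the current form already works. In the same hunk, the 0.20-5 changelog entry is the only one not separated from the entry below it by a blank line.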