Bug 216860

Summary: LTC29343-LSPP : netlabelctl tool should print error when used incorrectly
Product: Red Hat Enterprise Linux 5
Reporter: Issue Tracker <tao>
Component: netlabel_tools
Assignee: James Antill <james.antill>
Status: CLOSED CURRENTRELEASE
QA Contact: Tom Kincaid <tkincaid>
Severity: medium
Priority: medium
Version: 5.0
CC: iboverma, linda.knippers, paul.moore, sgrubb, tao
Hardware: All
OS: Linux
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 00:48:12 UTC

Description Issue Tracker 2006-11-22 12:31:20 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2006-11-22 12:31:22 UTC
LTC Owner is: suzukikp.com
LTC Originator is: loulwa.com


---Problem Description---
netlabelctl command fails without any warning messages when the mgmt option is 
used with the wrong parameters
 
Linux oracer3.ltc.austin.ibm.com 2.6.18-1.2747.2.1.el5.lspp.55 #1 SMP Fri Nov 
10 12:21:43 EST 2006 x86_64 x86_64 x86_64 GNU/Linux
 
Machine Type = x86_64
 
---Steps to Reproduce---
Try the netlabelctl command with the mgmt option as follows:
#netlabelctl cipsov4 add pass doi:1 tags:1
#netlabelctl mgmt del default
#netlabelctl mgmt add default protocol:cipsov4,1

The last two commands should print some sort of error message since they 
really don't accept these parameters according to the man page.

As per Klaus, security relevant tools should at least print some error message 
when used incorrectly
 
---Base System Tools Component Data---
Userspace tool common name: netlabel_tools

The userspace tool has the following bit modes: both

Userspace rpm: netlabel_tools-0.17-5.fc6
 
*Additional Instructions for loulwa / loulwa.com:
netlabelctl failing silently gave the impression that the command was working 
when it really was not and no cipso labeling was added to the packets.

LSPP bug, please also cc iboverma and sgrubb
This event sent from IssueTracker by sfernand  [Support Engineering Group]
 issue 107064

Comment 2 Irina Boverman 2006-11-22 15:45:24 UTC
IBM, can we make this bug public?

Comment 3 Issue Tracker 2006-11-22 20:31:24 UTC
Update to issue 107064 by bugzilla
>Action: These changes made by iboverma.
>Bugzilla comment added:
> IBM, can we make this bug public?

>Flag(s) 'rhel-5.0.0?, blocker?, pm_ack+, devel_ack?' added

>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216860 

We have no problem with you making this public.  Stephanie Glass Red Hat 
Project Manager. 


This event sent from IssueTracker by Glen Johnson 
 issue 107064

Comment 4 Irina Boverman 2006-11-22 20:44:02 UTC
making it public.

Comment 5 Ronald Pacheco 2006-11-24 13:58:03 UTC
From Paul Moore:

I am still unable to edit the BZ, please add the following response to the BZ entry.

*******************************************************************************
This should be fixed in revision 29 of the netlabel_tools SVN repository.  I'm
not allowed to add attachments to this entry, so I am including the patch below:

Index: CHANGELOG
===================================================================
--- CHANGELOG   (revision 28)
+++ CHANGELOG   (revision 29)
@@ -5,6 +5,8 @@
 ------------------------------------------------------------------------------
 o Fixed some problems when printing CIPSOv4 and map information when not using
   the '-p' flag
+o Always display an error message if an error occurred, based on patch from
+  Klaus Weidner <klaus>

 * Release Release 0.17 (September 28, 2006)
 ------------------------------------------------------------------------------
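Review bot: The added CHANGELOG entry ("Always display an error message if an error occurred") does not say which case was silent before. The main.c change in this same patch shows the message was previously gated on opt_pretty, so the entry would be more useful to someone auditing tool behaviour if it stated that errors are now written to stderr regardless of that option. That also flags the change for anyone whose scripts relied on quiet failure in the non-pretty mode.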
Index: netlabelctl/main.c
===================================================================
--- netlabelctl/main.c  (revision 28)
+++ netlabelctl/main.c  (revision 29)
@@ -253,8 +253,7 @@
   }
   ret_val = module_main(argc - optind - 1, argv + optind + 1);
   if (ret_val < 0) {
-    if (opt_pretty)
-      fprintf(stderr, MSG_ERR("%s\n"), nlctl_strerror(-ret_val));
+    fprintf(stderr, MSG_ERR("%s\n"), nlctl_strerror(-ret_val));
     ret_val = RET_ERR;
   } else
     ret_val = RET_OK;
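Review bot: In the `if (ret_val < 0)` branch the message is now unconditional, but it is only reached when module_main() returns a negative value, and this hunk does not show what module_main() returns for the misuse cases in the report (`mgmt del default` and `mgmt add default protocol:cipsov4,1`). If the module treats unrecognised arguments as a no-op and returns 0, the tool stays silent and still exits with RET_OK. Worth confirming with the commands from the reproduction steps that both the stderr message and a non-zero exit status appear, and that nlctl_strerror() yields a meaningful string for every code the modules can return.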
*******************************************************************************

-- paul moore linux security @ hp 

Comment 7 James Antill 2006-11-29 21:01:50 UTC
 Fixed for RHEL-5 in netlabel_tools-0.17-9.el5.i386

Comment 8 Jay Turner 2006-12-14 13:13:46 UTC
QE ack for RHEL5.

Comment 10 RHEL Program Management 2007-02-08 00:48:12 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.