Bug 209170

Summary: [FC6] IPSec information leak caused by labeled networking
Product: [Fedora] Fedora Reporter: Eric Paris <eparis>
Component: kernelAssignee: Eric Paris <eparis>
Status: CLOSED UPSTREAM QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: high    
Version: 6CC: davej, davem, dwalsh, jmorris, kmacmill, sdsmall, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-12 18:13:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Paris 2006-10-03 18:27:34 UTC 
The labeled networking patches in 2.6-net cause a problem with ipsec

http://marc.theaimsgroup.com/?l=linux-netdev&m=115979927305638&w=2

when upstream comes up with a solution it will need to be backported.
Comment 1 James Morris 2006-10-03 18:44:58 UTC 
Adding DaveM and Stephen Smalley.

The FC6 fix may be backported from the patch I posted upstream, as the changes
going into the upstream kernel and RHEL5 from TCS to consolidate the labeled
networking stuff will change the logic in that area.  This will reduce the
functionality of xfrm labeling, although it is not feature complete in FC6
anyway, and we cannot add new features at this stage.

It's tempting also, to instead set SECURITY_NETWORK_XFRM=n

AFAIK, people who really need this feature need the RHEL5 patches anyway and
will have to use a different kernel in any case.
Comment 2 James Morris 2006-10-04 02:05:54 UTC 
As we have less than 24 hours to resolve this issues, I suggest we proceed with
setting SECURITY_NETWORK_XFRM=n in the kernel configuration to disable the
component causing the problem.

This code is not complete and broken as designed.  The final features and
bugfixes are still being developed upstream.  Users who wish to make use of this
feature are advised to either wait for FC7 or RHEL5, or to try the development
kernels, policies and all related components which would be required for a
functional system, which FC6 will also not have.

Dave, I gather it is simplest if you just do this and commit it to CVS. 
Otherwise let us know.

The compat_net issue is still a critical issue to be resolved -- please advise
of the status of this as soon as possible.
Comment 3 Eric Paris 2006-10-12 18:13:17 UTC 
Since we set SECURITY_NETWORK_XFRM=n this is not an issue.  Closing this bug as
it is fixed upstream and so will be fixed for FC6.