Bug 192055 - IPsec does not encrypt some TCP packets when SELinux is enabled
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Dave Jones
QA Contact: Brian Brock
Reported: 2006-05-17 02:00 EDT by Michael Chapman
Modified: 2015-01-04 17:27 EST (History)
Last Closed: 2006-11-24 18:17:22 EST
Description Michael Chapman 2006-05-17 02:00:37 EDT
Description of problem:

IPsec is not encrypting some of the packets of a TCP connection when the
connection is being shut down. This occurs only when SELinux is enabled -- when
SELinux is set to permissive mode the problem does not occur.

Version-Release number of selected component (if applicable):

kernel-smp-2.6.16-1.2111_FC5

How reproducible:

Always.

Steps to Reproduce:
1. Set up host-to-host IPsec between two boxes.
2. Ensure SELinux is enabled on both boxes.
3. Run "nc -l 1234" on the server.
4. Run "nc server 1234" on the client.
5. Ctrl+D on the client to close the connection.

Actual results:

The client's nc process blocks (in poll, after shutdown(SHUT_WR)), waiting on
the connection for the EOF that would be caused by the server sending a FIN
packet back. However, the FIN packet the server sends back is not being encrypted
by IPsec, so it is ignored by the client.

When SELinux is disabled, the connection works correctly.

Expected results:

All packets between the two machines should be encrypted by IPsec.

Additional info:

This tcpdump is between two FC5 machines running kernel-smp-2.6.16-1.2111_FC5,
using IPsec and with SELinux enabled. The trace shows the connection setup
(first 3 packets) immediately followed by the TCP teardown. The FIN+ACK packets
from the server are not being encrypted, so they are being ignored by the client.
The client, which remains in FIN_WAIT1 state, continues retrying.

IP client > server: AH(spi=0x0a079d6e,seq=0x30): ESP(spi=0x0df8d965,seq=0x30),
length 76: 46306 > 1234: S 429419284:429419296(12) win 5840 <mss
1460,sackOK,timestamp 48500169 0,nop,wscale 2>
IP server > client: AH(spi=0x04baa8c7,seq=0x5): ESP(spi=0x0e3cf1f4,seq=0x5),
length 76: 1234 > 46306: S 3746983028:3746983040(12) ack 429419285 win 5792 <mss
1460,sackOK,timestamp 44079596 48500169,nop,wscale 2>
IP client > server: AH(spi=0x0a079d6e,seq=0x31): ESP(spi=0x0df8d965,seq=0x31),
length 68: 46306 > 1234: . 1:13(12) ack 1 win 1460 <nop,nop,timestamp 48500169
44079596>
IP client > server: AH(spi=0x0a079d6e,seq=0x32): ESP(spi=0x0df8d965,seq=0x32),
length 68: 46306 > 1234: F 1:13(12) ack 1 win 1460 <nop,nop,timestamp 48501057
44079596>
IP server.1234 > client.46306: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp
44080483 48501057>
IP server.1234 > client.46306: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp
44080534 48501057>
IP client > server: AH(spi=0x0a079d6e,seq=0x33): ESP(spi=0x0df8d965,seq=0x33),
length 68: 46306 > 1234: F 1:13(12) ack 1 win 1460 <nop,nop,timestamp 48501108
44079596>
IP server.1234 > client.46306: . ack 2 win 1448 <nop,nop,timestamp 44080534
48501108,nop,nop,sack 1 {1:2}>
IP server.1234 > client.46306: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp
44080636 48501108>
IP client > server: AH(spi=0x0a079d6e,seq=0x34): ESP(spi=0x0df8d965,seq=0x34),
length 68: 46306 > 1234: F 1:13(12) ack 1 win 1460 <nop,nop,timestamp 48501210
44079596>
IP server.1234 > client.46306: . ack 2 win 1448 <nop,nop,timestamp 44080636
48501210,nop,nop,sack 1 {1:2}>
IP server.1234 > client.46306: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp
44080840 48501210>
IP client > server: AH(spi=0x0a079d6e,seq=0x35): ESP(spi=0x0df8d965,seq=0x35),
length 68: 46306 > 1234: F 1:13(12) ack 1 win 1460 <nop,nop,timestamp 48501414
44079596>
IP server.1234 > client.46306: . ack 2 win 1448 <nop,nop,timestamp 44080840
48501414,nop,nop,sack 1 {1:2}>

etc.

When SELinux is disabled on both boxes, the sequence is correct:

IP client > server: AH(spi=0x00e2e3a8,seq=0x10): ESP(spi=0x0b53f1a5,seq=0x10),
length 76: 47648 > 1234: S 2068515065:2068515077(12) win 5840 <mss
1460,sackOK,timestamp 46854193 0,nop,wscale 2>
IP server > client: AH(spi=0x0c222294,seq=0x3): ESP(spi=0x079fa8e1,seq=0x3),
length 76: 1234 > 47648: S 1088328967:1088328979(12) ack 2068515066 win 5792
<mss 1460,sackOK,timestamp 42433507 46854193,nop,wscale 2>
IP client > server: AH(spi=0x00e2e3a8,seq=0x11): ESP(spi=0x0b53f1a5,seq=0x11),
length 68: 47648 > 1234: . 1:13(12) ack 1 win 1460 <nop,nop,timestamp 46854193
42433507>
IP client > server: AH(spi=0x00e2e3a8,seq=0x12): ESP(spi=0x0b53f1a5,seq=0x12),
length 68: 47648 > 1234: F 1:13(12) ack 1 win 1460 <nop,nop,timestamp 46854944
42433507>
IP server > client: AH(spi=0x0c222294,seq=0x4): ESP(spi=0x079fa8e1,seq=0x4),
length 68: 1234 > 47648: F 1:13(12) ack 2 win 1448 <nop,nop,timestamp 42434258
46854944>
IP client > server: AH(spi=0x00e2e3a8,seq=0x13): ESP(spi=0x0b53f1a5,seq=0x13),
length 68: 47648 > 1234: . 2:14(12) ack 2 win 1460 <nop,nop,timestamp 46854944
42434258>
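As an added example (not part of the bug report), a small Python checker that joins tcpdump's wrapped output lines back into one record per packet and flags cleartext TCP segments sent between a host pair that has already exchanged AH/ESP-protected traffic in the same direction, which is exactly the unencrypted FIN+ACKs the trace above shows. The sample trace is constructed from the report's excerpt (the names client and server are the report's own placeholders), and the "protected before, cleartext after, same direction" rule is an assumed heuristic for spotting policy bypass, not a kernel or tcpdump feature.

```python
import re

# Constructed sample, modelled on the tcpdump excerpt in the report above.
# tcpdump wraps long records; continuation lines do not start with "IP ".
SAMPLE_TRACE = """\
IP server > client: AH(spi=0x04baa8c7,seq=0x5): ESP(spi=0x0e3cf1f4,seq=0x5),
length 76: 1234 > 46306: S 3746983028:3746983040(12) ack 429419285 win 5792 <mss
1460,sackOK,timestamp 44079596 48500169,nop,wscale 2>
IP server.1234 > client.46306: F 1:1(0) ack 2 win 1448 <nop,nop,timestamp
44080483 48501057>
IP server.1234 > client.46306: . ack 2 win 1448 <nop,nop,timestamp 44080534
48501108,nop,nop,sack 1 {1:2}>
"""

# AH+ESP records show the outer IP pair first, then the inner TCP ports after "length N:";
# plain TCP records put the port directly after the host (host.port).
PROTECTED = re.compile(r"^IP (\S+) > (\S+): AH\(.*?\): ESP\(.*?\), length \d+: (\d+) > (\d+): (\S+)")
CLEARTEXT = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def records(trace):
    """Join tcpdump continuation lines back into one record per packet."""
    out = []
    for line in trace.splitlines():
        if line.startswith("IP "):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out

def parse(record):
    """Return (src, sport, dst, dport, tcp_flags, protected) or None."""
    m = PROTECTED.match(record)
    if m:
        return m[1], m[3], m[2], m[4], m[5], True
    m = CLEARTEXT.match(record)
    return (m[1], m[2], m[3], m[4], m[5], False) if m else None

def find_leaks(trace):
    """Cleartext segments in a direction that already carried AH/ESP traffic."""
    seen_protected, leaks = set(), []
    for rec in records(trace):
        p = parse(rec)
        if p is None:
            continue
        src, sport, dst, dport, flags, protected = p
        if protected:
            seen_protected.add((src, dst))   # this direction is under IPsec policy
        elif (src, dst) in seen_protected:
            leaks.append((src, sport, dst, dport, flags))
    return leaks
```

Run against a real capture, feed the output of tcpdump -n into find_leaks; each returned tuple is a segment that left the host outside the SA its peers were using.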
Comment 1 Dave Jones 2006-10-16 20:51:08 EDT
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.
Comment 2 Dave Jones 2006-11-24 18:17:22 EST
This bug has been mass-closed along with all other bugs that
have been in NEEDINFO state for several months.

Due to the large volume of inactive bugs in bugzilla, this
is the only method we have of cleaning out stale bug reports
where the reporter has disappeared.

If you can reproduce this bug after installing all the
current updates, please reopen this bug.

If you are not the reporter, you can add a comment requesting
it be reopened, and someone will get to it asap.

Thank you.