Description of problem:
The NetLabel patch in the latest Rawhide kernels needs to be patched to fix an uninitialized value problem where a NetLabel socket's security class could be left at zero in some cases. The attached patches fix this problem as well as a few other, non-critical, issues in the latest NetLabel patchset.

Version-Release number of selected component (if applicable):
The patches are against linux-2.6.17-1.2548.fc6.

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost

Actual results:
The connection is refused by the server.

Expected results:
The connection succeeds.

Additional info:
Hopefully Steve Grubb will be able to issue a new LSPP kernel to test these patches against a wider audience. Assuming no problems with the LSPP kernel I will push this patchset to David Miller and netdev for inclusion in his net-2.6.19 tree. This BZ is also loosely related to #202856. This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if CIPSO is to be part of a LSPP evaluation.
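The failure mode in the description (a per-socket security struct gains a new class field, one allocation path never assigns it, and the zero value later causes the access check to deny the connection) is modelled below in plain C. This is an added illustration, not one of the attached patches; the struct layout, the field names and the class value 21 are constructed for the example and do not reproduce the kernel's real sk_security_struct or SELinux class numbering.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the failure mode, not the kernel's real
 * sk_security_struct or SELinux class numbering. */
#define SECCLASS_UNSET      0u   /* what a forgotten field reads back as */
#define SECCLASS_TCP_SOCKET 21u  /* constructed sample class value */

struct sock_security {
    unsigned int sid;    /* security identifier of the socket */
    unsigned int sclass; /* security class; zero means "never assigned" */
};

/* Buggy allocation path: sets sid but never sets the newly added sclass
 * field, so the zeroed memory leaves it at SECCLASS_UNSET. */
static struct sock_security *sock_security_alloc_buggy(unsigned int sid)
{
    struct sock_security *ss = calloc(1, sizeof *ss);
    if (ss == NULL)
        return NULL;
    ss->sid = sid;
    return ss;
}

/* Fixed allocation path: every field is assigned explicitly, so adding a
 * field to the struct forces the author to decide its initial value here. */
static struct sock_security *sock_security_alloc_fixed(unsigned int sid,
                                                      unsigned int sclass)
{
    struct sock_security *ss = calloc(1, sizeof *ss);
    if (ss == NULL)
        return NULL;
    ss->sid = sid;
    ss->sclass = sclass;
    return ss;
}

/* Permission check in the style of an LSM hook: a socket whose class was
 * never assigned cannot be matched against policy, so it is denied.
 * Returns 0 to allow, -1 to deny. */
int sock_security_check(const struct sock_security *ss)
{
    if (ss == NULL || ss->sclass == SECCLASS_UNSET)
        return -1;
    return 0;
}

/* Exercise one allocation path and report whether the check would allow
 * the connection. Returns 1 if allowed, 0 if denied. */
int connection_allowed(int use_fixed_path)
{
    struct sock_security *ss = use_fixed_path
        ? sock_security_alloc_fixed(42u, SECCLASS_TCP_SOCKET)
        : sock_security_alloc_buggy(42u);
    int allowed = (sock_security_check(ss) == 0);
    free(ss);
    return allowed;
}

/* Audit helper: count how many entries in a table of socket security
 * structs still carry an unassigned class. A non-zero result points at an
 * allocation path that was not updated when the field was added. */
size_t count_unset_class(const struct sock_security *table, size_t n)
{
    size_t unset = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].sclass == SECCLASS_UNSET)
            unset++;
    return unset;
}

int main(void)
{
    printf("buggy path: connection %s\n",
           connection_allowed(0) ? "allowed" : "refused");
    printf("fixed path: connection %s\n",
           connection_allowed(1) ? "allowed" : "refused");
    return 0;
}
```

The buggy path mirrors the reported symptom: nothing crashes, the socket simply fails every class-based check and the server refuses the connection. The audit helper is the kind of check worth running over all live socket security structs after adding a field, since a zero class is silent until a consumer that depends on it (here, sshd) is exercised.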
Created attachment 134343 [details] Correctly initialize the NetLabel fields in sk_security_struct
Created attachment 134344 [details] Remove unused function prototypes
Created attachment 134345 [details] Comment corrections
Created attachment 134346 [details] Cleanup ebitmap_import()
How critical is fixing this initialization issue? For example, is this bug completely debilitating, or is it only exhibited in obscure corner cases?
Paul is on vacation without internet access this week but my experience is that many things work without this fix (telnet, ftp, r commands) but that ssh/sftp does not. It's something that ought to be fixed but I wouldn't hold a beta for it, if that's the question.
Thanks, Linda. Yes, the exact question was whether this is a beta blocker or not. We are coming down to the wire and have to scrutinize every issue. We won't consider this a beta blocker.
Created attachment 135137 [details] Correctly initialize the NetLabel fields This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Created attachment 135139 [details] Remove unused function prototypes This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Created attachment 135140 [details] Comment corrections This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Created attachment 135141 [details] Cleanup ebitmap_import() This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Created attachment 135142 [details] Uninline selinux_netlbl_inode_permission() This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Created attachment 135143 [details] Add some missing #includes to various header files This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Please don't post patches here until they've been merged upstream, and then any patches posted here should be backports of the upstream patches which have been tested with the kernel rpm.
My apologies, wasn't sure what the protocol is for posting fixes. Assuming David Miller pulls the patches into his tree would you like me to port them to the current rawhide kernel or will you be doing the porting as before?
No worries. Probably simplest if I do it once the patches are merged upstream.
*** This bug has been marked as a duplicate of 203348 ***