Bug 202863 - NetLabel socket initialization bug
NetLabel socket initialization bug
Status: CLOSED DUPLICATE of bug 203348
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: James Morris
Brian Brock
:
Depends On:
Blocks: 203348
  Show dependency treegraph
 
Reported: 2006-08-16 16:24 EDT by Paul Moore
Modified: 2007-11-30 17:11 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-18 20:09:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Correctly initialize the NetLabel fields in sk_security_struct (5.03 KB, patch)
2006-08-16 16:24 EDT, Paul Moore
no flags Details | Diff
Remove unused function prototypes (1.14 KB, patch)
2006-08-16 16:27 EDT, Paul Moore
no flags Details | Diff
Comment corrections (754 bytes, patch)
2006-08-16 16:30 EDT, Paul Moore
no flags Details | Diff
Cleanup ebitmap_import() (2.32 KB, patch)
2006-08-16 16:31 EDT, Paul Moore
no flags Details | Diff
Correctly initialize the NetLabel fields (5.09 KB, patch)
2006-08-29 10:51 EDT, Paul Moore
no flags Details | Diff
Remove unused function prototypes (1.14 KB, patch)
2006-08-29 10:52 EDT, Paul Moore
no flags Details | Diff
Comment corrections (734 bytes, patch)
2006-08-29 10:55 EDT, Paul Moore
no flags Details | Diff
Cleanup ebitmap_import() (2.30 KB, patch)
2006-08-29 10:56 EDT, Paul Moore
no flags Details | Diff
Uninline selinux_netlbl_inode_permission() (3.74 KB, patch)
2006-08-29 10:57 EDT, Paul Moore
no flags Details | Diff
Add some missing #includes to various header files (2.93 KB, patch)
2006-08-29 10:58 EDT, Paul Moore
no flags Details | Diff

  None (edit)
Description Paul Moore 2006-08-16 16:24:21 EDT
Description of problem:
The NetLabel patch in the latest Rawhide kernels needs to be patched to fix
an uninitialized value problem where a NetLabel socket's security class could
be left at zero in some cases.  The attached patches fix this problem as well
as a few other, non-critical, issues in the latest NetLabel patchset.

Version-Release number of selected component (if applicable):
The patches are against linux-2.6.17-1.2548.fc6.

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost
  
Actual results:
The connection is refused by the server.

Expected results:
The connections succeeds.

Additional info:
Hopefully Steve Grubb will be able to issue a new LSPP kernel to test these 
patches against a wider audience.  Assuming no problems with the LSPP kernel I 
will push this patchset to David Miller and netdev for inclusion in his 
net-2.6.19 tree.

This BZ is also loosely related to #202856.

This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if
CIPSO is to be part of a LSPP evaluation.
Comment 1 Paul Moore 2006-08-16 16:24:22 EDT
Created attachment 134343 [details]
Correctly initialize the NetLabel fields in sk_security_struct
Comment 2 Paul Moore 2006-08-16 16:27:02 EDT
Created attachment 134344 [details]
Remove unused function prototypes
Comment 3 Paul Moore 2006-08-16 16:30:11 EDT
Created attachment 134345 [details]
Comment corrections
Comment 4 Paul Moore 2006-08-16 16:31:36 EDT
Created attachment 134346 [details]
Cleanup ebitmap_import()
Comment 5 Tim Burke 2006-08-21 09:31:56 EDT
How critical is fixing this initialization issue?  For example, is this bug
completely debilitating, or is it only exhibited in obscure corner cases?
Comment 6 Linda Knippers 2006-08-21 12:41:05 EDT
Paul is on vacation without internet access this week but my experience is
that many things work without this fix (telnet, ftp, r commands) but that ssh/sftp
does not.  Its something that ought to be fixed but I wouldn't hold a beta for 
it, if that's the question.
Comment 7 Tim Burke 2006-08-22 06:38:08 EDT
Thanks, Linda. Yes, the exact question was whether this is a beta blocker or
not.  We are coming down to the wire and have to scrutinize every issue.  We
won't consider this a beta blocker.
Comment 8 Paul Moore 2006-08-29 10:51:26 EDT
Created attachment 135137 [details]
Correctly initialize the NetLabel fields

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 9 Paul Moore 2006-08-29 10:52:56 EDT
Created attachment 135139 [details]
Remove unused function prototypes

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 10 Paul Moore 2006-08-29 10:55:10 EDT
Created attachment 135140 [details]
Comment corrections

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 11 Paul Moore 2006-08-29 10:56:15 EDT
Created attachment 135141 [details]
Cleanup ebitmap_import()

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 12 Paul Moore 2006-08-29 10:57:24 EDT
Created attachment 135142 [details]
Uninline selinux_netlbl_inode_permission()

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 13 Paul Moore 2006-08-29 10:58:35 EDT
Created attachment 135143 [details]
Add some missing #includes to various header files

This patch was sent to the SELinux and Netdev mailing lists on 8/29/2006.
Comment 14 James Morris 2006-08-29 13:03:07 EDT
Please don't post patches here until they've been merged upstream, and then any
patches posted here should be backports of the upstream patches which have been
tested with the kernel rpm.
Comment 15 Paul Moore 2006-08-29 13:28:00 EDT
My apologies, wasn't sure what the protocol is for posting fixes.  Assuming
David Miller pulls the patches into his tree would you like me to port them to
the current rawhide kernel or will you be doing the porting as before?
Comment 16 James Morris 2006-08-29 13:44:58 EDT
No worries.  Probably simplest if I do it once the patches are merged upstream.
Comment 17 James Morris 2006-09-18 20:09:37 EDT

*** This bug has been marked as a duplicate of 203348 ***

Note You need to log in before you can comment on or make changes to this bug.