Red Hat Bugzilla – Bug 209170
[FC6] IPSec information leak caused by labeled networking
Last modified: 2007-11-30 17:11:45 EST
The labeled networking patches in 2.6-net cause a problem with IPsec. When
upstream comes up with a solution, it will need to be backported.
Adding DaveM and Stephen Smalley.
The FC6 fix may be backported from the patch I posted upstream, as the changes
going into the upstream kernel and RHEL5 from TCS to consolidate the labeled
networking stuff will change the logic in that area. This will reduce the
functionality of xfrm labeling, although it is not feature complete in FC6
anyway, and we cannot add new features at this stage.
It's also tempting to instead set SECURITY_NETWORK_XFRM=n.
AFAIK, people who really need this feature need the RHEL5 patches anyway and
will have to use a different kernel in any case.
As we have less than 24 hours to resolve this issue, I suggest we proceed with
setting SECURITY_NETWORK_XFRM=n in the kernel configuration to disable the
component causing the problem.
This code is not complete and is broken as designed. The final features and
bugfixes are still being developed upstream. Users who wish to make use of this
feature are advised to either wait for FC7 or RHEL5, or to try the development
kernels, policies and all related components which would be required for a
functional system, which FC6 will also not have.
Dave, I gather it is simplest if you just do this and commit it to CVS.
Otherwise let us know.
The compat_net issue is still a critical issue to be resolved -- please advise
of the status of this as soon as possible.
Since we set SECURITY_NETWORK_XFRM=n, this is not an issue. Closing this bug as
it is fixed upstream and so will be fixed for FC6.