The labeled networking patches in 2.6-net cause a problem with ipsec: http://marc.theaimsgroup.com/?l=linux-netdev&m=115979927305638&w=2 When upstream comes up with a solution, it will need to be backported.
Adding DaveM and Stephen Smalley. The FC6 fix may be backported from the patch I posted upstream, as the changes going into the upstream kernel and RHEL5 from TCS to consolidate the labeled networking stuff will change the logic in that area. This will reduce the functionality of xfrm labeling, although it is not feature complete in FC6 anyway, and we cannot add new features at this stage. It's also tempting to instead set SECURITY_NETWORK_XFRM=n. AFAIK, people who really need this feature need the RHEL5 patches anyway and will have to use a different kernel in any case.
As we have less than 24 hours to resolve this issue, I suggest we proceed with setting SECURITY_NETWORK_XFRM=n in the kernel configuration to disable the component causing the problem. This code is not complete and broken as designed. The final features and bugfixes are still being developed upstream. Users who wish to make use of this feature are advised to either wait for FC7 or RHEL5, or to try the development kernels, policies and all related components which would be required for a functional system, which FC6 will also not have. Dave, I gather it is simplest if you just do this and commit it to CVS. Otherwise let us know. The compat_net issue is still a critical issue to be resolved -- please advise of the status of this as soon as possible.
Since we set SECURITY_NETWORK_XFRM=n, this is not an issue. Closing this bug as it is fixed upstream and so will be fixed for FC6.