Bug 209170 - [FC6] IPSec information leak caused by labeled networking
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Eric Paris
Brian Brock
Reported: 2006-10-03 14:27 EDT by Eric Paris
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-10-12 14:13:17 EDT

Description Eric Paris 2006-10-03 14:27:34 EDT
The labeled networking patches in 2.6-net cause a problem with ipsec

http://marc.theaimsgroup.com/?l=linux-netdev&m=115979927305638&w=2

When upstream comes up with a solution it will need to be backported.
Comment 1 James Morris 2006-10-03 14:44:58 EDT
Adding DaveM and Stephen Smalley.

The FC6 fix may be backported from the patch I posted upstream, as the changes
going into the upstream kernel and RHEL5 from TCS to consolidate the labeled
networking stuff will change the logic in that area.  This will reduce the
functionality of xfrm labeling, although it is not feature complete in FC6
anyway, and we cannot add new features at this stage.

It's tempting also to instead set SECURITY_NETWORK_XFRM=n.

AFAIK, people who really need this feature need the RHEL5 patches anyway and
will have to use a different kernel in any case.
Comment 2 James Morris 2006-10-03 22:05:54 EDT
As we have less than 24 hours to resolve this issue, I suggest we proceed with
setting SECURITY_NETWORK_XFRM=n in the kernel configuration to disable the
component causing the problem.

This code is not complete and broken as designed.  The final features and
bugfixes are still being developed upstream.  Users who wish to make use of this
feature are advised to either wait for FC7 or RHEL5, or to try the development
kernels, policies and all related components which would be required for a
functional system, which FC6 will also not have.

Dave, I gather it is simplest if you just do this and commit it to CVS.
Otherwise let us know.

The compat_net issue is still a critical issue to be resolved -- please advise
of the status of this as soon as possible.
Comment 3 Eric Paris 2006-10-12 14:13:17 EDT
Since we set SECURITY_NETWORK_XFRM=n this is not an issue.  Closing this bug as
it is fixed upstream and so will be fixed for FC6.
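The mitigation agreed on in this bug is a kernel configuration change, so the useful check for an administrator is whether a given kernel was actually built with SECURITY_NETWORK_XFRM turned off. The script below is an added example, not part of the bug report or of the Fedora kernel package: it reads a kernel config file (the `/boot/config-$(uname -r)` path and the `/proc/config.gz` fallback are assumed, as is the Kconfig convention of writing disabled options as `# CONFIG_... is not set`; the `=n` spelling used in the comments above is also accepted) and reports whether labeled-networking xfrm support is enabled, disabled, or absent from that config. The sample config files it writes are constructed for demonstration and are not real FC6 configs.

```shell
#!/bin/sh
# Added example (not from the bug report): report the state of
# CONFIG_SECURITY_NETWORK_XFRM in a kernel config file.

# xfrm_label_state FILE
#   prints "enabled", "disabled", or "absent" and returns 0;
#   returns 1 if FILE cannot be read.
xfrm_label_state() {
    file="$1"
    [ -r "$file" ] || return 1
    if grep -q '^CONFIG_SECURITY_NETWORK_XFRM=y' "$file"; then
        echo enabled
    elif grep -q '^# CONFIG_SECURITY_NETWORK_XFRM is not set' "$file" \
      || grep -q '^CONFIG_SECURITY_NETWORK_XFRM=n' "$file"; then
        # "is not set" is how Kconfig records a disabled option;
        # "=n" is accepted because that is how the bug comments spell it.
        echo disabled
    else
        # option absent: config predates the feature, or file is not a
        # kernel config at all
        echo absent
    fi
}

# running_kernel_config
#   prints the path of a readable config for the running kernel, or
#   decompresses /proc/config.gz to a temp file; returns 1 if neither exists.
running_kernel_config() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        echo "$cfg"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        gzip -dc /proc/config.gz > "$tmp" || return 1
        echo "$tmp"
    else
        return 1
    fi
}

# write_sample_configs DIR
#   writes three constructed config fragments for demonstration and tests.
write_sample_configs() {
    dir="$1"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_NETWORK=y' \
        'CONFIG_SECURITY_NETWORK_XFRM=y' 'CONFIG_SECURITY_SELINUX=y' \
        > "$dir/config-xfrm-on"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_NETWORK=y' \
        '# CONFIG_SECURITY_NETWORK_XFRM is not set' 'CONFIG_SECURITY_SELINUX=y' \
        > "$dir/config-xfrm-off"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_SELINUX=y' \
        > "$dir/config-old"
}

# Stand-alone run: check the running kernel when a config is available,
# otherwise fall back to the constructed samples.
if cfg=$(running_kernel_config); then
    echo "running kernel: $(xfrm_label_state "$cfg")"
else
    d=$(mktemp -d)
    write_sample_configs "$d"
    for f in "$d"/config-*; do
        echo "$(basename "$f"): $(xfrm_label_state "$f")"
    done
    rm -rf "$d"
fi
```

On the FC6 kernel described in Comment 2 the expected result is `disabled`; `enabled` means the kernel still carries the xfrm labeling code this bug turned off, and `absent` means the file is not a config that knows the option at all, so the answer has to come from elsewhere.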
