[redhat-lspp] Re: Labeled networking at the end of the day Oct 2, 2006

Paul Moore paul.moore at hp.com
Tue Oct 3 21:17:21 UTC 2006 

Eric Paris wrote:
> Where do we stand with labeled networking today?
> 
> I published a kernel yesterday which is sorta close to having what we
> need for labeled networking.  This kernel includes 3 patch sets.
> 
> 1) netlabel changes to audit configuration changes
> 2) secid reconciliation patch set (9 patches) for secmark/ipsec
> 3) secid reconciliation patch to include netlabel
> 
> to even be close to a usable kernel we still need
> 
> 1) fix for packets intended for ipsec tunnels to not be clear text.
> Venkat indicated he had his own way he wanted to solve this problem on
> Monday but I did not see any updates today.  This is a major problem
> which must get fixed somehow, soon.
> 2) ipsec configuration auditing.  if we can do this in policy all the
> better.  if not, I need a patch.
> 3) fix for netlabel caching race which can cause an opps.  Can be worked
> around by using a sysctl (see the e-mail from paul moore)
> 4) fix for netlabel correctness in the same e-mail from paul he
> mentioned correctness issues in -v3 inside selinux-ip-postroute-last

Updates from the NetLabel side of the house:

I have patches for both #3 and #4 sitting on my disk.  I've got a kernel
(based on the source RPMs you posted this morning) building right now
with the patch for #3, it should be done pretty soon.  I want to let it
run overnight and if everything looks okay I'll post it to the lists.

The fix for patch #4 is probably just going to be a respin, i.e. "v4" of
the NetLabel secid reconciliation patch as I don't think the "v3"
version of the patch has made it into a tree yet (net-2.6 seems to be
missing?).  For those who are curious attached is a diff between the
"v3" and upcoming "v4" patch.  I'll post this once I have pushed out the
patch for #3 and have had time to test this.

-- 
paul moore
linux security @ hp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: secid_netlabel_v3-v4.diff
Type: text/x-patch
Size: 1724 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061003/8326982d/attachment.bin>

More information about the redhat-lspp mailing list