[redhat-lspp] Re: different cipso mapping behavior
Paul Moore
paul.moore at hp.com
Tue Feb 27 16:20:17 UTC 2007
On Tuesday, February 27 2007 11:11:54 am Loulwa Salem wrote:
> Paul Moore wrote:
> > On Monday, February 26 2007 7:17:19 pm Loulwa Salem wrote:
>
> ...
>
> > Something odd is happening as based on the packet dump the CIPSO option
> > is 10 bytes long, which for tag type 1 would indicate a lack of
> > categories yet you are using "c2" which should map to CIPSO category "1"
> > based on your DOI settings. To further complicate things, assuming I've
> > done my quick math correctly the ICMP parameter error is pointing at the
> > CIPSO length field in the tag. It's hard to say for certain at this
> > point, but it kinda looks like the packet is not being created correctly.
>
> > Please retry with the following CIPSO DOI configuration:
> >
> > # netlabelctl cipsov4 add pass doi:1 tags:1
>
> The setting above works fine .. that's what I've been using for most of my
> test cases. I am able to log in to the system with above setting enabled.
Interesting, that would indicate there is a problem somewhere with the "std"
mapping. It will be good to know when this broke, i.e. please report back
when you find the kernel rev that worked for you.
--
paul moore
linux security @ hp
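
Added example, not part of the original message or of the NetLabel code: a small Python decoder for a CIPSO IPv4 option carrying a single tag type 1 (bit-mapped) tag, showing why a 10-byte option has no category bitmap while one carrying category 1 is 11 bytes. The sample bytes are constructed (DOI 1, an arbitrary sensitivity level), and the function name and single-tag restriction are assumptions of this sketch.

```python
import struct

CIPSO_OPT_TYPE = 134   # IPv4 option number for CIPSO
TAG1_MAX_LEN = 34      # 4 fixed tag bytes + up to 30 bytes of category bitmap


def parse_cipso_tag1(opt: bytes) -> dict:
    """Decode a CIPSO option that carries exactly one tag type 1 tag."""
    # 2 bytes option header + 4 bytes DOI + 4 fixed tag bytes = 10 minimum.
    if len(opt) < 10:
        raise ValueError("shorter than option header + DOI + minimal tag")
    opt_type, opt_len, doi = struct.unpack("!BBI", opt[:6])
    if opt_type != CIPSO_OPT_TYPE:
        raise ValueError(f"not a CIPSO option (type {opt_type})")
    if opt_len != len(opt):
        raise ValueError(f"option length {opt_len} != {len(opt)} bytes present")
    # Tag type 1 layout: type, length, alignment octet, sensitivity level,
    # then the category bitmap (possibly empty).
    tag_type, tag_len, _align, level = opt[6:10]
    if tag_type != 1:
        raise ValueError(f"unsupported tag type {tag_type}")
    if tag_len != opt_len - 6 or tag_len > TAG1_MAX_LEN:
        raise ValueError(f"tag length {tag_len} inconsistent with option")
    bitmap = opt[10:]
    # Category 0 is the most significant bit of the first bitmap byte.
    categories = [i * 8 + bit
                  for i, byte in enumerate(bitmap)
                  for bit in range(8)
                  if byte & (0x80 >> bit)]
    return {"doi": doi, "option_len": opt_len, "tag_len": tag_len,
            "level": level, "categories": categories}


# Constructed samples: DOI 1, sensitivity level 3 (arbitrary).
NO_CATEGORIES = bytes.fromhex("860a0000000101040003")    # 10 bytes, no bitmap
CATEGORY_ONE = bytes.fromhex("860b000000010105000340")   # 11 bytes, bit 1 set

if __name__ == "__main__":
    for name, raw in (("no categories", NO_CATEGORIES),
                      ("category 1", CATEGORY_ONE)):
        print(name, parse_cipso_tag1(raw))
```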