[redhat-lspp] Re: different cipso mapping behavior

Loulwa Salem loulwas at us.ibm.com
Tue Feb 27 19:23:49 UTC 2007


Paul Moore wrote:
> On Tuesday, February 27 2007 11:11:54 am Loulwa Salem wrote:
> 
>>Paul Moore wrote:
>> > On Monday, February 26 2007 7:17:19 pm Loulwa Salem wrote:
>>
>>...
>>
>> > Something odd is happening as based on the packet dump the CIPSO option
>> > is 10 bytes long, which for tag type 1 would indicate a lack of categories
>> > yet you are using "c2" which should map to CIPSO category "1" based on
>> > your DOI settings. To further complicate things, assuming I've done my
>> > quick math correctly the ICMP parameter error is pointing at the CIPSO
>> > length field in the tag.  It's hard to say for certain at this point, but
>> > it kinda looks like the packet is not being created correctly.
>>
>> > Please retry with the following CIPSO DOI configuration:
>> >
>> >  # netlabelctl cipsov4 add pass doi:1 tags:1
>>
>>The setting above works fine .. that's what I've been using for most of my
>>test cases. I am able to log in to the system with above setting enabled.
> 
> 
> Interesting, that would indicate there is a problem somewhere with the "std" 
> mapping.  It will be good to know when this broke, i.e. please report back 
> when you find the kernel rev that worked for you.

I traced it back to .63 kernel and it is still broken there .. I don't have 
access to anything prior to that. If someone has access to an older system .. 
please try it. Paul, were you able to reproduce the problem?

I'll keep trying to get to the bottom of this meanwhile.

- Loulwa
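
The length arithmetic in the quoted analysis, as an added example that is not part of the original message or of the NetLabel code: a CIPSO option has a 6-byte header (type, length, DOI) and a tag type 1 has a 4-byte header, so a 10-byte option leaves no room for a category bitmap. The layout follows the CIPSO draft; the name parse_cipso and the sample bytes are constructed for illustration, and the parser assumes one tag per option.

```python
import struct

CIPSO_OPT = 134      # IPv4 option type for CIPSO
TAG_BITMAP = 1       # tag type 1: sensitivity level + category bitmap


def parse_cipso(opt: bytes) -> dict:
    """Decode a CIPSO IPv4 option carrying a single tag of type 1."""
    if len(opt) < 6:
        raise ValueError("shorter than the CIPSO header (type, length, DOI)")
    opt_type, opt_len, doi = struct.unpack("!BBI", opt[:6])
    if opt_type != CIPSO_OPT:
        raise ValueError(f"not a CIPSO option (type {opt_type})")
    if opt_len != len(opt):
        raise ValueError(f"option length {opt_len} != {len(opt)} bytes captured")
    tag = opt[6:]
    if len(tag) < 4:
        raise ValueError("truncated tag")
    tag_type, tag_len, _align, level = tag[:4]
    if tag_type != TAG_BITMAP:
        raise ValueError(f"tag type {tag_type} not handled here")
    # The tag length field covers the 4-byte tag header plus the bitmap.
    if tag_len < 4 or tag_len != len(tag):
        raise ValueError(f"tag length {tag_len} inconsistent with option")
    bitmap = tag[4:tag_len]
    # Category 0 is the most significant bit of the first bitmap byte.
    cats = [i * 8 + b for i, byte in enumerate(bitmap)
            for b in range(8) if byte & (0x80 >> b)]
    return {"doi": doi, "level": level, "categories": cats}


# Constructed samples (not taken from the packet dump in the thread).
NO_CATS = bytes([134, 10, 0, 0, 0, 1, 1, 4, 0, 0])            # 10 bytes
WITH_CAT1 = bytes([134, 11, 0, 0, 0, 1, 1, 5, 0, 0, 0x40])    # 11 bytes

if __name__ == "__main__":
    for name, raw in (("10-byte", NO_CATS), ("11-byte", WITH_CAT1)):
        print(name, parse_cipso(raw))
```
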





