DO NOT USE THESE KERNELS ON A PRODUCTION SYSTEM!

If you go to http://people.redhat.com/eparis/RHEL5_labeled_networking/ you should find a set of kernels based off of the Red Hat RHEL5 source tree. These should include patches for:

- network labeling support from Venkat
- netlabel auditing
- ipsec/secmark secid reconciliation
- netlabel secid reconciliation

I need a very fast response from everyone involved if these kernels

A) boot
B) run without labeled networking (very very important)
C) run with labeled networking

If you run across a problem feel free to let me or the list know. You may also feel free to open a bug in bugzilla.redhat.com; for the product choose "Red Hat Enterprise Linux Public Beta" and RHEL5. If you open a bug for this labeled networking you can go ahead and assign it to [EMAIL PROTECTED] so I'm sure to see it and bug the correct people.

At this time there is a known ipsec problem with these kernels. I haven't looked at it closely but I believe the problem is that processes which intend to send over an ipsec tunnel but have certain avc denials will actually cause traffic to flow unencrypted. SO PLEASE DO NOT USE THESE ON ANY PRODUCTION SYSTEM!! There is work going on upstream (on linux-netdev, not either of these lists) to fix this issue in the 2.6-net tree, and when it is finished it will get brought back into RHEL5. (I don't think you will hit this bug with relatively modern policy, but it is there and can be a serious security flaw.)

Before network labeling is completed we still need some work implementing how we plan to audit configuration changes in ipsec labeling decisions. I believe we agreed today that this auditing must be done in kernelspace, since we do not have fine grained enough controls on netlink messages to allow for all of the auditing in userspace.

DO NOT USE THESE KERNELS ON A PRODUCTION SYSTEM

-Eric

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
