When using IPsec while SELinux is enabled in my kernel, my racoon daemon fails to establish an SA. I believe the ACQUIRE sent from the kernel has a security context although I am not using this feature with IPsec. As a result, racoon fails to establish the SA, because it is looking for a policy with a security context. I noticed the security context contains garbage.
I am using a pSeries, POWER5, ppc64 box, and it appears that since the policy->security structure is not really initialized or zeroed out when not in use, it is possible it may contain garbage on my pSeries, and a call such as "if (policy->security)" may come back as true, so that a security context is included in my ACQUIRE message although I believe it should not be.

Hopefully, the below patch is acceptable. I have compiled and tested it.

Regards,
Joy Latten

diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_policy.c linux-2.6.17.patch/net/xfrm/xfrm_policy.c --- linux-2.6.17.orig/net/xfrm/xfrm_policy.c 2006-09-19 02:11:33.000000000 -0500 +++ linux-2.6.17.patch/net/xfrm/xfrm_policy.c 2006-09-19 04:33:50.000000000 -0500 @@ -319,6 +319,7 @@ struct xfrm_policy *xfrm_policy_alloc(gf init_timer(&policy->timer); policy->timer.data = (unsigned long)policy; policy->timer.function = xfrm_policy_timer; + policy->security = NULL; } return policy; }
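Review bot: Assigning policy->security = NULL in xfrm_policy_alloc fixes only the one field that happened to surface as garbage; the cover note says the policy structure is not zeroed when it is allocated, so any other pointer or flag in struct xfrm_policy that this function does not explicitly assign is exposed to the same uninitialised-memory problem, and it showed up here only because the ppc64 allocator returned non-zero memory. Consider zeroing the whole object at allocation (a zeroing allocator such as kzalloc, or a memset right after the allocation) so the fix does not depend on remembering each field and the "if (policy->security)" test on the ACQUIRE path is reliable on every architecture. If the single assignment is kept, a short comment stating that the security pointer must be NULL whenever no LSM context is attached would help the next reader understand why it is set here rather than by the allocator.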