LKML Archive on lore.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: Ingo Molnar <mingo@elte.hu>, David Miller <davem@davemloft.net>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [bisected] Re: [bug] networking broke, ssh: connect to port 22: Protocol error
Date: Wed, 6 Feb 2008 07:58:00 -0800 (PST)
Message-ID: <657224.72762.qm@web36615.mail.mud.yahoo.com>
In-Reply-To: <20080206133506.GA21202@elte.hu>


--- Ingo Molnar <mingo@elte.hu> wrote:

> 
> * Ingo Molnar <mingo@elte.hu> wrote:
> 
> > yeah, although various other upstream breakages prevented real long 
> > randconfig series in the past 2-3 days. I'd say it's either in this 
> > pull from your tree:
> 
> ok, i have bisected it down but the result made no sense, so i 
> double-checked it and noticed that the .config mutated during the test.
> 
> the diff below is the diff between the 'good' and 'bad' .config, with 
> this notable detail:
> 
>  @@ -2336,7 +2350,7 @@ CONFIG_SECURITY_NETWORK=y
>   CONFIG_SECURITY_CAPABILITIES=y
>   # CONFIG_SECURITY_FILE_CAPABILITIES is not set
>   # CONFIG_SECURITY_ROOTPLUG is not set
>  -# CONFIG_SECURITY_SMACK is not set
>  +CONFIG_SECURITY_SMACK=y
>   CONFIG_XOR_BLOCKS=m
>   CONFIG_ASYNC_CORE=m
>   CONFIG_ASYNC_MEMCPY=m
> 
> so i disabled CONFIG_SECURITY_SMACK, and voilà, just 2 hours of hard 
> work later networking works on my testbox again :-/
> 
> And we have this 1 day old commit:
> 
>   commit e114e473771c848c3cfec05f0123e70f1cdbdc99
>   Author: Casey Schaufler <casey@schaufler-ca.com>
>   Date:   Mon Feb 4 22:29:50 2008 -0800
> 
>       Smack: Simplified Mandatory Access Control Kernel
> 
> that adds SMACK.
> 
> So unlike some other security modules like SELINUX, enabling SMACK 
> breaks un-aware userspace and breaks TCP networking?
> 
> I don't think that's expected behavior - and i'd definitely like to 
> enable SMACK in automated tests to check for regressions, etc.

As Stephen mentions later, Smack uses CIPSO. sshd does not like
any IP options because of traceroute, and must be built with that
check disabled with the current Smack version. I have been looking
at using unlabeled packets for the "ambient" label, it appears that
doing so would make life simpler. I will get right on it.

Application behavior in the presence of IP options isn't
always what I think it ought to be.


Casey Schaufler
casey@schaufler-ca.com
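
A server that inspects the IPv4 options on an incoming connection can tell a CIPSO label apart from a source-route option instead of refusing every option. The following is an added example, not code from this thread, sshd or Smack; the function names, the accept-CIPSO-only policy and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* IPv4 option type octets (RFC 791 plus CIPSO, type 134) and result bits. */
enum { T_EOL = 0, T_NOP = 1, T_LSRR = 131, T_CIPSO = 134, T_SSRR = 137 };
enum { OPT_CIPSO = 1, OPT_SRCROUTE = 2, OPT_OTHER = 4, OPT_MALFORMED = 8 };

/* Constructed samples: a CIPSO label (DOI 3, one tag), a loose source
 * route through 192.0.2.1, and a CIPSO header cut short. */
const unsigned char sample_cipso[] = {134, 10, 0, 0, 0, 3, 1, 4, 0, 5, 0, 0};
const unsigned char sample_lsrr[]  = {131, 7, 4, 192, 0, 2, 1, 0};
const unsigned char sample_trunc[] = {134, 10, 0, 0};

/* Walk a raw IPv4 options field (type, length, data records) and report
 * which classes of option are present. */
int classify_ip_options(const unsigned char *opts, size_t len)
{
    int found = 0;
    size_t i = 0;
    while (i < len && opts[i] != T_EOL) {
        if (opts[i] == T_NOP) {          /* single-byte padding */
            i++;
            continue;
        }
        /* Every other option is type, length, data; length covers all three. */
        if (i + 1 >= len || opts[i + 1] < 2 || i + opts[i + 1] > len)
            return found | OPT_MALFORMED;
        if (opts[i] == T_CIPSO)
            found |= OPT_CIPSO;
        else if (opts[i] == T_LSRR || opts[i] == T_SSRR)
            found |= OPT_SRCROUTE;
        else
            found |= OPT_OTHER;
        i += opts[i + 1];
    }
    return found;
}

/* Assumed policy: accept a connection with no options or CIPSO labels only. */
int options_acceptable(const unsigned char *opts, size_t len)
{
    return (classify_ip_options(opts, len) & ~OPT_CIPSO) == 0;
}

int main(void)
{
    printf("cipso ok=%d lsrr ok=%d\n",
           options_acceptable(sample_cipso, sizeof sample_cipso),
           options_acceptable(sample_lsrr, sizeof sample_lsrr));
    return 0;
}
```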
