Venkat,

> This doesn't look right since kzalloc would already have zeroed the
> structure out. Are you sure you are getting garbage in the acquire
> from the kernel? If you are, I strongly doubt that this would be the
> one causing it (unless kzalloc on this arch misbehaved).
> Or is this a racoon bug?
Yes, you are correct! Thanks for pointing this out to me as I missed it!
It is racoon that has the bug. Will fix and post correct fix shortly.
Please ignore attached fix as it is incorrect.

Again, thanks!

Regards,
Joy

>> When using ipsec while selinux is enabled in my kernel,
>> my racoon daemon fails to establish an SA. I believe the
>> ACQUIRE sent from kernel has a security context although I
>> am not using this feature with ipsec. As a result, racoon
>> fails to establish the SA, because it is looking for a policy
>> with security context. I noticed the security context
>> contains garbage.
>>
>> I am using a pseries, power5, ppc64 box, and it appears
>> that since policy->security structure is not really initialized
>> or zero'd out when not using, it is possible it may contain garbage
>> on my pseries and a call such as "if (policy->security)" may
>> come back as true such that security context is included in
>> my acquire message although I believe it should not be.
>>
>> Hopefully, the below patch is acceptable. I have compiled and
>> tested it.
>>
>> Regards,
>> Joy Latten
>>
>>
>> diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_policy.c linux-2.6.17.patch/net/xfrm/xfrm_policy.c
>> --- linux-2.6.17.orig/net/xfrm/xfrm_policy.c 2006-09-19 02:11:33.000000000 -0500
>> +++ linux-2.6.17.patch/net/xfrm/xfrm_policy.c 2006-09-19 04:33:50.000000000 -0500
>> @@ -319,6 +319,7 @@ struct xfrm_policy *xfrm_policy_alloc(gf >> init_timer(&policy->timer); >> policy->timer.data = (unsigned long)policy; >> policy->timer.function = xfrm_policy_timer; >> + policy->security = NULL; >> } >> return policy; >> }
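Review bot: the added `policy->security = NULL;` in xfrm_policy_alloc() is a no-op if the policy is obtained with kzalloc, as Venkat's reply points out, because the whole struct is already zero-filled and `if (policy->security)` cannot observe garbage from that allocation. The hunk's context only shows the init_timer setup and not the allocation call, so a change here needs either evidence of a non-zeroing allocation on the ppc64 box or, as Joy concluded, the garbage security context should be traced in racoon's handling of the ACQUIRE rather than worked around in the kernel.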