On Tuesday, February 27 2007 11:11:54 am Loulwa Salem wrote: > Paul Moore wrote: > > On Monday, February 26 2007 7:17:19 pm Loulwa Salem wrote: > > ... > > > Something odd is happening as based on the packet dump the CIPSO option > > is 10 > > bytes long, which for tag type 1 would indicate a lack of categories yet > you are using "c2" which should map to CIPSO category "1" based on your DOI > settings. To further complicate things, assuming I've done my quick math > correctly the ICMP parameter error is pointing at the CIPSO length field in > the tag. It's hard to say for certain at this point, but it kinda looks > like the packet is not being created correctly. > > > Please retry with the following CIPSO DOI configuration: > > > > # netlabelctl cipsov4 add pass doi:1 tags:1 > > The setting above works fine .. that's what I've been using for most of my > test cases. I am able to log in to the system with above setting enabled.
Interesting, that would indicate there is a problem somewhere with the "std" mapping. It will be good to know when this broke, i.e. please report back when you find the kernel rev that worked for you. -- paul moore linux security @ hp -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
