RE: 2.4.16 release, ipsec, roles and ECHILD errors

From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
Date: Fri, 18 Jan 2002 07:39:17 -0600


The 1.94 version has bugs that make it non-usable. From the freeswan web page:

"While freeswan-1.94 has shipped, there are serious known bugs in it that make it unsuitable for use. You have two choices: use the latest snapshot (snap2001dec25b seems ok) where the show-stopper bugs seem fixed, or use an older 'stable' release like 1.91 or maybe 1.92 from this "

Try a different version and see if you have the same problem.

Mark

-----Original Message-----

From: Paul Krumviede [mailto:pwk@acm.org]
Sent: Thursday, January 17, 2002 2:58 PM
To: selinux
Subject: 2.4.16 release, ipsec, roles and ECHILD errors

Ever since the December 2001 release, I've been running into problems getting FreeS/WAN 1.94 working with the 2.4.16 kernel when SELinux is configured in the kernel. After much experimentation I noticed something that seems quite strange.

Background: attempts to get automatically keyed IPsec connections to go into the "routed" or "up" states would yield failures from pclose() with errno set to ECHILD. This happens when pluto, the user-space key management daemon, tries to run some of the associated scripts.

By happenstance, things started working a few days ago, and then stopped working. What seemed to make the difference was the role I used to log in on the console. If I log in with the user_r role, run "newrole -r sysadm_r" and su, then start (using run_init) the ipsec components and attempt to bring an IPsec connection into a useful state (e.g., "ipsec auto --route conn-name"), then things fail as above.

But if I log in with the sysadm_r role, su, and then start up the ipsec components the same way, things work. Things also work if I log in as root, in either the user_r or sysadm_r role.

I'm running in permissive mode, so that shouldn't be a problem. If I compile the same kernel without SELinux, then there doesn't seem to be any problem getting the IPsec connections up and running.

I took a quick look at some of the ssh code, which also uses pclose(), but it seems to never check the error status, while pluto does.

-paul

--

You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Fri 18 Jan 2002 - 10:10:48 EST

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT