From mboxrd@z Thu Jan 1 00:00:00 1970 From: Evgeniy Polyakov Subject: Re: Is TCP over IPsec broken in 2.6.18? Date: Sat, 30 Sep 2006 18:42:29 +0400 Message-ID: <20060930144229.GA18438@2ka.mipt.ru> References: <20060925103836.GA13966@2ka.mipt.ru> <20060925112754.GA18228@gondor.apana.org.au> <20060925120519.GA19010@2ka.mipt.ru> <20060930111521.GA646@2ka.mipt.ru> <20060930144018.GA16918@2ka.mipt.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Cc: netdev@vger.kernel.org, Stephen Smalley Return-path: Received: from relay.2ka.mipt.ru ([194.85.82.65]:64706 "EHLO 2ka.mipt.ru") by vger.kernel.org with ESMTP id S1751038AbWI3Omk (ORCPT ); Sat, 30 Sep 2006 10:42:40 -0400 To: James Morris Content-Disposition: inline In-Reply-To: <20060930144018.GA16918@2ka.mipt.ru> Sender: netdev-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Sat, Sep 30, 2006 at 06:40:18PM +0400, Evgeniy Polyakov (johnpol@2ka.mipt.ru) wrote: > On Sat, Sep 30, 2006 at 10:36:29AM -0400, James Morris (jmorris@namei.org) wrote: > > On Sat, 30 Sep 2006, Evgeniy Polyakov wrote: > > > > > I need to cofirm that broken system in my setup does have selinux enabled > > > with enforcing mode. > > > I've changed it to permissive mode and it fixed setup (I do not see any > > > warnings in dmesg). > > > > Something better in your case would likely be to rebuild the kernel with > > CONFIG_SECURITY_NETWORK_XFRM=n until it's fixed. > > Well, it is acrypto test machine and I do not care about security there, > so I can even disable selinux completely, but it will not help to resolve > the issue, right? > > So if you have some patches I'm more than happy to test them. And to confirm theory about CONFIG_SECURITY_NETWORK_XFRM I'm compiling kernel without it (and then without selinux at all). -- Evgeniy Polyakov