From: Paul Krumviede <pwk@acm.org>
To: "Westerman, Mark" <Mark.Westerman@csoconline.com>,
selinux <selinux@tycho.nsa.gov>
Subject: RE: 2.4.16 release, ipsec, roles and ECHILD errors
Date: Fri, 18 Jan 2002 10:25:12 -0800
Message-ID: <485645491.1011349512@localhost>
In-Reply-To: <72222DC86846D411ABD300A0C9EB08A1015242A0@csoc-mail-box.csoconline.com>

--On Friday, 18 January, 2002 07:39 -0600 "Westerman, Mark"
<Mark.Westerman@csoconline.com> wrote:

> The 1.94 version has bugs that make it non-usable

that is a bit of an overstatement. i've patched the 1.94
version to fix the most egregious bug (the one that
could leave a connection in %hold). and it does work
with kernels that don't have selinux compiled in and
earlier versions of selinux: i can see the IKE exchanges
take place and instantiate the desired tunnel and eroute.
traffic between machines does get routed through the
tunnel (as determined with a sniffer).

> From: freeswan web page
> "While freeswan-1.94 has shipped, there are serious known bugs
> in it that make it unsuitable for use. You have two choices,
> use the latest snapshot (snap2001dec25b seems ok) where the
> show stopper bugs seem fixed or use an older 'stable' release
> like 1.91 or maybe 1.92 from this "
>
> Try a different version and see if you have the same problem

i already tried it with 1.91: same symptoms.

and the failure mode i'm seeing when i login with the
user_r role, use newrole to change to the sysadm_r role,
su to root, and start the ipsec processes is a failure mode
independent of recent frees/wan versions: they all attempt
to invoke the _updown script using popen() and use pclose()
to get the status. the serious bug with 1.94 is in klips, the
kernel stuff; the pclose failure is with pluto.

and the fact that it (pclose) doesn't fail if i login with the
sysadm_r role, then su to root and proceed, implies a
problem somewhere other than in the frees/wan stuff.

-paul
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
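
Added example, not part of the original message and not FreeS/WAN code: a popen()/pclose() caller of the kind described above that separates "the helper script returned an error" from "pclose() could not collect any status (ECHILD)". The names run_helper and run_with_sigchld_ignored are hypothetical, and ignoring SIGCHLD is only an assumed, well-known way to reproduce ECHILD, not the cause identified in this thread.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>

enum run_result { RUN_OK, RUN_EXIT_NONZERO, RUN_SIGNALED, RUN_STATUS_LOST, RUN_ERROR };

/* popen() a helper, drain its output, and classify what pclose() reports. */
static enum run_result run_helper(const char *cmd, int *exit_code)
{
    char buf[256];
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return RUN_ERROR;
    while (fgets(buf, sizeof buf, fp) != NULL)
        ;                               /* discard helper output */
    errno = 0;
    int status = pclose(fp);
    if (status == -1)                   /* no wait status was obtained */
        return errno == ECHILD ? RUN_STATUS_LOST : RUN_ERROR;
    if (WIFSIGNALED(status))
        return RUN_SIGNALED;
    *exit_code = WEXITSTATUS(status);   /* helper ran; this is its own verdict */
    return *exit_code == 0 ? RUN_OK : RUN_EXIT_NONZERO;
}

/* Assumed trigger for the demo only: with SIGCHLD ignored the kernel reaps
 * the child itself, so pclose() has nothing left to wait for. */
static enum run_result run_with_sigchld_ignored(const char *cmd, int *exit_code)
{
    struct sigaction ign = { .sa_handler = SIG_IGN }, old;
    sigemptyset(&ign.sa_mask);
    sigaction(SIGCHLD, &ign, &old);
    enum run_result r = run_helper(cmd, exit_code);
    sigaction(SIGCHLD, &old, NULL);     /* restore the previous disposition */
    return r;
}

int main(void)
{
    int code = -1;
    printf("default SIGCHLD: result=%d exit=%d\n", run_helper("exit 3", &code), code);
    printf("SIGCHLD ignored: result=%d\n", run_with_sigchld_ignored("exit 3", &code));
    return 0;
}
```

Logging RUN_STATUS_LOST separately from RUN_EXIT_NONZERO tells an operator whether to look at the helper script or at the environment the daemon was started from.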