Paul is working on a real fix, but has provided this workaround.
I have tested it, and it appears to fix the problem.
-------- Forwarded Message --------
Subject: Re: TCP issues with netlabel - changed in 3.18
Date: Thu, 05 Feb 2015 17:00:01 -0500
From: Paul Moore <pmoore(a)redhat.com>
Organization: Red Hat
To: Casey Schaufler <casey(a)schaufler-ca.com>
> On Thursday, February 05, 2015 04:31:56 PM Paul Moore wrote:
> > On Thursday, February 05, 2015 01:26:48 PM Casey Schaufler wrote:
> > > On 2/5/2015 1:05 PM, Paul Moore wrote:
> > > > FYI, in case you're interested, the problem appears to be that netdev
> > > > shuffled the order of fields in the skbuff's CB blob, e.g.
> > > > IPCB()/TCP_SKB_CB(), which means that we can't use IPCB() regardless of
> > > > where the skb is at in the stack. Technically what NetLabel was doing
> > > > probably wasn't 100% correct, but it worked :)
> > > >
> > > > Now to find a proper solution.
> > > >
> > > > For reference, here is the offending commit:
> > > > commit 971f10eca186cab238c49daa91f703c5a001b0b1
> > >
> > > I have just completed bisecting the problem and can confirm that
> > > this is the offending commit.
> > >
> > > Smack is pretty seriously screwed without NetLabel on TCP.
> Yeah, I'm working on a fix now. The problem is that it is likely going to
> be ugly as we're going to have to parse the IP header each time so we can
> find the CIPSO option in the packet. I'm hoping that I'll find some trick
> to limit this, or speed it up, but no promises at this point.
Okay, attached is a quick fix. I want to go through all the CIPSO_V4_OPT*()
callers to see if things can be improved, but this patch should at least
correct the regression. Crude testing with SELinux is positive, could you
give this a shot with Smack?
--
paul moore
security @ redhat
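The approach Paul describes in the thread, re-parsing the IPv4 header to locate the CIPSO option rather than trusting the skb's CB blob, comes down to a bounds-checked walk over the options area. The code below is an added example of that walk; it is not Paul's attached patch and not kernel code. It is a standalone C function over a raw IPv4 header buffer, using the IANA option numbers (EOL 0, NOP 1, CIPSO 134), together with a constructed sample header (NOP, a minimal 10-byte CIPSO option with DOI 1 and one tag-type-1 tag, EOL pad) so it runs offline. Every option length is validated against the header length before use, which is the part that matters when the header comes off the wire.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 option numbers from the IANA registry (type byte = copied/class/number). */
#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_CIPSO 134   /* 0x86: the option NetLabel carries its label in */

/*
 * Walk the IPv4 options area of the header at hdr (len bytes available) and
 * return the offset, from the start of the IP header, of the CIPSO option.
 * Returns -1 if the header is malformed or no CIPSO option is present.
 */
int find_cipso_option(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;                      /* too short, or not IPv4 */

    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return -1;                      /* IHL does not fit the buffer */

    size_t off = 20;                    /* options follow the fixed header */
    while (off < ihl) {
        uint8_t type = hdr[off];
        if (type == IPOPT_END)
            break;                      /* end of option list */
        if (type == IPOPT_NOOP) {
            off++;                      /* one-byte pad */
            continue;
        }
        if (off + 1 >= ihl)
            return -1;                  /* length byte missing */
        uint8_t optlen = hdr[off + 1];
        if (optlen < 2 || off + optlen > ihl)
            return -1;                  /* option length cannot be trusted */
        if (type == IPOPT_CIPSO)
            return (int)off;
        off += optlen;
    }
    return -1;
}

/* Return the CIPSO DOI (big-endian, bytes 2..5 of the option), or 0 if none. */
uint32_t cipso_doi(const uint8_t *hdr, size_t len)
{
    int off = find_cipso_option(hdr, len);
    if (off < 0 || hdr[off + 1] < 6)
        return 0;                       /* absent, or too short to hold a DOI */
    const uint8_t *d = hdr + off + 2;
    return ((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) |
           ((uint32_t)d[2] << 8)  |  (uint32_t)d[3];
}

/* Constructed sample: IHL=8 (32 bytes), NOP, 10-byte CIPSO option, EOL pad. */
const uint8_t sample_hdr[32] = {
    0x48, 0x00, 0x00, 0x20,  /* ver 4, ihl 8, tos, total length 32 */
    0x00, 0x00, 0x40, 0x00,  /* id, flags/fragment offset */
    0x40, 0x06, 0x00, 0x00,  /* ttl 64, proto TCP, checksum left zero */
    0x0a, 0x00, 0x00, 0x01,  /* src 10.0.0.1 (constructed) */
    0x0a, 0x00, 0x00, 0x02,  /* dst 10.0.0.2 (constructed) */
    0x01,                    /* NOP */
    0x86, 0x0a,              /* CIPSO, option length 10 */
    0x00, 0x00, 0x00, 0x01,  /* DOI 1 */
    0x01, 0x04, 0x00, 0x00,  /* tag type 1, tag length 4, alignment, level 0 */
    0x00                     /* EOL pad to a 4-byte boundary */
};

/* Constructed sample with no options at all (IHL=5). */
const uint8_t plain_hdr[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02
};

int main(void)
{
    printf("cipso offset: %d\n", find_cipso_option(sample_hdr, sizeof sample_hdr));
    printf("cipso doi:    %u\n", cipso_doi(sample_hdr, sizeof sample_hdr));
    printf("plain header: %d\n", find_cipso_option(plain_hdr, sizeof plain_hdr));
    return 0;
}
```

Note the two failure paths a caller must handle: a header with no CIPSO option (returns -1, DOI 0) and a buffer shorter than the IHL claims (also -1), since on a receive path the skb may be shorter than the header field promises.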