Paul is working on a real fix, but has provided this workaround.
I have tested it, and it appears to fix the problem.
-------- Forwarded Message --------
Subject: Re: TCP issues with netlabel - changed in 3.18
Date: Thu, 05 Feb 2015 17:00:01 -0500
From: Paul Moore <pmoore(a)redhat.com>
Organization: Red Hat
To: Casey Schaufler <casey(a)schaufler-ca.com>
On Thursday, February 05, 2015 04:31:56 PM Paul Moore wrote:
> On Thursday, February 05, 2015 01:26:48 PM Casey Schaufler wrote:
> > On 2/5/2015 1:05 PM, Paul Moore wrote:
> > > FYI, in case you're interested, the problem appears to be that netdev
> > > shuffled the order of fields in the skbuff's CB blob, e.g.
> > > IPCB()/TCP_SKB_CB(), which means that we can't use IPCB() regardless of
> > > where the skb is at in the stack. Technically what NetLabel was doing
> > > probably wasn't 100% correct, but it worked :)
> > >
> > > Now to find a proper solution.
> > >
> > > For reference, here is the offending commit:
> > > commit 971f10eca186cab238c49daa91f703c5a001b0b1
> > I have just completed bisecting the problem and can confirm that
> > this is the offending commit.
> > Smack is pretty seriously screwed without NetLabel on TCP.
> Yeah, I'm working on a fix now. The problem is that it is likely going to
> be ugly as we're going to have to parse the IP header each time so we can
> find the CIPSO option in the packet. I'm hoping that I'll find some trick
> to limit this, or speed it up, but no promises at this point.
Okay, attached is a quick fix. I want to go through all the CIPSO_V4_OPT*()
callers to see if things can be improved, but this patch should at least
correct the regression. Crude testing with SELinux is positive, could you
give this a shot with Smack?
security @ redhat
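Paul's approach above is to parse the IP header itself to locate the CIPSO option instead of trusting the IPCB() state cached in the skb control block. As an added illustration (my own example, not Paul's patch or the kernel's cipso_v4 code), this userspace walker over the IPv4 options area finds the CIPSO option (IANA option type 134), skips NOP/EOL padding and rejects truncated or malformed lengths; the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option types (IANA registry). */
#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_CIPSO 134

/* Return the offset of the CIPSO option within the IPv4 header, or -1 if it is
 * absent, the header is truncated, or an option length is malformed.
 * pkt points at the start of the IPv4 header; len is the bytes available. */
int find_cipso_option(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    if (ihl < 20 || ihl > len)
        return -1;                               /* bogus IHL or truncated header */
    for (size_t off = 20; off < ihl; ) {
        uint8_t type = pkt[off];
        if (type == IPOPT_END)
            break;
        if (type == IPOPT_NOOP) { off++; continue; }
        if (off + 1 >= ihl)                      /* length byte would overrun */
            return -1;
        uint8_t optlen = pkt[off + 1];
        if (optlen < 2 || off + optlen > ihl)    /* length claims past header */
            return -1;
        if (type == IPOPT_CIPSO)
            return (int)off;
        off += optlen;
    }
    return -1;
}

/* Constructed 28-byte IPv4/TCP header (IHL=7, checksum left zero): 20 fixed
 * bytes, then NOP, CIPSO option (type 134, len 6, DOI 3, no tags), EOL pad. */
static const uint8_t sample_pkt[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x01, 0x86, 0x06, 0x00, 0x00, 0x00, 0x03, 0x00 };
/* Same header, but the CIPSO length (16) runs past the end of the options. */
static const uint8_t malformed_pkt[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x01, 0x86, 0x10, 0x00, 0x00, 0x00, 0x03, 0x00 };

int sample_cipso_offset(void)    { return find_cipso_option(sample_pkt, sizeof sample_pkt); }
int malformed_cipso_offset(void) { return find_cipso_option(malformed_pkt, sizeof malformed_pkt); }
int truncated_cipso_offset(void) { return find_cipso_option(sample_pkt, 20); }
```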
A change to the TCP handling of IP options has broken
all use of CIPSO on the 3.18 and higher kernels. UDP
and UDS are unaffected. I am working with Paul Moore
and the networking groups to resolve this problem.
It affects SELinux, but as they use CIPSO in only limited
cases it does not have the impact that it does for Smack.