On 7/6/2016 9:28 AM, David Ahern wrote:
> On 7/5/16 6:31 PM, Casey Schaufler wrote:
>> On 7/5/2016 5:49 PM, David Ahern wrote:
>>> On 7/5/16 5:38 PM, Casey Schaufler wrote:
>>>> I have encountered a system hang with my Smack
>>>> networking tests that bisects to the change below.
>>>> I can't say that I have any idea why the change
>>>> would impact the Smack processing, but there appears
>>>> to be some serious packet processing going on. The
>>>> Smack code is using CIPSO on the loopback interface.
>>>> The test is supposed to verify that labels can be
>>>> set on the packets using CIPSO. Unlabeled packets
>>>> do not appear to be impacted. I do not know if SELinux
>>>> is affected, and if not, why not. Smack and SELinux
>>>> use CIPSO differently.
>>>
>>> What are the commands to repeat the test?
>>>
>> There is a tar file attached with the tests.
>> Put the etc/smack/user file into /etc/smack/user.
>> In the tools-2012 directory run make to build
>> the tools. The test in question is called
>> testnetworking.sh and needs to be run as root.
>> You will need to configure Smack in the kernel,
>> of course.
>>
>
> I understand Paul's point and glad to see the changes are not causing issues
> with his SELinux testing.
>
> I have tried to reproduce the lockup you are seeing but not successful. I am
> using a jessie based VM with latest net-next kernel.
>
> root@kenny-jessie3:~/smack/tools-2012# zcat /proc/config.gz | grep SMACK
> CONFIG_SECURITY_SMACK=y
> CONFIG_SECURITY_SMACK_BRINGUP=y
> CONFIG_SECURITY_SMACK_NETFILTER=y
> # CONFIG_DEFAULT_SECURITY_SMACK is not set

CONFIG_DEFAULT_SECURITY_SMACK needs to be set.

>
> root@kenny-jessie3:~/smack/tools-2012# bash -x ./testnetworking.sh
> <no lockup>
>
> Send me your kernel config. Perhaps I do not have some config enabled.
>