07/24/2006 lspp Meeting Minutes:
===============================
Attendees
Janak Desai (IBM) - JD
George Wilson (IBM) - GW
Loulwa Salem (IBM) - LS
Michael Thompson (IBM) - MT
Thiago Bauermann (IBM) - TB
Nikhil Gabdhi (IBM) - NG
Al Viro (Red Hat) - AV
Irina Boverman (Red Hat) - IB
Dan Walsh (Red Hat) - DW
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Darrel Goeddel (TCS) - DG
Chad Hanson (TCS) - CH
Venkat Yekkirala (TCS) - VY
Joe Nall - JN
Lenny Bruzanak - LB
Tentative Agenda:
Kernel update
-------------
GW: AL, would you like to give us kernel updates?
AV: not much. No merges, Linus is not back yet, so he hasn't pulled anything
yet. New branches in git tree still consist of fixes and lazy audit
stuff. That will go to mainline as soon as Linus pulls it. We need
testing on lspp kernel, b.23.
GW: great. At this point we don't want anymore news. As for audit were there
some patches that went into a new kernel
LK: I don't think there is any
GW: I know that .45 is the broken one, is there a .46 version? Steve
mentioned he'll have a new kernel.
LK: let me check. I think he was gonna repatch with Amy's patch, but not the
networking stuff. Anyhow, Steve is back tomorrow, we'll check with him.
GW: Also we did put in a formal requirement for inclusion of CIPSO. We are
trying to give it as much a push as we can.
AuditFS/inotify
---------------
LSPP kernel issues
------------------
Audit userspace
---------------
GW: There is not much on audit. Steve would be the one to give us updates on
this.
LK: yeah, he'll be back tomorrow.
Print
------
GW: Matt, anything new regarding print.
MA: print is looking good, I sent a patch to the list. I heard from cups
maintainer (version 1.2.2-4). I did need to do minor updates. There is
an existing issue with way labels are applied. There is work to be done
to ensure labels are getting on properly. There will be updates mostly
to config documents on how to get that done. The core of cups is looking
good at the moment.
GW: good that it went upstream
MA: I seeing an issue on i386, and it could be just on that arch. When I see
it i try to track it down, but I haven't seen it lately
LK: should we file bugzilla on Fedora in this case.
GW: It is probably a good idea. In general we are opening bugs to track all
issues; that was the message we heard from Irena during our last call.
Feel free to correct me Irena if that is not what we need.
IB: yes. It is better to create bugzillas to track issues.
DW: your patch went out in 1.2.2-3?
MA: yes.
DW: there is a -4 available.
GW: so yeah in general we are opening bugs to track them better.
SELinux base update
-------------------
GW: Dan anything you'd like to tell us regarding SELinux?
DW: not many changes to that, maybe small one for MLS policy. I also worked
with package maintainer for crond and came up with alternate solution, I
believe it is under review currently. With Multilevel crond, Janak was
adding extension on file name as to what level it is running at, now the
patch uses environment variables to indicate what level it is running
at. This reduced size of patch, and it is up for review now
JD: yes it is much cleaner, and I am reviewing and testing it
LK: early on, there was dicussion of changing format of cron file. What ever
happened with that?
JD: this is not changing format, but just using environment variables.
DW: selinux basically looks at ownership of crontab and decides which
security context to run. but it never worked with multilevel security,
so we were trying to figure out how to do that. I think this is a good
solution
GW: sounds cleaner
JD: I remember stephen smalley talked about using file names, but now it
seems cleaner to use environment variables
JD: I think Klaus wanted to bring arranged object ...
KW: There was a discussion on RH lspp list that was inconclusive. if you
submit object then users can change context. Easy to fix, try to turn
off ranged object and see what breaks if you do that ...(didn't catch
the remainder of what Klaus said)
GW: need to do policy experiment
KW: In the mailing list I didn't hear anyone needs multilevel objects. We
need to decide if we keep current behavior
DG: Chad is not back, so I am unable to comment on that. Are you wanting to
extend that to higher object and get rid of all ranges we set by default
KW: this is one way, but another can be if you don't specify a level, then
take the lower level object.
DG: what we have left is sockets, range and block devices, character dev,
blocks, and directories.
KW: polyinstantiation should take care of directories and block devices.
Users don't need to do anything with that. but the terminal device may
be a bit tricky
DG: sounds like good experiment
KW: I'll write another note to list to summarize that. one way is to use
existing overrides.
DG: I need to check with Chad, I don't think we have need for it, but I'll
check.
GW: who is appropriate to carry out this experiment?
KW: I'll work on a patch to current policy and see if it works.
GW: Thanks, I can help you if you need help with that
MLS policy issues
-----------------
Roles
-----
GW: any role issues today
MT: nothing, was in class last week. As far as I know, there are no issues
now.
CIPSO
------
GW: we put a requirement to RH formally and pushed it as much as possible,
haven't done any testing like we did for IPSEc. I think we can look and
see what tests are interesting to run particularly in enforcing mode.
Paul, anything you want to say
PM: a few things, I appreciate any testing you guys can do. Is joy on the
phone?
GW: no, she is in class this week.
PM: she was reporting potential problem with cipso, we exchanged emails, but
unfortunately I didn't help with testing alot. last I was waiting on a
response from her.
GW: I think she was trying different policies
PM: yeah, she sounded like she had alot going on, and I couldn't help much.
I'll take a look at that soon
GW: it doesn't seem like policy to me
PM: I know, especially if she was running permissive. anyway, not alot of
progress on cipso stuff. was trying to tighten up some of these loops
that deal with categories if anyone was following the performance
discussion. (2.6.18 rc1 and rc2 are broken on my machine) once we get a
kernel that works on my test machine, I'll resume work on that.
LK: those are opterons, any one has problems with them?
GW: I don't know
PM works on my ppc and cups titanium. once it works, I'll continue test and
release data. I probably not going to do much work on kernel stuff this
week.
GW: Joy and Fernando are both in class this week, not going to do much work
PM: James Morris seems to think david miller is looking positively on the
patch. I expect that 2.6.18 is in better shape now that the door is
shut.
GW: excellent, hope your read is correct on that.
GW: as soon as they get back, we can do some testing and get some results. I
guess there will be controls for nodes .. or are those supposed to be
removed from these stuff
PM: the secmark had a compatibility mode that allows you to use the old
filter check. up to RH if they decide to use that for rhel5. Do you know
Irena?
IB: I don't know, if you need more info, send me a note, and I'll find
people to answer that.
PM: I know in reference policy they have option to use secmark, making it
more easy and convenient
GW: question is where the hooks are going to be?
DG: as far as net compatibility, when policy is loaded, I assume we have
....
IPsec: MLS, UNIX domain secpeer, xinetd
-----------------------------------------
GW: Anything for this?
VY: As far as I am concerned, sent patch to net dev, haven't heard anything
or comments, I am working on configuration stuff, and hope to have patch
by next week
GW: great thanks a lot.
ipsec-tools: SPD dump and racoon base + MLS
---------------------------------------------
GW: I haven't confirmed if unix domain secpeer is in there, need to check on
that.
DG: is that the one with the memory leak?
GW: you know if katherine has any idea about this?
DG: I don't know, will check with her on that
Single-user mode
-----------------
GW: I bypassed it last week, question is will there be configurable option
to drop into single user mode. would you drop on any failure?
LK: are you sure everything is stopped appropriately? what stops, because we
tried it and we have alot of things running
KW: to clarify, when you drop in single user mode, and you reboot that's
when it stops. current path is .... it needs to be improved to make sure
it is reliable. Either have a dirty flag or a config option for that.
GW: I though that Dan implemented this.
DW: we added stuff to relabel into single user mode, but not to drop to it
GW: sounds like dirty file approach is what we end up using, but it's your
call Dan.
DW: The idea is to put something in <some directory>
GW: you put it there at startup, and remove it on a clean shutdown, so if
you crash, then it is there and you drop to single user mode.
KW: you only remove that file on a clean shutdown. if any unexplained panic
or reboot, then it is forced to go in single user mode
GW: this is an RBAC requirement
KW: yes, we can argue if the administrator can reboot into this mode, but I
don't think this really meet requirements.
GW: Dan, is it possible to hack that in
DW: Yes possible; it's just a matter of time
Gw: you think it is difficult at this stage
DW: basically we want a boot flag. I'll talk to .. and we'll do it
GW: thanks much
DW: on a clean boot you delete the flag, with anything wrong it is not
removed.
Self tests
----------
GW: got back on it. I'm going on vacation mid part on this week. I'll work
on an iteration of that. Also next week Janak will be running this
meeting and hopefully I'll be back next week.
VFS polyinstantiation
----------------------
GW: anything you want to tell us about polyinstantiation Janak?
JD: I am reviewing patch for cron. there may be an issue, but I need to
experiment and check something first. The other good news is that mount
and namespace are in rawhide now. I created bugzilla, and got a message
saying it is slated for rhel4 beta. As for namespace, David is cleaning
and rearranging code, so I am reviewing that. also playing with policy.
GW: have we tried device mapper with that on yet?
JD: not yet.
GW: Ok .. great. We are getting there, all the major pieces are in there
GW: Any other issues
LK: I have a random question about policy. Is only mls policy available now
based on strict policy. is there no targeted MLS
GW: you can build it either way
JD: yeah, I've been building from source
LK: what policy is RH supporting?
DW: we are not gonna support that. There is not an MLS targeted, MLS strict
is very similar to targeted policy
LK: but targeted is a lot bigger and more strict
JD: I've been using targeted-mls, which one should I be using?
DW: you should use strict-mls, not sure what is the difference between them,
probably few if-defs
LK: so you get at least mcs
DW: we don't have none mcs versions
GW: yup, that's helpful to know
DW: that way we get testing on that
GW: so we need to be using the policy package and not building our own. ok
any other issues? alright, we'll adjourn the meeting. Thank you all
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
