08/21/2006 lspp Meeting Minutes:
===============================
Attendees
Robin Redden (IBM) - RR
George Wilson (IBM) - GW
Michael Thompson (IBM) - MT
Thiago Bauermann (IBM) - TB
Al Viro (Red Hat) - AV
Irina Boverman (Red Hat) - IB
Lisa Smith (HP) - LMS
Amy Griffis (HP) - AG
Matt Anderson (HP) - MA
Joe Nall - JN
Bill O'Donnel (SGI) - BO
Dan Walsh (Red Hat) - DW
Debora Velarde (IBM) - DV
Lenny Bruzanak - LB
Ted Toth - TT
Linda Knippers (HP) - LK
Forgive me if any names are mis-spelled or statements attributed to the
wrong voice. :)
Tentative Agenda:
Kernel / Rawhide update
SELinux base update
MLS policy issues
Audit userspace
Print
CIPSO
IPsec
xinetd
ipsec-tools: SPD dump and racoon base + MLS
Single-user mode
Self tests
VFS polyinstantiation
Cron, tmpwatch, mail, etc.
Bugs / remaining tasks
Final cutoff date
Announcements
-------------
GW: Janak Desai has left the project. He has taken a new opportunity
within IBM. There should be some backfill. Farewell Janak :)
Kernel / Rawhide update
-----------------------
AV: Steve Grubb and Al's stuff got into mainline (should take care of
some line items). Rawhide should see these changes in a few days,
mainline has, and MM will get once Andrew rebases.
GW: Can we mix beta and rawhide?
SG: Yes, for a while, no major changes so in some cases you should be
able to interchange.
GW: Seen a problem on fc5+rawhide where root can't change his or
other's passwords. Haven't tested on beta yet.
DV: Seen this on alpha with rawhide layered
GW: We need to retry this on the beta
AV: For syscall classes, andrew added support for ppc/ppc64/s390x.
Probably want to carefully test these. This doesn't differ much
on amd64 and the like since they already have the change.
GW: yes, we need to retest carefully
DW: Changing passwords works ok for me on beta
GW: ok, that's probably an alpha bug
SG: Bugzilla re: ppc shared memory values problem, don't have access
to a ppc machine to do any real debug work.
GW: Try to work with IBM kernel developers?
MT: ok
SG: Confirmed that ppid seems to be backwards (= != flipped) and
needs to be looked into
AV: Interesting...
GW: Is that code dustin wrote?
LK: Are there bugzillas for this stuff that we can see?
GW: Yes, but it's usually painful. We have to add to a confidential
group which makes difficult for others to find/see them.
Can we change this with RH's bugzilla?
IB: We can change that... maybe not
GW: RHIT bugs are now opaque to us
SG: We've talked about these bugs on IRC, and we need to start
looking into them. These are only bugs that we're tracking with
the audit system.
AV: I'm looking at ppc code right now... don't see any difference
MT: Seen this on both ppc and x86_64
AV: Audit pid works correctly
SG: MT: AV: what the heck...
SG: for ppc shared mem, can't really work on, no hardware
GW: we need to leverage our internal hands
IPsec
-----
JN: Confused about IPsec, it seems IPsec not doing what people think
it should intuitively. What are the plans for all the
reconsilliation patches? Is IPsec going to be usefl from an
application developer prospective?
GW: I thought the upshot of that email thread was joy and venkat
finding a bug
LK: I would appriciated a big picture of whats going on
GW: I think its bug fixes, Joy could tell us more
LK: I think Venkat took patches to the list... don't know whats
missing if these patches don't make it, etc
JN: I think he reposted those patches, am putting a system together
to run Joshua Brendal's test
GW: I need to get in touch with Venkat and Joy
GW: Joy to produce write up (not seen yet) to clarify setup and
produce some example policy. Joy claims testing in enforcing mode
and complete label flow. Suspects Joshua had setup problems or
found a bug... thinks might be a bug.
LK: This all might be unrelated to Venkat's patches
GW: Yes, she wouldn't e testing with those patches, she was just
testing with IPsec stress and she found memmv memcpy bugs on ppc
Hoping that she can do write up now that she's done. Will get in
touch with Venkat and Joy to follow up.
JN: Any intent to update racoon to negotiate the labels for
automation?
GW: Venkat has given joy this patch, but Joy hit the oops so she
couldn't continue testing.
JN: That's this patch?
GW: Yes, I think that's one of the patches Venkat produced. Need to
get a handle on Joy and Venkat's status about this. Think Joy was
supposed to send on Venkat's pathes for integrated patches to
netdev
SELinux base update
-------------------
DW: 2 things, 1 been mucking around trying to get rpm and yum working
right. Right now, when we run rpm, when it runs post install its
also running at sysadm_r, which is not sufficient. i.e. yum
update will get scriplet failures trying to get sysadm_r to
automatically transition to system_r, but its difficult to do
this due to run_init.
DW: Thinking we should make users run "rpm" under run_init, but this
is going to be a usability nightmare (reauthentication)
MA: Isn't run_init like newrole? can't we have a "root OK" style
confirm?
DW: Not sure
MA: Getting password prompt to authenticate on newrole to sysadm_r
DW: This might work. Going to restrict rpm to run_init only, to allow
for easy transitions
DW: Issue 2 is cron is running as user_cron_t, which means its
filling up sys logs with AVC messages. cron patch probably
not right, since its running scripts with the wrong context.
DW: Infamous boot to single mode on failure, will go to single user.
We have a patch in place. Using a flag that we're not cleaning
up.
SG: Few things for SELinux: secmark looks like later this week
initial patches will be going into iptabels, but won't be the
complete patch. People can start experimenting.
SG: Are we going to start testing the scripts and stuff from
policycoreutils?
GW: We're focusing on certification testing
SG: What kind of testing coverage is going to be given to SELinux?
Like setenforce and sestatus?
GW: Security relevant will be more throughly tested than
informational
SG: But like restorecon etc
GW: yes, those will be heavily test, like semanage, etc all the
important ones. They will receive fairly extensive testing
needs to be done to meet CC testing requirements
SG: Linda, what about you guys? are you looking into policycoreutils
and libselinux?
LK: My answer is like George's
GW: We don't want to ship broken code, but we can't afford to spend
that bandwidth. We want to get as much FVT as we can, but we
can't do it all
SG: Wondering if other packages will get the same attention as audit
GW: Philosophy has to be low-level testing, not necessarily at the
higher levels
SG: I would like to see restorecon tested heavily
LK: You'll see test caeses written around tools listed in the config
guide
LK: We could use instructions on how to take RHEL5 beta and how to
get it into enforcing mode correctly
GW: We're using rawhide packages on top of the beta
LK: Not seeing any issues?
GW: I don't think so, but that password problem might be related. As
Steve said, if thinks haven't moved too far, should be OK.
LK: If we find a problem in the beta with rawhide packages, who do we
label it against?
SG: If you file against rawhide, we'll fix rawhide but we need to
remember to port to beta
LK: Didn't see an MLS policy in the beta
GW: Key thing is to CC Irina, Dan and Steve
GW: Question, will there be an update repo from the beta or do we
keep pulling from rawhide?
IB: I think we're planning a repo which would be refreshed once a
week
GW: Good, we need that package confidence
IB: Bugs against rawhide usually need to be opened twice, I'll try to
keep track of these
DW: Open these against RHEL5, esp. if in the policy tool chain
Audit userspace
---------------
SG: No news
GW: Should we drop this from the agenda?
SG: I'll have stuff going in, mostly normal bugs and audit parse
library
GW: Will leave a generic audit related item in the agenda
Print
-----
GW: Matt, how is print going?
MA: Not too bad, have had feedback regarding audit messages, working
on this suggestion was a user banner, final banner override field
in messages lprm only doing DAC check, and cancel is going on the
same code path need to get an new version out that has MLS check.
MA: Posted re: what just works means for MCS. think MCS if no
category, then leave label off, assume sysadm didn't want a label
applied because user operating without categories thats about it
GW: Hope you get feedback from the post
CIPSO
-----
LK: Paul on travel, no news on CIPSO
JN: Wrote a pretty complicated policy that seems to be working. Send
me (Joe Nall) an email if you want a copy of this.
LK: Glad to see tools made it into extras
JN: What happens right now if you turn netlabel on, your not able to
access the net because those packets are unlabeled
xinetd
------
TT: Have extended internally to use. So far so good
SG: xinetd has ability to relay between networks, will disable in
favor of iptables
TT: Should xinetd use pam_namespaces to get things to the right
namespace? Am concerned with multi-level stuff.
SG: No, xinetd tries to stay out of pam, but not hard to write a
program that creates the "pam-ified" environment.
TT: So that's what we should do?
SG: Yeah, a program called "pam tester", available at freshmeat,
which launches a bunch of utils
TT: We have a bunch of internal apps which launch though xinetd, and
most of them rely on polyinstantiated /tmp and trying to figure
out how to best recreate that, will look at pam_test and let you
know what I find.
Selftest
--------
SG: Disable prelink
GW: Recommended ripping out and using 8?
SG: Possibly, if it does show up in beta2, do that, but don't do that
work yet.
SG: James will hook it up with the audit system so if we find a
mismatch then we can send messages to audit.
GW: One of the problems I found was RPM misclassifying things, like
config files not being noted as such
SG: Not every config file is labeled that way, because its a note to
RPM to not overwrite this file
GW: Would be nice if I had a real integrety checker to call into
SG: That's the hope
VFS polyinstantiation & cron
----------------------------
GW: Janak will try to help out here, but his time is re-allocated.
We'll try to pick up the slack, but we're - 1(janak).
Bugs / remaining tasks
----------------------
GW: Keep testing and filing bugs, need to test integration, esp in
networking. Need focus on IPsec rather desperately need to flush
out how things should be set up and how to write tests, and we
need the integration test.
GW: For communication on the bugs, if they are not confidential,
should we posting the bug abstract to the list?
LK: Yes, that would be nice. Paul has done this before.
GW: If we could share abstracts, it would be beneficial if Red Hat is
OK with this?
IB: Yes, should be ok
LK: I think I've seen bugs where IBM, RH, HP and Klaus are all
working together
IB: I can set a bug to be IBM and HP confidential, so I can do that
and it can be seen by both
GW: If we don't check confidential boxes, it should be public yes?
IB: Yes, that's what I thought
IB: I will see if its OK to post the list of bugs to the LSPP list
GW: Yes, that's the preferable approach rather than us deciding
confidential or not
Final cutoff date
-----------------
GW: What is the final cut-off date?
IB: I don't think we know, think Oct 4th is the 2nd beta date, but
that's not finalized
IB: I would encourage people to do as much as they can in the next
2-3 weeks
~Fin
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
