09/25/2006 lspp Meeting Minutes:
================================
  Attendees

  George Wilson (IBM) - GW
  Loulwa Salem (IBM) - LS
  Michael Thompson (IBM) - MT
  Joy Latten (IBM) - JL
  Thiago Bauermann (IBM) - TB
  Irina Boverman (Red Hat) - IB
  Steve Grubb (Red Hat) - SG
  Dan Walsh (Red Hat) - DW
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Darrel Goeddel (TCS) - DG
  Chad Hanson (TCS) - CH
  Venkat Yekkirala (TCS) - VY
  Josh Fisher () - JF

Tentative Agenda:

    SG: Got email from Al and he might not be able to join us today.
    GW: Joy is joining soon, let me IM her. We'll be talking about networking
        and will be great to get her input on that.
    SG: do you think the right people will be on the phone today to discuss
        networking?
    GW: good question, do we need people like Stephen Smalley, James Morris on
        the call
    SG: or Eric Paris. I suggest we schedule a call with those people to discuss
        networking soon.
    PM: It may be better to have the teleconference next week so those that are
        working on code can get it in before code freeze.
    SG: I know you've got your hands full, but what about the other guys who are
        waiting on the networking decisions?
    PM: if I am the only one busy, then that's fine, I just got the impression
        that there are others who are in a time crunch now as well
    DG: I would rather get it done early, so we can get a resolution and get the
        code in.
    PM: I think it needs to be in by end of this week.
    LK: I think it is worth having a conference call soon. With networking, if
        you don't pursue it, then it doesn't stand a chance.
    DG: I am selfish on that too, because I don't like to maintain a kernel with
        specific code, so I want to see this in the upstream kernel as well.
    GW: should I set up a meeting for tomorrow afternoon
    SG: we need to poll people's availability first I think
    GW: ok, I'll send a note to the list
    GW: NSA list?
    GW: yes, and RH lspp list and send out an invite to those that respond. I'll
        shoot for tomorrow afternoon. I think we need to get this to closure,
        and discuss the bigger picture. I hope we can discuss some of that today
        as well.

Kernel / Rawhide update
------------------------
    GW: any kernel issues?
    SG: I rolled out the lspp.49 kernel yesterday. It has fixes for the ppc issue.
    LK: is that the ppid problem?
    SG: no, that's separate and it needs trouble shooting. Right now ppid is the
        only bug we need to still look at
    GW: I'll load that kernel on a machine and give it a shot on ppc

SELinux base update
-------------------
    GW: Dan, any selinux updates you have for us?
    DW: the cron problem seems to have gone away
    GW: fixed itself
    DW: James seemed to have fixed it on MLS. I also put a lot of fixes in over
        the weekend. Mike sent me some fixes that will go out tonight in mls
        policy. The autofsck problem is fixed (basically when the machine
        crashes)
    MA: Dan did you see the problem with the permission denied using the init
        scripts on MLS enforcing (version 2.3.14)?
    DW: you sent me an email? I think we talked about it on IRC.
    LK: Now that you have the AVC message, maybe you can send it to him.
    DW: send me what init you get that on, and I'll look at it
    MA: I see it on all. I am not convinced it is just my system, but didn't
        hear back from anyone if they've seen it.
    LK: I am not seeing it but I am running an older policy version and scared
        to update.
    DW: works for me. Send me what you have and I'll look into it.

MLS policy issues
-----------------
    GW: we kinda talked about that, is there anything else to bring up?
    DW: Mike brought this up last week, where useradd starts a service in the
        background; there is a discussion now about how to handle this better.
        This is the same problem that happens with rpm: when you run rpm it runs
        under sysadm_r, we want to come up with a solution so you don't have to
        run run-init to get rpm to work. So upstream is looking into that now.
    KW: one policy issue. We had an idea about how tcp sessions are handled; tcp
        is set up only if you can get the fd. Currently you can establish a
        session then check if you can read/write to it; that causes calls to a
        large number of syscalls.
    GW: and we don't want read/write to become security relevant, because then
        we need to audit them. Al talked about it before as a performance impact
        also.
    KW: what is the reason that current policy does not insist on equal MLS
        labels to set up TCP connections?
    GW: Klaus this might be one to take to the list. Joy do you have any
        thoughts about that.
    KW: I tried this with CIPSO, but not with IPsec, I think they would be the
        same
    PM: I think netlabel uses its own object class and permission so it's
        separate from others and therefore should be easy to do the check. So
        what happened to the xinetd work that we were doing a while ago?
    KW: well, according to requirements, it's fine if trusted applications get
        MLS override (like mlsfileread/mlsfilewrite) capabilities so that it can
        use what TCP connections it wants. Only for untrusted users we need to
        check the MLS labels.
    GW: who will make that change to the policy, Paul you want to experiment
        with that.
    PM: sure, but I am not thinking much about policy, I have lots of deadlines
        now. Klaus and I have been working on netlabel policy. I'll look into
        that more once the kernel work is done. I can't look at it now, but I
        can answer some questions if anyone else wants to try it.
    KW: I can look into that by end of this week. I can do that for CIPSO, but I
        don't have an IPsec setup working.
    GW: one thing we ran across also is the role hierarchy using dominance
        operator is not working as expected. we think that when a role dominates
        another then it is a union of all the roles it dominates. but you
        actually have to newrole to get the permissions associated with the
        roles.
    KW: I would rephrase, you have permission to enter types of other roles, but
        type associated with role is what you log in with. You still manually
        have to transition into the other type. You need to manually add all the
        allow rules to that type. You always have to transition so it's not
        helpful if you want to use it to simplify work
    GW: I guess the question "is that the way everyone expects hierarchical
        roles to work with the dominance operator?"
    DW: Stephen Smalley put out a note explaining this a while ago
    KW: It would be good to add this in future that when you use dominance
        operator you get the rules for the roles added as well.
    DW: if we had a tool, it'll be a matter of running a loadable module on the
        fly to allow the transition
    GW: sounds scary at this point
    DW: yes, but it is something we are looking into. we are at RH looking into
        policy generation tool
    KW: RBAC has requirements for hierarchical roles, so currently we can claim
        to fulfill that, it is just a bit ugly.
    GW: ok, that's good

Print
-----
    GW: any updates for print Matt?
    MA: I got sucked into a lot of policy problems that delayed my release last
        week. I talked to Linda and we came up with a better solution to verify
        the system administrator can do what they need to do. I'll make that
        change, and once I get some last policy issues that I am seeing to work,
        I'll get the patch out. I'll try very hard to get that to happen this
        week.
    GW: alright, thank you much Matt.
    LK: if we don't have bugzillas for these two Matt, then we need to create
        some so the fixes will be pulled in
    MA: I have one, but I'll create another one and post to the list so people
        can keep track of it as well.

Secmark
--------
    GW: any read on whether secmark will make it or not? Last week Dan you said
        you think it might not make it.
    DW: the current kernel fixes are in iptables. We are talking in RH to see if
        that goes into the release. If you guys want to put a push in to require
        it, then you have to do that.
    GW: I don't think we want to require it.
    DW: my own opinion is turn secmark on and put patches into fc6 and run with
        it, but I have concerns
    GW: yeah, we all have concerns. A big piece of Venkat's work is reconciling
        the labels and we'll see the progress on that soon. The question is if
        we use the compatibility mode will RH support that?
    SG: if secmark is not available then compatibility mode is all we have left
    GW: It would be nice to see what is desirable and make that our direction,
        but it's coming very late and is creating the disturbance. And we don't
        know if it will be included or not.
    SG: I won't know until FC6 is cut
    GW: can we make a decision and say we want to support compatibility mode
        even if the changes in iptables happen? The good question is if it is
        there and secmark rules are generated then how will all this stuff hang
        together?
    SG: this should be part of our discussion tomorrow afternoon, but if it is a
        desirable feature then we probably have to wait until FC6 is cut before
        we know one way or another.
    GW: so for now we can't set up a final system, since it can go both ways.

CIPSO
------
    GW: ok, finally cipso, Paul any updates?
    PM: the patches were sent out last week; one of them is a couple of bug
        fixes. There is a change in selinux permission use for packets coming
        into system. The patches have not been accepted yet, but James Morris
        ack'd them. I expect them to go in if not today, then maybe tomorrow. I
        am working on a patch to add auditing for security relevant net label. I
        had discussion with Steve and I am implementing that. I'll send it to
        the list to get comments. I'll send to audit and net-dev, this is
        probably going to be this week. whatever time left I'll work on policy
        and user space. xinetd has come up as result of label networking
        discussion and as far as I know it's the only user. Stephen Smalley
        posted some concerns about that. Steve if you are still the xinetd
        maintainer, you might want to follow that discussion closely if you have
        not been already.
    LK: Paul, is there a bugzilla for that ack?
    PM: no, that was sent through a private note, but I'll create one.
    SG: I am the xinetd maintainer, but that discussion makes my head spin.
        xinetd I think is the only consumer of it, so people don't want to
        patch.
    PM: yeah, not complaining just bringing the thread to your attention in case
        you like to follow it.
    SG: I will, thanks

IPsec
-----
    GW: So regarding IPsec, we'll get a good discussion tomorrow hopefully.
        Anything you'd like to report Joy?
    JL: I sent out the racoon patches to mailing list; one person responded with
        a question, and I need to send him an answer. I also ran racoon patches
        against labeled and unlabeled IPsec and it passed ok. as far as labeled
        ipsec stuff, I am not really sure until we solve the other issues we'll
        talk about tomorrow.
    GW: what other issues do you think we still need to address?
    JL: The issue has come up to produce more fine grained messages. I think
        most of the functionality is there but we were discussing how to
        improve that
    VY: I was going to send the patch last week, but had a few issues come up. It
        looks like in the next day or so, I'll send a patch out.
    JL: if we do that, and produce finer grained SAs, then it looks like we
        have similarity with cipso and then don't see why we need both of those
        together?
    KW: Joy and Venkat, if you can post to the list what the pieces are that we
        need to run with. In order to test, it is not clear what needs to be
        done.
    GW: Joy, can you send step by step instructions on what is needed aside
        from doing the beta refresh.
    JL: you mean how to configure IPsec?
    GW: yeah.. that is part of it, maybe also a link to the patch.
    JL: In the first two racoon patches I sent, I had a write up with
        instructions on how to set it up and use it. I can resend that, but
        everything you need to do as far as applying the patch and using the
        tool is in that email.
    KW: if things are all still accurate then it's fine, but if you can check
        to make sure all the steps/versions still apply and are accurate that
        would help a lot.
    JL: Ok, I'll check that.
    GW: thanks Joy for doing that. Has anybody else attempted to set this up? I
        want to get a gauge to see if there are sufficient instructions on how
        to set it up out there.
    JL: do you need instructions on how to configure IPsec, or how to use
        labeled IPsec?
    KW: maybe have instructions from point of a user who is not really
        interested in IPsec but wants to use it for labeled transport.
    JL: I might not be able to provide that. I can send instructions on how to
        add labels to policy, but what I can't provide is what you need to
        change on your system, for example policy
    KW: what we need is the MLS labels. what you need to do to get MLS rules
        enforced?
    GW: I would like to see a step by step recipe if anyone actually tries this.
    JL: I can do that, but can't do it tomorrow.
    GW: I need to do this as well. We need to try end to end with IPsec, xinetd,
        sshd, and polyinstantiation. It looks like Klaus is the only one
        seriously working on that.
    KW: at this point we can't expect people to be using both IPsec and cipso at
        once.
    PM: the strange thing is that they probably work together right now, if you
        have both labeled IPsec and netlabel on the same connection.
    GW: that's what everyone is saying: all the pieces are there but the lack
        of information is causing us not to know how to set them up; we need to
        get that out there. Hopefully one of the things that will come up
        tomorrow is that the pieces are there but just need to be configured
        properly and maybe write a bit of policy.

xinetd
-------
    GW: Any issues with xinetd?
    KW: is there already info out there on how to set it up?
    SG: I updated the man page. I believe it's a flag that you need to set,
        aside from all the policy work. it's basically adding one line to
        configurations.
    KW: ok, thanks.

Single-user mode
-----------------
    GW: not sure if that made it in
    SG: Dan had to leave. but I am not sure what the status of that is

Self tests
-----------
    GW: I did not do anything on those. Steve, what about the intrusion
        detection package that you wanted me to put in? any progress on that?
    SG: Not much, I was working on tar; it is important and we need to get that
        working before getting to the extra stuff.
    GW: is that tar or star?
    SG: we fixed tar about 6 weeks ago to include extended attributes, as soon
        as James is done with that, then he'll be back working on the intrusion
        detection and it will be good enough to use.

VFS polyinstantiation
----------------------
    GW: this seems to work for some but not others
    KW: if you want to get polyinstantiation working in enforcing mode, it
        doesn't allow that. For example unshare requires capp_sysadm
        capabilities. Does RH have plans to get polyinstantiation or namespaces
        working out of the box?
    DW: I think we want to do that as a boolean if we have it out of the box. I
        have no problem putting that in policy, but govern it by a boolean.
    KW: we can add that to our nice to have list. You need to be able to mount
        on fully instantiated directories and it needs to have appropriate
        labels to get that to work. That depends on local configuration and how
        you want it to work, so it might not be reasonable to get that working
        out of the box. The next thing is I couldn't get polyinstantiation to
        work when logging in through sshd; does anyone have that working?
    LK: Klaus, clearly you are ahead of where I am on testing. It looks like you
        found problems and have work arounds, can you post that somewhere?
    KW: I can, but it is up to George?
    GW: yeah, I think this needs to be shared with the community and I am fully
        supportive of that.
    LK: Is this the type of info that needs to be in pam_namespace man page.
        maybe we need to fix the instructions there too.
    KW: who is maintaining pam_namespace now that we can't rely on Janak?
    GW: Janak is irreplaceable. I can't volunteer, let me think about that some
        more. We may be able to bother Janak a bit, but he is busy. yeah we do
        need to find a maintainer going forward.
    KW: In order to have this work properly, we might need to work with net
        labeling to have the right data; that involves a lot of components to
        get that to work together.
    GW: I think we need to have a name to put as maintainer. As Klaus is able to
        put info out, if others are experimenting and find things out, then we
        would appreciate seeing that info on the list as well. Thanks much Klaus

Cron, tmpwatch, mail, etc.
--------------------------
    GW: cron seems to be working, Dan said, and I don't know if anyone has
        tested that with the mail wrapper. Would it help if I put out a list of
        bugs? Irina mentioned that every issue needs to have a bug with "lspp"
        in the title, so we can search on that. If there is a bug that you need
        but don't want to open, then I'd be happy to open a bug. I can also put
        a list out with the bugs if RH is ok with that
    IB: yes, that is ok George. I also opened all the bugs so anyone can look up
        the lspp bugs. George as far as the bugzilla account, do you have one? I
        couldn't find you.
    GW: yes I do, it is with email ltcgcw.
    IB: ok, I might have used another email
    GW: any other issues? Alright, I'll continue bug fixes. I think that all we
        have now are small fixes. Irina, anything else you'd like to add?
    IB: not much. Just one thing, when you open a bug, also submit the test
        along with it, so I can use that to defend the acceptance of the bug.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp