12/11/2006 lspp Meeting Minutes:
===============================
Attendees
George Wilson (IBM) - GW
Loulwa Salem (IBM) - LS
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Kris Wilson (IBM) - KEW
Debora Velarde (IBM) - DV
Kylene Hall (IBM) - KH
Irina Boverman (Red Hat) - IB
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
James Antill (Red Hat) - JA
Eric Paris (Red Hat) - EP
Linda Knippers (HP) - LK
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Joe Nall - JN
Tentative Agenda:
No holiday meetings
-------------------
GW: Given the holidays coming up, we don't plan on having a meeting for the
    next 3 weeks (18, 25 and 1). We can stay in touch by email. RH is trying
    to shut down development; it is imperative that we get fixes, write bugs
    and verify them asap.
IB: We really need to test as much as possible. We will be able to report
    bugs to fix them before the release candidate in January. It is important
    to file bugs asap; that needs to be done before the end of Dec. RH is
    officially closed the last week of Dec.; most people won't be here.
GW: We'll have some people around, except for New Year's Eve/Day as well as
    Christmas Eve/Day. People are beginning to disappear; a lot more people
    will drop off by this week as well. There will be few people around in
    the last 2 weeks. Is this a problem for anyone? Any concerns?
SG: Sounds fine to me to not have meetings. I'll monitor email through
    Christmas. I'll be able to work high priority issues. I have a feeling
    there are a bunch of bugs that may be undiscovered still.
GW: Unfortunately I have the same feeling.
SG: I feel we will carry a kernel package and a policy package.
GW: We still had installation problems with this build.
IB: Snapshot or beta 2?
GW: Snapshot 2. When we reinstall we get an init panic. That went away the
    last couple of builds, then came back; we still need to do problem
    determination. The virtual ethernet problem seems to be fixed, thanks.
    Really, this is the first installable build we have had in a long time
    and now we need to do a lock down. We are running out of time, especially
    with the timing around the holiday. Having said that, we will flush out
    as many bugs as we can.
IB: Sounds good.
GW: I think everyone is doing that; I'm sure Linda and company are doing the
    same. Thanks Linda for copying us on your bugs. We'll do the same. That
    definitely will save us repeated efforts.
kernel / Beta / rawhide update
-------------------------------
GW: I installed. Had a few hiccups. Klaus made modifications to kickstarts;
    the existing kickstart script saved off file descriptors (fd), and it
    seemed the fd were not restored properly. It might be a general problem,
    but Klaus made a workaround for now. We had kickstart deprecated keywords
    with anaconda. Hopefully that won't happen farther down the line.
LK: Was that an intentional change?
GW: Definitely was intentional. This was the language selection keyword.
    Don't know if you have the intent of producing keywords to prevent the
    prompt for keys. If there is no way to automate that, it'll break
    automated installs. If there is a way around that, we would like to know
    what the keyword will be.
SG: If you wanted to talk about anaconda, we can get them here.
GW: I didn't know we'd talk about it.
IB: Did you file a bug?
GW: There was a note in the file for the deprecated keyword. The fd one,
    I'll open a bug for that. It was general install issues.
SG: I would think there is an explanation.
GW: Anyway, got it installed, and no obvious glaring problems; we need to
    test to see if it is stable.
LK: I am still having fun with polyinstantiation. Dan, I was looking at your
    people page; I see the latest pam on Friday. Did you post something later
    than that?
DW: Let me check.
LK: I think I have everything else ready to go. Dan made a change last week
    that I was running with. He made another version, so I am looking for
    the latest.
KW: We need the new pam to put in the changes that Linus mentioned. The other
    issue is to do the level selection.
GW: So we need to pick up the kernel, pam, and selinux policy.
LK: There is no pam rpm that is new enough.
SG: I was in cvs and didn't see anything new.
DW: 3.6.el5 on Dec 8.
LK: It has all the changes in it?
DW: Yes. It allows you to do selection by level rather than context.
LK: I'll take a look again.
DW: I'll try to install it and check. That should be the one though; if not,
    I'll build another one. pam can be used without the kernel; it allows
    you to choose by name, level or context.
LK: I see the man page is updated; maybe I was doing the wrong command. I'll
    try it again.
GW: What's the pam package?
DW: 0.99.6.2-3.6-el5 (on Dan's page). Go to my people page. It should also
    have the latest policy. The cron fix is coming also. Is James on the
    call?
JA: Yeah .. what did we change in vixie cron? Oh, wait, that fix is not there
    yet.
DA: As of Friday, pam was working for me using levels.
LK: I'll go back and re-test.
DW: Once it is updated, I'll write a blog explaining the changes.
LK: Also was trying to go through the lspp config script; a lot of that is
    no longer necessary.
DW: The trickiest thing I found is the DAC permissions.
LK: Also some inconsistencies about where the instance directory is. It
    seems like we want all instance directories to be in the same place.
DW: I actually changed the namespace explanation to be like that, but the
    more I read it, Janak was explaining that you can do it in different
    directories if you want.
MT: Are you talking about the instance being in /tmp?
DW: The directories that include polyinstantiated directories. I find it a
    bit confusing; you could run out of memory.
SG: I think that Janak had a very good reason why you couldn't do it; there
    is a bug that'll bite you somewhere later maybe.
GW: He had a problem with the x-windows socket.
LK: Didn't try to use the initialization script at all. Do we need one for
    home?
DW: I thought about that too; you need a lot of power to do that. I think
    you are opening a big can of worms in terms of selinux policy to allow
    that.
KW: We can have a helper program. However, this sounds beyond what we need
    now; maybe a fix for the next release.
GW: Other things with the current beta?
KW: When installed using the KS script, I had an invalid grub configuration;
    it wanted to boot from a second part of the hard disk that didn't exist.
DW: Sounds like a generic bug; I've seen that at some point.
GW: Anything else?
PM: I am still looking at the cups stuff that Eduardo saw. The issue of any
    user at any level being able to see jobs at other levels is a one line
    fix, but the print file is a bit tricky. I think I got that; it has to
    do with policy, and I'm re-imaging a system to test that now. If you
    create a print file in /tmp, then the default is cupsd_temp_t, which is
    not being used much. I've been playing with creating a type
    print_output_t as a type for those file printers.
DW: Label that like spool_t.
PM: I was planning to stay away from spool files.
DW: What are these files you are creating?
PM: If a user creates a file on the system .. seems to be a problem .. if
    secadmin printed something, then other users can read it.
DW: Should be labeled somehow.
PM: Right ..
DW: cups is doing this, not lpr .. right?
PM: Right, if the file exists beforehand, it's fine, but if it doesn't
    exist, then it will create it with that type.
DW: You need to write code so that when you create a file, you give it the
    context.
PM: Sounds like hard coding policy into cups.
DW: If the creating type creates the file type, then it asks the kernel what
    the transition should be.
PM: Ok, I see what you are saying.
DW: This way the admin can create files and they'll be labeled correctly.
PM: Ok, that makes sense.
DW: Yeah .. we can take this offline.
GW: Will that be a generic solution?
DW: Yes.
PM: The mls issue is a non-issue, since the level of the file is obvious,
    but TE is the real problem.
DW: Last week Linda was asking about targeted vs. strict policy. I was
    running through that to see what transitions happen. That's where I
    found all those issues with polyinstantiation. So I'll continue to
    update policy.
GW: Great Dan, since all of our combined testing might not hit all these
    bugs. What about the powerful admin user?
DW: sysadm is all powerful except for the audit file capabilities. I think
    that works better than what we had before. Currently the policy has the
    boolean switch, but the problem is the policy compiler will not allow
    you to have the boolean. Tresys is working on that. Currently, we have
    sysadm and auditadm, and we still have secadm.
GW: Ok, so that is another good reason to grab the latest policy. I had an
    issue I was running into with self tests.
DW: Grab my latest policy; I am only putting out policy that is going to be
    in rhel 5.
GW: I've been changing aide policy.
DW: Send me all the changes you need.
GW: I'll go and see what changes are no longer needed compared to the latest
    policy.
GW: I remember there was a problem with runcon.
DW: People were trying to use runcon as a testing tool. It needs a lot of
    policy changes and doesn't work in enforcing. Use newrole to test
    instead of runcon.
MT: So it works only in permissive. Is that documented anywhere?
DW: Yes, permissive only, and I don't think it is documented.
GW: I used to write my own policy. I can have the test create the files, or
    have a permissive setup stage. Might do the latter rather than formal if
    policy is too hard.
DW: Send me what you are trying to do and I'll help with the changes.
GW: I need to rethink that. I am trying to create files at
    systemhigh/systemlow then try to manipulate them.
DW: rootok.
GW: Yeah .. I see that. I can use that to avoid prompting. Would that be a
    problem?
DW: Not really, we are not gaining any information about the user. Someone
    else had a problem with pam.
KH: That was me, I figured that out.
GW: I like that, I'll try rootok.
DW: If you run in unconfined_t then .. actually that won't work either .. nm.
LK: ltp also uses runcon; how does it do that?
DW: It has a policy; the transition is what is missing. So you have to write
    special policy to do the transitions. Theoretically runcon is really a
    test program and shouldn't be installed.
LK: Well, we are trying to use it for testing.
DW: At RH, we use test policy. We actually write policy to allow all domains
    to write to certain files for logging purposes. I can make those
    available.
GW: One of the things we are avoiding is changing policy.
DW: But if you know that is needed, then it's not a big change.
GW: Right, but any of these exceptions we have to explain to the evaluator.
    From a security point of view we have to create policy to allow policy
    to run.
MT: Got a question: to install an selinux module, is sysadm ok to do it?
DW: Yes, sysadm can do it, but the file has to be labeled in a way that
    semodule_t can read it.
MT: I got an error during module install. I get "unable to move
    /etc/selinux/mls/current/modules/active to
    /etc/selinux/current/modules/previous"
DW: Those happen every once in a while .. do restorecon -R mls-targeted and
    that should fix it. Mainly you ran in permissive mode and labeling got
    messed up. If labeling is messed up in enforcing mode, then we have a
    problem.
MT: So restorecon should fix it ..
DW: Yes .. files get created in the wrong context in permissive, and when
    you go do semodule in enforcing, it has the wrong label. I get burned by
    that every once in a while.
GW: So I guess we are all ok with newrole file descriptors. We'll leave it
    the way it is.
MT: Yes.
DW: What's that?
MT: newrole failing to do the stderr ....
GW: We covered most of the areas.
SELinux base and MLS policy update
----------------------------------
PAM & VFS polyinstantiation
----------------------------
CIPSO
------
IPsec
------
JL: ipsec tools finally picked up the racoon patch and it should be in their
    CVS. I ran the stress test on .56. All ipv4 tests look good. The ipv6
    test did not look good at all. I have concerns. I couldn't get it to
    work with labeled ipsec. Got it to work with regular ipv6 and it was not
    very robust at all. Was going to investigate; I saw something similar a
    while ago so I am investigating.
SG: Try the .57 kernel. The .56 kernel is ancient.
JL: If someone else wants to try ipv6, that would help. I found problems
    with my configurations, so someone else trying is appreciated.
SG: Remember that Eric is picking up some non-release versions, so you'll
    waste time working with .56.
EP: I would like to hear about the unlabeled ipsec issue on .57 versus the
    upstream 2.6.19.
JL: I tried 2.6.19 git 12, and I saw similar behavior. I'll try again on
    .57. I'll update my configs as well.
GW: Can you prioritize this high please?
JL: There have been changes in ipv6, so I'll keep trying. I'll post the
    findings that I have. I've been working with Chris PeBenito on ipsec
    policy. I'll give that to him once done.
SG: Also curious about local host.
JL: On .56 I could not get labeled ipsec to work with local host.
GW: Were you doing UDP or TCP?
JL: Was doing simple loopback. Anyone can try it; that would help.
GW: Did you see any AVC?
JL: No, so that was the concern. I am not sure what the problem is.
GW: Seems like a focus item. At least the racoon is in. Please put as much
    effort on this.
xinetd
-------
SG: Take off the agenda.
PM: Take cipso off as well. If something comes up we can discuss it in the
    bugs section.
Self tests / aide
------------------
GW: Still completing that.
Cron, tmpwatch, mail, etc.
--------------------------
GW: Still have issues?
JA: The cron that is available now needs testing to make sure it gets in
    rhel5.
GW: Need to pick the rpm from your people page.
JA: Dan said he is posting it on his page, but it is also on my page.
GW: So that is another thing we need to pick up.
MT: Speaking of these fixes, are these going in rawhide?
DW: Don't use rawhide.
GW: So at this point, we should pick stuff off your people page?
DW: Avoid rawhide for all updates.
MT: Even selinux policy ..
DW: Packages should have el5 in the package name.
GW: So don't pick off rawhide, unless packages that are not relevant maybe.
GW: Any other issues?
SG: The audit 1.3 version got pushed through to beta2. Please check all your
    tests run perfectly. We ran into one test that was different, so we
    needed the test fixed rather than audit.
LK: Was it one of our tests or yours?
GW: Not one of mine .. it had to do with the kernel config changes. It
    recorded that when it passed. When I did aureport it skipped over those
    records and didn't expect them to pass or fail.
LK: Would like test patches if you have them available.
SG: Did build audit 1.3.5 into rhel 5.
MT: I had one issue. Very small set of syscalls: mq_open, mq_unlink,
    mq_timelisten and timesend I think .. Their first arg is a pointer to
    memory; the value of the pointer looks like it is being increased by 1,
    so if you had 1024, in audit it would show up as 1025. That is causing
    our audit tests to fail. I am not sure this is a bug. Has anyone else
    seen this? I filed a bug ..
SG: What arch are those on?
MT: Tried it on x86_64 and ppc64 and I believe it is the same error (RH IT#
    107652).
IB: Create a bugzilla if there is not one. Even if you created an issue
    tracker (IT) and there is no bugzilla, then go ahead and create a
    bugzilla. I personally don't have visibility into IT.
GW: We'll write up anything we see. Michael is creating a bugzilla right
    now.
IB: Scan through all IT and see which ones don't have bugzillas assigned,
    then go ahead and create them.
EP: I just checked that IT and didn't see that one in bugzilla. Go ahead and
    copy eparis as well please.
GW: Alright everyone .. anything else? .. have a great holiday.
Bugs / remaining tasks
-----------------------
Final cutoff date
-----------------
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp