I think I confused voices in these notes, so feel free to correct me if I attributed something to you that you didn't say.

01/29/2007 lspp Meeting Minutes:
===============================
  Attendees

  George Wilson (IBM) - GW
  Lawrence Wilson (IBM) - LW
  Kris Wilson (IBM) - KEW
  Loulwa Salem (IBM) - LS
  Michael Thompson (IBM) - MT
  Joy Latten (IBM) - JL
  Kylene J Hall (IBM) - KH
  Irina Boverman (Red Hat) - IB
  Steve Grubb (Red Hat) - SG
  Dan Walsh (Red Hat) - DW
  James Antill (Red Hat) - JA
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Chad Hanson (TCS) - CH
  Joe Nall - JN
  Ted Toth - TT

Tentative Agenda:

Kernel / Beta / rawhide update
===============================
    GW: Thank you Paul for the loopback fix patch
    PM: Was Joy gonna do stress testing on that? I want to stress it is a proof
        of concept patch so probably there is stuff missing. I posted that to
        spur some discussion. It won't surprise me if it breaks once you test
        with it
    JL: I am hoping for good results
    PM: I noticed other issues other than racoon. The SA in phase two, there is
        no directionality since src and dst address are the same, it is unusual
        so I don't know the ramifications of that.
    JL: I looked at your code and it is the same places I was looking at. when I
        was playing with manual stuff, I only needed one SA and it didn't need
        direction. I had 1 SA and it worked both ways. so I think it's going to
        be ok
    PM: only thing that concerns me is sequence number and window. it is
        loopback so you are guaranteed delivery
    JL: I'll look at seq number. To be honest, I'm thinking who cares about seq
        number on loopback. but I'll look. I think seq number was to make sure
        we are not forging packets
    PM: if there are lots of senders and receivers, what happens in that window
        will we have packet loss
    JL: I'll look at that. To be honest I'm not sure we need to be concerned. I
        think seq number is optional sometimes that's why I'm saying it might
        not matter. So let's just make sure
    PM: Ok thank you
    GW: that's extremely good for everybody. Thanks Paul. How is current kernel
        looking
    LS: it's good I'm using it. I have not seen any problems so far
    GW: how is networking
    JL: yes, it's looking good for me too
    GW: with current policy and 18 kickstart, if I applied updated packages
        during post install phase system rebooted instead of panicking, so it's
        good. Now I don't get console login prompt. I'll look at that more. I
        don't see AVC either. anyone else not seen console prompt?
    LK: I've seen that problem on ia64 on first boot. just on the console
    PM: I think I've seen it as well
    DW: is there a getty for that
    GW: there is a getty on console as far as I can tell. I'll look into it
        more.
    DW: 2 things to check, check the getty and check the device is labeled
        correctly.
    GW: good point since it is a hvc0
    DW: it might be problem ...
    GW: I'll look into that since this is a virtual console
    LK: if you reboot system, it'll be fine .. that's why it's weird. I went to
        single user mode and it came back
    DW: the console came back
    LK: yes, also even though you don't get prompt, I can still log in to the
        system
    JA: when this happens is it running first boot graphical?
    GW: I don't think so. is it even running on first boot?
    JA: depends on your kickstart
    MA: if it is a java console ...
    KW: I've run it on VMware and I don't see that, so I don't think it is
        related to that.
    LK: I'll try to reproduce
    GW: I tried to look at AVC. On first boot you can't log in as admin
        anywhere. so it becomes a lot more of pain. but we are making progress we
        can reboot without panicking. Any other issues?

SELinux base and MLS policy update
==================================
    GW: Any policy issues
    DW: we have to find out why some of you are not able to ssh as some roles
    KW: seems to be related to translation, if I comment that out it works.
        what's happening is that it has separate categories for A and B and it
        combines them. it doesn't like that sometimes
    DW: you added that to bugzilla? cause I'll look at it
    KW: I didn't see the bugzilla, I added that to the mailing list
    MA: there were other categories that worked .. weren't those merged together
    KW: it wasn't doing that with some others
    DW: if I have two categories defined it translates the entire string
    KW: I think it would make sense to give translation to each label. if it is
        supposed to do that then it should work
    DW: you still need to do it for each sensitivity, which is more than desired
    KW: people at lower level don't need to see higher levels. It gets
        translated, but other libraries don't agree on syntax
    LK: can someone log in with raw context? should they be able to
    KW: translation should be at user interface level. I am slightly surprised,
        it is using sometimes the translated and sometimes the raw context
    DW: I'll look into it now that I have more info
    KW: mostly it is related to specific ones.
    DW: library might be broken
    KW: might be too late to change that. I feel more comfortable if tools use
        the translated level all the time
    DW: everything should be translated to raw
    KW: be careful when you are testing that because successful and unsuccessful
        ssh attempt look ok
    GW: so you are advocating not being able to use translation on login
    KW: should be a convenience but not affect security
    MT: what's the fallout
    KW: ...
    DW: maybe ssh is broken, I'll figure out what's going on
    MT: just for my info. going forward there was talk about defining
        categories, individual components but not entire context. Is that still
        the case?
    CH: that would be wonderful.
    MT: the permutations get big, so I see that as being useful
    DW: is A,B the same as B,A
    MT: should be sanitized. categories are independent listing
    CH: raw context has to be same
    PM: question are the compartments related to each other if c1 c2 c7 are
        set, by convention they will display to user in order
    DW: access decision is fine
    KW: currently it allows us to give range of categories. if someone comes
        along and renumbers things, a tool might include things that you might
        not have expected. admin shouldn't use category ranges
    DW: I don't think you can use ranges. only reason I say this is that the
        whole system would break. there is way to translate and it can
        definitely use smarter engine
    MA: and what about changing your translated file
    KW: polyinstantiation uses translated labels. it is something people need to
        be aware of that their home dirs may go away.
    MT: it should be changed to use raw
    PM: there was same discussion for s-tar. Stephen Smalley came out and said
        he likes translated context than raw since it makes more sense
    CH: it might make sense especially if you have different numbering schema
    JN: polyinstantiated dirs used to translate names ..
    JA: do we have any translation which have / in them
    JN: in the us government on labels it has / all over the place
    LK: is there a need to have context as part of directory name
    MA: this came up in last SELinux symposium.
    JA: that should give you usability plus it is guaranteed unique
    GW: hashed would be safest
    PM: I understand this is convenient but how often is it done
    KW: there is no reason why security user logged in as secret can't read his
        unclassified dir.
    LK: if you check file level will you get full context
    KW: kickstart uses level and category to set up polyinstantiation not full
        context. it doesn't need to be fully unique. it's a nice thing it
        doesn't polyinstantiate based on user name.
    JA: ..
    KW: my gut feeling is keep it way it is with translated format. raw format
        has problems
    JW: right we don't want to move everything to raw
    KW: especially for tools ... it would be better if they use ...
    CH: if old setrans file tried to concatenate A and B together...
    KW: there are 2 different definitions
    CH: translation library says there is no match, so I'll take A and B and put
        comma between them.
    KW: if it uses syntax with commas I expect that to pass
    CH: I would expect that to fail if it can't translate
    KW: seems it can't translate back
    GW: Other issues?
    JL: Kylie, Lou and I saw we can't do ssh as secadm .. is there a boolean
        for that?
    DW: there is a boolean. you can't specify to secadm?
    KH: I'll check on that
    KW: isn't secadm deprecated in this policy?
    DW: might be a policy issue
    GW: should we expect them to be deprecated
    KW: it is not possible for sysadm to start setrans daemon in enforcing.
    DW: did you run through init?
    KW: yes. I'll send an email
    PM: maybe because it runs as systemHigh
    KH: auditadm works ok, but not secadm.. wait I wasn't in enforcing
    JL: sysadm only works, secadm and auditadm don't
    DW: ok, it should be an easy fix.
    JN: have Joy's changes made it to latest policy?
    DW: I put them in latest
    JL: I sent patch so setkey can look at directories. I sent you patch so
        setkey can't look in user home dirs for config files and such.
    DW: where is user likely to create these things?
    JL: I don't know where. I figured setkey should only run as sysadm, so I
        don't need to be looking in user directories. So I changed it to look in
        sysadm user dir, /etc/ and maybe /tmp
    DW: Ok, I saw the patch. I'll take another look at it
    KW: problem with setrans, if you use runinit it doesn't seem to know there
        are others running, so it creates another one. It seems to have a pid
        file.
    DW: if you say run-init status what does it show you?
    KW: shows stopped
    DW: so it is not seeing pid file. what is label on pid file
    KW: systemhigh
    PM: what happens if you try to query if you are at systemhigh
    KW: I get no such file or directory for pid file.

PAM and VFS polyinstantiation
==============================

ssh level selection
====================

IPsec localhost, IPv6, 1st packet drop
======================================
    GW: talked about most of networking. first packet drop is not going to get
        fixed anytime soon since it is a big fix. I am wondering the
        ramifications
    JN: I think it is a big impact
    JN: there was email with James Morris and he said he had a patch but it
        wasn't ready for prime time. he said I should use openswan. I was
        surprised he did that
    JL: openswan doesn't use native ipsec either
    CH: it does now
    JN: he said if he didn't use pfkey semantics he didn't see it. I wasn't
        sure
    CH: I think this can't be fixed . if you use netlink
    JL: regardless of socket API .. shouldn't be the same
    CH: I think we still do...
    JN: James said he had patch which fixes blocking packet. even if it is 60 or
        80% solution, it is better than nothing. In our solution I put a check
        and just make it try again, but this is not a solution for 3rd party
        tools
    JA: we can put that in glibc. obviously not the right thing to do
    GW: if we don't do anything, labeled ipsec solution will be useless
    JN: I think it'll be problematic.
    CH: It is not completely useless. it does work, but just has initial setup
        problem
    GW: I think most people are setting VPN tunnels
    IB: is there a defect number.
    JL: I'll open one now
    IB: there are 2 that I can see but not what you are discussing
    GW: Joy will open a bug today. Thanks Joy. I am thinking what is this going
        to mean for certification.
    JL: it will be problematic
    SG: what we need is to get bug open and I'll get that to kernel managers and
        see who we can get assigned to it.
    JL: ok, I'll open a bug now and mail number on lspp list
    GW: is there some hope that we can fix this for cert
    JA: if we have to we can input that in glibc
    SG: not sure they would let us do that though
    JA: yeah. just if we have to
    SG: start with a bug and I'll talk to kernel managers. once we have estimate
        we'll decide.
    LK: are you going to open bug for no prompt on first boot, George
    GW: yes, I wasn't sure first if it was a real bug
    JN: I think this packet dropped discussion is good
    LK: what kernel are you running Joe
    JN: we have .63 and hacked up version to make racoon work with local host

Self tests / aide
=================
    GW: I've done nothing since last week. been trying to get runcon transitions
        to work, not able to get that to happen from python.
    MA: is runcon supposed to work in mls policy
    GW: it should if you give it sufficient policy. another process is to have
        processes running at high and low beforehand
    DW: it would work if you are changing your policy. so it runs on command
        line, but not in the python
    GW: I get invalid context ..
    DW: how are you doing exec in python
    GW: os.system
    PM: I wonder if that invalid context is cause of your problem
    GW: I can do it on command line ..
    PM: wonder if you are getting bit by that translation problem
    MA: you are using system high and low right, not messing with weird
        combinations.
    GW: yeah .. I think if I give perms to use everything, then it should have
        permission
    PM: does python have its own domain
    DW: no
    LK: there was some stuff on selinux about python recently
    GW: fact that says it can't write to /tmp file is weird
    JA: is that on ..
    DW: is python throwing an exception
    GW: no it is what gets put on stderr. I feel it is coming from runcon
    MA: is your runcon still bin_t
    CH: further testing of translation .. it seems A,B doesn't translate
        backward... there is old definition we had compartment problem. it seems
        translation daemon had smart in it to make A,B valid.
    KW: there are 2 things AB is specific translation, which is not good idea if
        you have to define each combination. second issue is in forward it
        translates A,B but in backward it can't translate, I expect them to be
        reversible
    GW: anything else? ok .. we'll adjourn. I'll post self test results see if
        anyone sees any issues. Thank you all.

Cron
====

Bugs / remaining tasks
======================

Final cutoff date
==================

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
