[redhat-lspp] LSPP Development Telecon 07/24/2006 Minutes

[Loulwa Salem <loulwas us ibm com>]

07/24/2006 lspp Meeting Minutes:
===============================
  Attendees

  Janak Desai (IBM) - JD
  George Wilson (IBM) - GW
  Loulwa Salem (IBM) - LS
  Michael Thompson (IBM) - MT
  Thiago Bauermann (IBM) - TB
  Nikhil Gabdhi (IBM) - NG
  Al Viro (Red Hat) - AV
  Irina Boverman (Red Hat) - IB
  Dan Walsh (Red Hat) - DW
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Darrel Goeddel (TCS) - DG
  Chad Hanson (TCS) - CH
  Venkat Yekkirala (TCS) - VY
  Joe Nall - JN
  Lenny Bruzanak - LB


Tentative Agenda:

Kernel update
-------------
    GW: AL, would you like to give us kernel updates?
    AV: not much. No merges, Linus is not back yet, so he hasn't pulled anything
	yet. New branches in git tree still consist of fixes and lazy audit
	stuff. That will go to mainline as soon as Linus pulls it. We need
	testing on lspp kernel, b.23.
    GW: great. At this point we don't want anymore news. As for audit were there
	some patches that went into a new kernel
    LK: I don't think there is any
    GW: I know that .45 is the broken one, is there a .46 version? Steve
	mentioned he'll have a new kernel.
    LK: let me check. I think he was gonna repatch with Amy's patch, but not the
	networking stuff. Anyhow, Steve is back tomorrow, we'll check with him.
    GW: Also we did put in a formal requirement for inclusion of CIPSO. We are
	trying to give it as much a push as we can.

AuditFS/inotify
---------------

LSPP kernel issues
------------------

Audit userspace
---------------
    GW: There is not much on audit. Steve would be the one to give us updates on
	this.
    LK: yeah, he'll be back tomorrow.

Print
------
    GW: Matt, anything new regarding print.
    MA: print is looking good, I sent a patch to the list. I heard from cups
	maintainer (version 1.2.2-4). I did need to do minor updates. There is
	an existing issue with way labels are applied. There is work to be done
	to ensure labels are getting on properly. There will be updates mostly
	to config documents on how to get that done. The core of cups is looking
	good at the moment.
    GW: good that it went upstream
    MA: I seeing an issue on i386, and it could be just on that arch. When I see
	it i try to track it down, but I haven't seen it lately
    LK: should we file bugzilla on Fedora in this case.
    GW: It is probably a good idea. In general we are opening bugs to track all
	issues; that was the message we heard from Irena during our last call.
	Feel free to correct me Irena if that is not what we need.
    IB: yes. It is better to create bugzillas to track issues.
    DW: your patch went out in 1.2.2-3?
    MA: yes.
    DW: there is a -4 available.
    GW: so yeah in general we are opening bugs to track them better.


SELinux base update
-------------------
    GW: Dan anything you'd like to tell us regarding SELinux?
    DW: not many changes to that, maybe small one for MLS policy. I also worked
	with package maintainer for crond and came up with alternate solution, I
	believe it is under review currently. With Multilevel crond, Janak was
	adding extension on file name as to what level it is running at, now the
	patch uses environment variables to indicate what level it is running
	at. This reduced size of patch, and it is up for review now
    JD: yes it is much cleaner, and I am reviewing and testing it
    LK: early on, there was dicussion of changing format of cron file. What ever
	happened with that?
    JD: this is not changing format, but just using environment variables.
    DW: selinux basically looks at ownership of crontab and decides which
	security context to run. but it never worked with multilevel security,
	so we were trying to figure out how to do that. I think this is a good
	solution
    GW: sounds cleaner
    JD: I remember stephen smalley talked about using file names, but now it
	seems cleaner to use environment variables
    JD: I think Klaus wanted to bring arranged object ...
    KW: There was a discussion on RH lspp list that was inconclusive. if you
	submit object then users can change context. Easy to fix, try to turn
	off ranged object and see what breaks if you do that ...(didn't catch
	the remainder of what Klaus said)
    GW: need to do policy experiment
    KW: In the mailing list I didn't hear anyone needs multilevel objects. We
	need to decide if we keep current behavior
    DG: Chad is not back, so I am unable to comment on that. Are you wanting to
	extend that to higher object and get rid of all ranges we set by default
    KW: this is one way, but another can be if you don't specify a level, then
	take the lower level object.
    DG: what we have left is sockets, range and block devices, character dev,
	blocks, and directories.
    KW: polyinstantiation should take care of directories and block devices.
	Users don't need to do anything with that. but the terminal device may
	be a bit tricky
    DG: sounds like good experiment
    KW: I'll write another note to list to summarize that. one way is to use
	existing overrides.
    DG: I need to check with Chad, I don't think we have need for it, but I'll
	check.
    GW: who is appropriate to carry out this experiment?
    KW: I'll work on a patch to current policy and see if it works.
    GW: Thanks, I can help you if you need help with that


MLS policy issues
-----------------

Roles
-----
    GW: any role issues today
    MT: nothing, was in class last week. As far as I know, there are no issues
	now.

CIPSO
------
    GW: we put a requirement to RH formally and pushed it as much as possible,
	haven't done any testing like we did for IPSEc. I think we can look and
	see what tests are interesting to run particularly in enforcing mode.
	Paul, anything you want to say
    PM: a few things, I appreciate any testing you guys can do. Is joy on the
	phone?
    GW: no, she is in class this week.
    PM: she was reporting potential problem with cipso, we exchanged emails, but
	unfortunately I didn't help with testing alot. last I was waiting on a
	response from her.
    GW: I think she was trying different policies
    PM: yeah, she sounded like she had alot going on, and I couldn't help much.
	I'll take a look at that soon
    GW: it doesn't seem like policy to me
    PM: I know, especially if she was running permissive. anyway, not alot of
	progress on cipso stuff. was trying to tighten up some of these loops
	that deal with categories if anyone was following the performance
	discussion. (2.6.18 rc1 and rc2 are broken on my machine) once we get a
	kernel that works on my test machine, I'll resume work on that.
    LK: those are opterons, any one has problems with them?
    GW: I don't know
    PM works on my ppc and cups titanium. once it works, I'll continue test and
	release data. I probably not going to do much work on kernel stuff this
	week.
    GW: Joy and Fernando are both in class this week, not going to do much work
    PM: James Morris seems to think david miller is looking positively on the
	patch. I expect that 2.6.18 is in better shape now that the door is
	shut.
    GW: excellent, hope your read is correct on that.
    GW: as soon as they get back, we can do some testing and get some results. I
	guess there will be controls for nodes .. or are those supposed to be
	removed from these stuff
    PM: the secmark had a compatibility mode that allows you to use the old
	filter check. up to RH if they decide to use that for rhel5. Do you know
	Irena?
    IB: I don't know, if you need more info, send me a note, and I'll find
	people to answer that.
    PM: I know in reference policy they have option to use secmark, making it
	more easy and convenient
    GW: question is where the hooks are going to be?
    DG: as far as net compatibility, when policy is loaded, I assume we have
	....


IPsec:  MLS, UNIX domain secpeer, xinetd
-----------------------------------------
    GW: Anything for this?
    VY: As far as I am concerned, sent patch to net dev, haven't heard anything
	or comments, I am working on configuration stuff, and hope to have patch
	by next week
    GW: great thanks a lot.

ipsec-tools:  SPD dump and racoon base + MLS
---------------------------------------------
    GW: I haven't confirmed if unix domain secpeer is in there, need to check on
	that.
    DG: is that the one with the memory leak?
    GW: you know if katherine has any idea about this?
    DG: I don't know, will check with her on that

Single-user mode
-----------------
    GW: I bypassed it last week, question is will there be configurable option
	to drop into single user mode. would you drop on any failure?
    LK: are you sure everything is stopped appropriately? what stops, because we
	tried it and we have alot of things running
    KW: to clarify, when you drop in single user mode, and you reboot that's
	when it stops. current path is .... it needs to be improved to make sure
	it is reliable. Either have a dirty flag or a config option for that.
    GW: I though that Dan implemented this.
    DW: we added stuff to relabel into single user mode, but not to drop to it
    GW: sounds like dirty file approach is what we end up using, but it's your
	call Dan.
    DW: The idea is to put something in <some directory>
    GW: you put it there at startup, and remove it on a clean shutdown, so if
	you crash, then it is there and you drop to single user mode.
    KW: you only remove that file on a clean shutdown. if any unexplained panic
	or reboot, then it is forced to go in single user mode
    GW: this is an RBAC requirement
    KW: yes, we can argue if the administrator can reboot into this mode, but I
	don't think this really meet requirements.
    GW: Dan, is it possible to hack that in
    DW: Yes possible; it's just a matter of time
    Gw: you think it is difficult at this stage
    DW: basically we want a boot flag. I'll talk to .. and we'll do it
    GW: thanks much
    DW: on a clean boot you delete the flag, with anything wrong it is not
	removed.

Self tests
----------
    GW: got back on it. I'm going on vacation mid part on this week. I'll work
	on an iteration of that. Also next week Janak will be running this
	meeting and hopefully I'll be back next week.

VFS polyinstantiation
----------------------
    GW: anything you want to tell us about polyinstantiation Janak?
    JD: I am reviewing patch for cron. there may be an issue, but I need to
	experiment and check something first. The other good news is that mount
	and namespace are in rawhide now. I created bugzilla, and got a message
	saying it is slated for rhel4 beta. As for namespace, David is cleaning
	and rearranging code, so I am reviewing that. also playing with policy.
    GW: have we tried device mapper with that on yet?
    JD: not yet.
    GW: Ok .. great. We are getting there, all the major pieces are in there

    GW: Any other issues
    LK: I have a random question about policy. Is only mls policy available now
	based on strict policy. is there no targeted MLS
    GW: you can build it either way
    JD: yeah, I've been building from source
    LK: what policy is RH supporting?
    DW: we are not gonna support that. There is not an MLS targeted, MLS strict
	is very similar to targeted policy
    LK: but targeted is a lot bigger and more strict
    JD: I've been using targeted-mls, which one should I be using?
    DW: you should use strict-mls, not sure what is the difference between them,
	probably few if-defs
    LK: so you get at least mcs
    DW: we don't have none mcs versions
    GW: yup, that's helpful to know
    DW: that way we get testing on that
    GW: so we need to be using the policy package and not building our own. ok
	any other issues? alright, we'll adjourn the meeting. Thank you all