[redhat-lspp] LSPP Development Telecon 11/02005 Minutes

Debora Velarde dvelarde at us.ibm.com
Thu Nov 3 19:53:44 UTC 2005


-----------------------
LSPP Meeting 11/02/2005
-----------------------
Known Attendees:
        Matt Anderson (HP)
        Mounir Bsabies (IBM)
        Tim Chavez (IBM)
        Janak Desai (IBM)
        Darrel Goeddel (TCS)
        Amy Griffins (HP)
        Steve Grubb (Red Hat)
        Ken Hake (IBM)
        Chad Hanson (TCS)
        Trent Jaeger (PSU)
        Dustin Kirkland (IBM)
        Linda Knippers (HP)
        Joy Latten (IBM)
        Paul Moore (HP)
        Emily Ratliff (IBM)
        Debora Velarde (IBM)
        George Wilson (IBM)
        Kris Wilson (IBM)
        David Woodhouse (Red Hat)
        Venkat Yekkirala (TCS)
        Catherine Zhang (IBM)
        Russell Coker (Red Hat)

Tentative Agenda:
        Next week
        IPsec labels
        VFS polyinstantiation
        AuditFS Completion
        Audit Enhancements
        Print
        Device allocation
        File archivers
        Unowned items
        SELinux base update
        DBUS
        Package list
        Tasks and assignments
        Test and Documentation

------------
IPsec labels
------------
Catherine trying to test
- able to boot Fedora Core 4 with all the networking hooks
- permission denied msgs - have to add rules to even be able to ping
- Joy originally had to add a lot of allow rules
  but when she put Trent's latest patches (no IPsec tools yet) didn't see as many not allow msgs
Trent: you will need rules for to give permission 

Trent - networking hooks
- Herbert good with latest patch, just formatting issues left
- should be early next week 
- sounds like he's going to upstream it

Catherine and Joy still to produce a usage document
-Right now with the latest, the kernel boots fine
-Now going to add IPsec tools and see if that goes fine, then document should be good to go

---------
Next Week
---------
George will not be here
- We will have another moderator
- Will be getting notes from someone else

---------------------
VFS polyinstantiation
---------------------
Janak's status:
unshare
- unshare same stage as last week
- waiting for Chris Wright
- Janak has pinged him on IRC and emails, no response so he must be really busy since he's been really helpful
Janak working on cron
- extending the cron protocol to make it multi-context aware
- hopes to send first draft of patch for review by end of the week

------------------
AuditFS Completion
------------------
Amy Status:
4 parts to the kernel implementation
1 part to the userspace
each part in various parts has diff status

kernel parts:
1. patch to augment audit inode collection
   completed and tested by Amy
   Her understanding that it would be included in lspp kernel
   awaiting testing

2. interface changes (between kernel and userspace)
   Amy completed
   discussed with Steve on IRC
   Steve wanted Amy to recap and post on audit mailing list
   possible there could be some changes there based on discussion
   Amy thinks that could also be included in kernel now

3. notify kernel 
   written back in August
   a bit of rework to do; not a lot
   there isn't anything that's actually using it
   don't need to include in kernel yet

4. specify watch on a particular location
   implementation that the kernel requires 
   Amy working on but not completed yet

userspace piece:
- Amy made changes in libaudit that she needed
- auditctl needs changes
- Steve will be making these changes but not until 1.1 release of auditctl

some of these pieces are relying on each other

George: Would it be helpful to have someone here [IBM] work on auditctl
Steve needs kernel pieces posted for folks to review
need to start with getting the kernel pieces out and then included in the kernel
- logistics of that?
- David not on the phone yet [joins later]
- Steve will try to nail that down
- pseries problem now fixed, should now be able to yum update 
- make this an agenda item for next week


------------------
Audit Enhancements
------------------
Steve's status
- last week continued updating pam, ssh, other things
- 5-6 function calls going to be deprecated when switch to audit 1.1
- moving pam, ssh, etc over to the new api
- allows freedom to delete those functions
- should be able to kick off a rebuild and all the applications will pick up the new functions
- that way we have compatibility 
- getting prepared to make the big change

pam-tally
- forgot a couple of auditd changes needed for it to
- 1.0.9 today or tomorrow so we can do more testing

DBUS
- starts as root and changes to DBUS user
- trying to make it so that DBUS user still has permission to write to audit
- not in target but needs to be working correctly for everybody else


Dustin's patch to allow filtering in the kernel to allow msg types to be excluded in the kernel before any memory allocated or any time spent creating a record that would be thrown away
- this is a kernel patch 
- Discussion if it should be in userspace or kernel
  some requirements posted early on
  Steve: not viable to do this in userspace could back up the queue
  RBAC
  people don't want all these audit msgs to hit their screen (no way to shut off other than dmesg)
  David: in that particular case there should be an option to make avc
  George: Stephen not on phone but think he had strong opinions about that
  Dustin: advantage of it being done generically - for all msgs not just avc or lspp
  David: We can do this in the kernel, but we're putting stuff in there that we shouldn't, that we could be doing somewhere else
        any little thing won't be the straw that breaks the camel, but it's a slippery slope
- Dustin: Do we need to set boundaries?
  Steve: list back from September
  Linda - info he posted on the list - features didn't have implementation details
  We put user filtering in there, and it doesn't necessarily need to be in there
  Need to increase our resistance every time
- What about filtering logic in the audit library?
  Steve: a lot of traffic userspace with kernel
  David: Why? userspace looking at config
  Steve - problems in selinux
          every trusted application will need a type so that it will have the ability to access that info and don't think we want to do that
  David: is that info restricted?
  Steve: yes, it should be
  Linda: these are trusted programs to begin with
- David: don't generate msgs we don't want, rather than filtering them out in the kernel
  Steve: more syscalls and more context switches, would ultimately burden the kernel more
  Linda: could be less overhead
  David: audit lib would check with config somewhere, if not then turn those to null operations
  Steve: pam lib example
         pam will have to open file, read file, parse the file,
         open & read, 2 more syscalls, also have to give ssh secure admin rules
- trusted applications could check if it should submit its msgs
  Steve: want to control info flow, so one program can't become spring board for other things
  David: trusted programs, should they not know whether or not their msgs are logged or not?
  Steve: they shouldn't; auditd running in system high
- RESOLUTION: We will go with Dustin's patch and say that's it for the kernel as far as filtering, except for ability to track child processes and sessions
- Dustin submitted a new patch (to address comments from Steve and David) 
  sent out 2, 2nd patch is the correct one

- David going to try to build new audit kernel, but having trouble
  lspp rawhide kernel this evening or tomorrow 
  will include Dustin's patch
  should have patch from Amy
  a lot of people not on this call, that do testing
- David will put out email
 
-----
Print
-----
using a soon to be deprecated function
- almost done making those changes

ended up with audit events: AUDIT_LABEL_OVERRIDE, AUDIT_LABEL_LEVEL_CHANGE, AUDIT_LABELED_EXPORT
- label export sounds like export labelled data and not unlabelled data
- Steve thought we didn't need that, selinux labels everything (export data that isn't labelled is unlabeled_t)
  but if we think it's something someone wants to search on, we could add it
- we would want its own audit type in case someone wants to do a search of any unlabelled data
- defining these types with cups in mind
  exported printing, vs exported archive
  what else is going in there
  standardize
  do we want to have printing broken up from archiving
  do we want to have imports as well?
  you may want to be able to do a search of any 

Steve should get audit 1.0.9 out there with new types
- audit 1.0.9 -m param can now take a list of types
- Linda requested that Steve send out sample msgs like Dustin did
- Steve's reply: when I send out 1.0.9, could you run the program with it, generate the print messages and post that on the lspp list


won't see the data exported
- example: tar to cdrom won't label the file it will just put it on there
- biggest issue we don't have a test kernel
- could do an audit on open, and should see the types in the syscall, dev major and minor of the device
- might want to add to the device allocator - auto add that rule, or command line option, for it to automatically add audit rule for that
- How do you determine if it's unlabelled or labelled export? why would it be unlabelled_t
- device allocator would need to iso_t
- OK for this example

maybe next week Dan Walsh will be on the phone (at convention today)
device allocator - manual state change audited anyway


-----------------
device allocation
-----------------
sourceforge project 
- close just need to work on description a little more

--------------
File archivers
--------------
No feedback posted yet
If haven't heard anything by end of the week, Debora to go ahead and try to submit it upstream.

-------------
Unowned items
-------------
items with 0% complete are unowned so feel free to sign up for them

-------------------
SELinux base update
-------------------
base for policy?
barring any major catastrophe, can't throw it in rawhide and blow everyone up,
        standard policy - problems he's had with it
        next week should have update on that

----
DBUS
----
- We need definitive read on this
- shutting it off and seeing that it didn't break something on one of our machines isn't enough
- Steve thinks hotplug events would be broken
- Klaus proposed have DBUS on at boot, and then turn it off before cron or anything comes up
  could be an initd script
- didn't want DBUS in evaluated config if we could do w/o it because we didn't want to have to document
- question about nettop usb mass storage devices used for encryption keys
- We will need to revisit when look at desktop systems
  (along with other items we're not including now but would be needed for desktop such as xwindows),
  but ok without for server
 
------------
Package list
------------
- might not want to discuss publicly
- Steve and George should revisit this and track

----------
Any issues
----------
Request to change meeting time by Russell
- It is his 3AM
- Would like it to be a little later
- David could do later, but not on a Wed
- To be discussed more on mailing list




