[redhat-lspp] LSPP Development Telecon 04/10/2006 Minutes
Debora Velarde
dvelarde at us.ibm.com
Fri Apr 14 20:58:31 UTC 2006
-----------------------
LSPP Meeting 04/10/2006
-----------------------
Known Attendees:
Matt Anderson (HP) - ma
Russell Coker (Red Hat)
Janak Desai (IBM) - jd
Steve Grubb (Red Hat) - sg
Chad Hanson (TCS)
Linda Knippers (HP) - lk
Joy Latten (IBM) - jl
Loulwa Salem (IBM) - ls
Debora Velarde (IBM)
Al Viro (Red Hat)
Dan Walsh (Red Hat) - dw
Klaus Weidner (atsec)
George Wilson (IBM) - gw
Tentative Agenda:
Kernel update
Installation, MLS policy, LSPP kernel issues
Audit enhancements, performance issues
AuditFS/inotify completion
Audit of userspace messages
Audit API
Audit failure action inquiry function
Audit of service discontinuity
Fail to secure state
Print
SELinux base update
IPsec labeling, xinetd, secpeer
ipsec-tools patches: Base, SPD dump, and racoon MLS
Device allocation, udev, DBUS, hald, hotplug
Label translation daemon
Self tests
VFS polyinstantiation
Cron, tmpwatch, mail, etc.
Remaining tasks
Target date has come and gone
Tests and documentation
------------------------------------------------------------
SELinux base update
------------------------------------------------------------
Dan selinux update:
- got Joy's IPsec patch running on machine
- trying to get a hold of Al
- need to get OK and then can throw the patch in
Russell working on secadm, sysadm, audit_adm
Mike: secadm_t can no longer go to /root or go to user's home
Dan will go through and look at it.
dw: Why would secadm be able to go to user's home?
Normally have 2 windows open:
1 secadm
2 sysadm
kw: fixing labelling issues?
MLS override capabilities?
Who can do that?
dw: need him to be able to run chcon command on anything?
kw: somebody needs to be able to do that
secadm better fit than sysadm
don't think sysadm can either
restorecon yes but not chcon
someone needs override capability for more than just default
dw: needs to be able to go into any directory?
kw: Yes
gw: Wendy or Joe might have a perspective on that
dw: Will put it in the policy to allow that, will get it out by tomorrow
------------------------------------------------------------
Kernel Update
------------------------------------------------------------
lspp.16 almost everything in -mm branch
lspp branch
right now getting whole tree
going to split into individual patches
then will go to Linus
there are 2 kinds of components
individual - on track towards Linus
stuff pulled from a system tree
where we're at right now,
responsibility of system maintainers to get to Linus
sg: how long is "sitting in the -mm tree for a while"?
al: giving it a week is alright
maybe tomorrow, maybe a day after that
al: once see nothing catastrophic going on
sg: lspp kernel
working on a .17
doing a test build right now
includes Amy's patches from Friday
+ patch sg sent out on sat
should push that out later this evening or first thing in morning
Loulwa ran regression tests against previous kernel
only problems in how we're parsing but we'll change that
gw: will you try again on sg's new kernel?
ls: yes
Regression
sg: looks like a problem if you try to list 95 rules
get buffer error
doesn't look related to watches
just load 95 syscall audit rules, get same error
trying to get in contact with the netlink maintainer
whatever changed breaks us
Performance
sg: did perf testing
looks like we're losing a lot of perf with current watch situation
looked at algorithm for syscall auditing
don't see simple change to get us perf improvement
all things change was noise range only
couldn't statistically see any improvement
need to figure out how to have a large # of rules
benchmarked same thing in RHEL4 kernel
only 6% performance hit, with 95 rules
current lspp kernel, 232% hit, a lot of work
gw: in danger of missing kernel window because of this issue?
sg: don't know, need to see if Amy has some ideas
Amy on call?
gw: serge had an idea
lk: Amy not on call yet,
She thought we needed to improve intelligence of filtering logic
sg: looked at that in every way possible
doesn't look like
filtering logic is very simple
locking, needs to be multiprocessing friendly
lk: Want to watch a whole directory tree,
if can do with a single watch, should do that
sg: Even if get 10 rules off of that list because consolidated still in
trouble
Need to separate the watch from syscall auditing,
2 can't be tied together
Don't wait until syscall exit to decide if it's auditable, do it
before
lk: Things we should look at
mark it as auditable and not mark rules against
sg: in the code path
evaluating auditability at the time of the filesystem access
as opposed to paying the price at syscall exit
lk: Continue conversation via email, irc, or if she joins call later
gw: Anything we can do on our end?
Try to engage our perf people?
sounds like we know where the bottleneck is?
sg: Streamlining not going to be the solution, got 6%
Has to be an algorithmic change to make that much of a jump
Would like to engage the perf people to do some perf from 11% to 5%
gw: do profiling
lk: Amy was going to take a look at the posix message queues,
maybe Amy should take look at this
gw: Joy and I will look at
not clueless but not experienced in that piece of code
sg: Change to having more operators, more capability
but need to try to close that gap close to what RHEL is
------------------------------------------------------------
Audit API
------------------------------------------------------------
going to start working on it this week
done what he can on kernel w/o talking to Amy
------------------------------------------------------------
Audit failure action inquiry function
------------------------------------------------------------
anybody taken this?
still needs to be done
------------------------------------------------------------
Audit of service discontinuity
------------------------------------------------------------
Ivan working on
sg: got an email from him over the weekend
going to be tied up from now until the end of May
take his name off, and hope someone will volunteer
------------------------------------------------------------
Print
------------------------------------------------------------
Update from Matt:
Print going well
proof of concept that goes well
incapability with ghostscript
work off by updating
untrusted cups rendering the image for the trustedcups
ghostscript different errors
lots of changes in errors to fedora core 5
was working on fedora core 4 w/ updates, but not this version
testing - currently cups doesn't have a config file option
that will allow 2 different
- one uses trusted filter
- one sends files
when looking at that
realized not everything needs to be running through this filter
kw: what files need to be run through the filter
ma: postscript, enhanced postscript, and pdf
ma: does anyone have any other ideas of what files they want parsed?
kw: configuration on support formats
ma: will put together email and post on list, continue discussion on there
ma: hadn't thought about pdf
if going to convert, can convert pdf to postscript, and then handle
for pdf: pdf -> postscript -> then handle
ma: post something next week
ma: want to do more internal testing here
Anything else?
ma: Ran George's RBAC self test utility
Ran fine, only thing is:
by default some of the files in cups weren't included in an exclude
list
the rpm doesn't flag the file correctly
ma: printers.conf file, changed by running
gw: see what fails, and add to exclude list
lk: could change how rpm handles it
gw: when post next patch,
Can you post a paragraph of how you want us to test it?
How to exercise it?
lk: mentioned fedora updated to
March 20th version of cups? or still older?
ma: latest version
not sure if showing up in rawhide or extras
Target date?
ma: want to finish up a little more and do internal testing this week
get something out mid next week
------------------------------------------------------------
IPsec labeling, xinetd, secpeer
------------------------------------------------------------
Joy hasn't gotten attention on patch that she deserves and needs
Dan pushing that on RedHat side
If anyone else has suggestions, send them
Joy: original date was Dec 1st
Update from Joy:
Testing nethooks with ipv4 and ipv6 and succeeded fine
24 hour stress testing
Trying to come up with MLS constraints for IPsec
MLS policy - no MLS constraints
not sure need to put any kind of MLS constraints
Do we need to add any or is that OK?
Dan: think TCS would be the best to answer
Chad: send me an email, I'll think about it,
top of my head don't think of any
gw: targeted policy should be able to use it as is?
jl: right, with unconfined_t
jl: need to write policy in order to use with different types
need to do myself to write up that documentation
gw: try it out
gw: TCS has been doing that
------------------------------------------------------------
ipsec-tools patches: Base, SPD dump, and racoon MLS
------------------------------------------------------------
Catherine posted patch for UDP datagrams
got comments directly from Andrew
Haven't heard from Trent about xinetd patch from Trent's student
hopefully hear something from him in next week or so
Any word on SPD dump issue?
Chad: no
gw: anything we can do to help with that?
Chad: won't complain about any
gw: can't commit any right now
but if someone out there can help with this, please speak up
------------------------------------------------------------
Device allocation, udev, DBUS, hald, hotplug
------------------------------------------------------------
Debbie completed her analysis of dbus, udev, hotplug
addressed some comments
device allocation:
problem with user mounts don't have any kind of limits
then getting screwed by out of memory
gw: Doesn't sound like a huge restriction to make the admin do the mount
in advance
In that case the user wouldn't even allocate the device because the
administrator already mounted it
another daemon out there to help you with that, not device_allocator
Chad: had one bad idea earlier
media through polyinstantiation
Issue is that device allocator can't mount devices
Question is how bad of a problem is that?
What is the customer expectation?
want Cindy/Wendy's input to get user's perspective
Maybe it's an acceptable restriction
Adequate data from Debbie's dbus/udev report?
if so closed
OK, closed
------------------------------------------------------------
Label translation daemon
------------------------------------------------------------
Has Darrel been able to give you a patch?
Very sorry he's out through beginning of next week
------------------------------------------------------------
Self tests
------------------------------------------------------------
Update from George:
Put first attempt in python out on list
Got laundry list from Serge
Will look at Matt's issue.
Let George know if you want to see it do more things
ma: short option tags
gw: has it, just not on the usage
gw: can add to the manpage if it's near final form
gw: think it should do more verification on selinux
if you have any creative ideas of what it should do
ma: was doing it in permissive mode
can you make it an option to not make it exit and keep going?
gw: yes, will do that
------------------------------------------------------------
VFS polyinstantiation
------------------------------------------------------------
Update from Janak:
sent module to RedHat maintainer
had a couple of minor comments, Janak to fix
main thing to do is to write up man pages
Then he'll push it upstream (he's one of the upstream maintainers)
haven't had a chance to write them yet
------------------------------------------------------------
Cron, tmpwatch, mail, etc.
------------------------------------------------------------
Update from Janak:
cron
- sent a patch out on Friday
- mainly incorporated some of the feedback from Stephen Smalley
- had asked him to make some things configurable
- ported it to ?
- copied cron maintainers
- so far haven't heard anything
- but since just sent it on Friday will wait a day or two before pinging
again
gw: thought there wasn't an upstream cron maintainer?
jd: was told to copy different distros' cron maintainers
tmpwatch
basically because can be run on any directory
1. augment the man page to tell the admin that if the dir they are running
this on is polyinstantiated they need to unmount that so they will see all
the other dirs
2. putting that feature in may be possible by adding pam_ to temp watch
But may have an effect where admin is doing ls
- may only see his temp files when doing ls
- but may end up deleting more than just his temp files
wrapping some sort of mailer?
Janak still hasn't gotten to look at that
gw: Dustin was originally going to look at that
------------------------------------------------------------
Remaining tasks
------------------------------------------------------------
date passed
trying to recover by end of month
tasks Ivan was going to take up are now available again
some of those are probably not too difficult to do:
- Audit service discontinuity
- fail to secure state
Had put his name by them on the task lists
Need to take it off and update
------------------------------------------------------------
New wiki location: http://fedoraproject.org/wiki/SELinux/MLS