[redhat-lspp] LSPP Development Telecon 08/07/2006 Minutes

08/07/2006 lspp Meeting Minutes:

  Lawrence Wilson (IBM) - LW
  Janak Desai (IBM) - JD
  George Wilson (IBM) - GW
  Loulwa Salem (IBM) - LS
  Thiago Bauermann (IBM) - TB
  Nikhil Gandhi (IBM) - NG
  Al Viro (Red Hat) - AV
  Irina Boverman (Red Hat) - IB
  Dan Walsh (Red Hat) - DW
  Eric Paris (Red Hat) - EP
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Robert (Atsec) - ROB
  Darrel Goeddel (TCS) - DG
  Chad Hanson (TCS) - CH
  Joe Nall - JN
  Ted Toth - TT

Tentative Agenda:

Kernel update
    GW: let's get started, not much in here I think. Al, do you have any kernel
    AV: Basically everything is in mainline. Now git tree doesn't have anything
	that is not in mainline. I am not sure about the situation with
	netlabel. Also rawhide kernel should be equivalent to lspp kernel.
    GW: thanks Al for your help on this project
    AV: no problem
    GW: we'll get to net label in a bit. I was hoping Irina is on to give us an
	update on the status of that.
    IB: I am on George, what is the question?
    GW: Al was saying that he didn't know the status of the lspp kernel
	regarding net label. Is there an update on its status?
    IB: I understand that it is accepted in -mm tree. Our developers will pull
	it in as soon as it is stable.
    GW: any idea if it will go in, and when?
    IB: CIPSO, and net label are both accepted. They have to go through the RH
	acceptance process before going in RHEL5, but I believe it is accepted.
    GW: anything you need from us or HP?
    IB: Just make sure they are stable, don't break anything. Perform as much
	testing as possible to make sure it is working right.
    PM: you mentioned that net label is in -mm tree; I know it is in Dave
	Miller's tree, not sure it is in -mm
    IB: that is what Tim Burke told me.
    GW: excellent, I will get with Fernando and see what he can test, he is
	working part time. Joy is out for the entire week on personal business.
	Ok, excellent, we are shutting down development and we can start real
	regression testing in the kernel.
    IB: we expect beta 1 to be available for partners on 22nd of August
    LK: is there a code freeze date for beta 2?
    IB: I don't remember, there is a date I just don't have a schedule in front
	of me. I'll let you know.
    GW: It is useful to know the absolute cutoff point for user space. Thanks
	everyone, we are making great progress.

    GW: Steve is out, last he wrote, audit user space is a work in progress,
	mainly in terms of API. I think there is one more change in auditctl but
	nothing major.

LSPP kernel issues

Audit userspace

    GW: Matt, would you like to give us an update? Saw you had a patch out.
    MA: yeah, Tim took it in rawhide, and I believe there was another iteration
	of it as well. I am working with Eduardo in Brazil on an issue, it seems
	you can't set ranges in character devices, so I put together a policy
	file and sent to Dan to check and get back to us on that. Still have
	problems with various foomatic printers, Linda and I are working on
	that. once that is determined there will be a patch for that and
	possibly another one for auditing. I am adding ability to audit title
	of print job, it's also worthwhile to add range of printer device to
	the audit config audit message. The patch looks like it went in the
	first beta, so it's a matter of fixing few things and getting them to RH
	to include in the next version
    GW: good news. thanks Matt.

SELinux base update
    GW: The policy is probably gonna be a work in progress until we get near our
	ship date. Anything you want to tell us about selinux base Dan?
    DW: not much, I am negotiating regarding the init changes. We have a patch
	and figuring out the best way to do this. I see Janak had questions
	about policy, so I'll look into that, but I am on vacation today.
    JD: don't worry about that, I got an answer from Stephen Smalley. The other
	question is small and you can answer it later when you get back. I also
	saw that you put changes to crontab, so I'll download that and test it.
    DW: yeah, I'll be back tomorrow. crontab is running fine at least on my test
    GW: Janak, the dominance operator allowed you to transition into roles, but
	not the union of types?
    JD: Technically true, but you have to change into role to do those things.
	Automatically changing into super role doesn't mean you get everything
    GW: ok, different than what I thought, but the policy compiler didn't segv?
    JD: no, I was able to create the dominance operators I needed.
    DG: it's not the role, it's the type. the type is what you have to worry
    JD: right, so it's the type that matters.

[Later in the conversation]

    JD: We have a library interface which changes initial value of a file that
	someone can create. now there is fscreate in the /proc/self/attr
	directory, but not for sockcreate. I don't know if there are plans to
	put an selinux call for that. Are there plans for that?
    EP: I can do it, at least the user space part of that.
    JD: what type of audit record would that generate, a write to the file?
    EP: yes, I think you would test it the same way you test fscreate, they are
	basically the same thing but use a different path.
    JD: Ok, I'll let Klaus know, I think he was hoping it had a distinct audit
	record. but I'll tell him.
    EP: I don't know what the auditing will be, but it is similar to file

MLS policy issues

    GW: Mike Thompson is not here to complain about roles, and I have nothing
	to add on this.

    GW: we already talked a bit about this. paul anything technical you like to
    PM: Unfortunately I missed the beginning, and not sure what was said
    LK: someone hung up the phone accidentally, that was me :)
    PM: David Miller accepted the patch in 2.6.19, I found it is in -mm tree,
	which is better. We need to do more testing since this iteration includes
	the MLS hooks from Venkat's patch. I think I might have run into small
	problem with the code from Miller's git tree, so I am not sure it is in
	net label patch, or something else. Also, I updated Klaus's policy
	module to allow you to run with no problems. One last note, I will be on
	vacation until end of August, so if you need anything send me
	an email just don't expect a quick response; I will be back 1 or 2 days
	in the middle of that.
    GW: are your patches in the current lspp kernel?
    PM: no, current lspp kernel is based on 2.6.18, but when I switched to
	Venkat's patches those are in 2.6.19. There are two options, I can back
	port my patch, or Venkat's patch gets back ported.
    GW: This brings up good question of who will do the back porting. I know you
	all committed to maintaining your code, does that include back porting?
    PM: well, we need to find out if Venkat's patch needs to be back ported, if
	not, I have no problem back porting my patch.
    GW: good question, who will back port Venkat's patch?
    DG: Venkat will back port his patch, he is on vacation for next 2 weeks
    LK: that's why I was asking for a date of beta 2, ideally we want those in
	there as well.
    IB: Yes, I insist they be in beta 2. I think the date was Oct 9, but we might
	pull to Oct 1. So the cutoff will be at least 2 weeks before so Sept 15.
	I'll be talking to the person responsible for pulling in patches every
	week to see when these will be included.
    LK: also we have someone as a backup for Paul if something comes up
    GW: when Joy comes back she can help back port, also Serge has some free
	cycles and can help, so let me know.
    IB: I thought people were providing Steve with back ported patches.
    LK: Yes they were, but not for the latest patches
    IB: I suggest people should provide Steve with back ported patches
    GW: Yes, this is an important point.
    LK: I think we went out of sync with the kernels of lspp. Steve is back next
	week, so we'll talk to him about that.
    DG: once Venkat's patch gets in, the net label patch should be trivial
    GW: ok, if you need help, please raise the flag

IPsec:  MLS, UNIX domain secpeer, xinetd
    GW: not a lot to say. Steve was working on xinetd patch before going on
	vacation. there is also the SPD dump issue, I don't
	know if there is intent to address that. We have to talk to Venkat when
	he gets back to see if the hybrid approach is workable.

ipsec-tools:  SPD dump and racoon base + MLS

Single-user mode
    GW: Dan already talked about that, he is negotiating to get that working
	with init.

Self tests
    GW: One of the reasons I came back from vacation is to work on that.

VFS polyinstantiation
    JD: I submitted the polyinstantiation patch, and so far one comment from
	Carl for cleanup. He then said that I was following the format of the
	command, so I wasn't sure if he was asking me to change my part since
	it'll be inconsistent with the rest of command. I guess I'll have to
	check on that.
    GW: have we tried it with wrapper mail command?
    JD: no, I'll test with new policy and report on that.

    GW: Ok, sounds good, any other issues anyone would like to raise?
    JN: in the mac6T6 (??) world, there is a way to read socket and get some
	attributes like, id, group id .. etc. there does not appear to be way to
	do it for IP sockets. Does anyone have ideas on how to do that?
    GW: no, I think because we are concerned with MAC control, not DAC.
    JN: if we do a 1-1 mapping from SELinux and Linux context, we can maybe get
	what we need.
    CH: have you looked at something like xinetd
    JN: I was looking at that this morning. I hacked code up to see if we can
	branch the process and get the id. but that doesn't help with the
	group. If anyone has ideas, I'd appreciate it. We had a call with RH, and
	this was one of the issues we talked about.
    DW: what about using CIPSO?
    JN: it is not a sticking point, but if someone has ideas to fix this, then
	I'd appreciate it. When we talked to RH last week, they told us netlabel
	and ipsec patches are going in.
    GW: sounds like a done deal.
    IB: not 100% yet
    GW: yes, we'll continue testing
    JN: do we have test cases for IPsec?
    GW: we have tests, but they are not publicly available
    JN: will they be available under NDAs maybe?
    GW: possibly, we can discuss that.
    JN: Also, we have about 20 developers now, so we might put lots of questions
	on the mailing list.
    GW: Sure, please don't hesitate to ask.
    JN: Since Chad and Darrel are on the call, I was wanting to ask if they can
	share their code for XACE(??) ?
    DG: most of our fixes are to selinux extensions.
    JN: last time I looked at tree, it was against 6.8
    DG: yes, but there might be a tree out there against 7 from Allen
    JN: ok, that is more positive than what I thought.
    DG: there is more push in the community to get the framework in, once that
	is in, SELinux module shouldn't be hard
    JN: does that include window manager?
    DG: no
    GW: is that gonna be open sourced, or will you keep it?
    CH: there are different parts to it, so some will be closed and open
    GW: in particular the Xwindow, and window manager support, will that
	remain closed source?
    CH: some stuff we have out there, there is support for that
    GW: ok, so we should take this discussion off line.

    GW: ok, we are wrapping up. I will not be here again next Monday, and I'll
	put that in the next meeting note, and find someone to run the meeting.
	Thanks everyone, we are making progress and almost there.

Cron, tmpwatch, mail, etc.

More than 90% complete
Remaining tasks

