[redhat-lspp] LSPP Development Telecon 08/21/2006 Minutes
Loulwa Salem
loulwas at us.ibm.com
Tue Aug 22 04:02:57 UTC 2006
08/21/2006 lspp Meeting Minutes:
===============================
Attendees
Robin Redden (IBM) - RR
Janak Desai (IBM) - JD
George Wilson (IBM) - GW
Loulwa Salem (IBM) - LS
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Thiago Bauermann (IBM) - TB
Serge Hallyn (IBM) - SH
Al Viro (Red Hat) - AV
Irina Boverman (Red Hat) - IB
Lisa Smith (HP) - LMS
Amy Griffis (HP) - AG
Matt Anderson (HP) - MA
Klaus Weidner (Atsec) - KW
Robert (Atsec) - ROB
Darrel Goeddel (TCS) - DG
Chad Hanson (TCS) - CH
Joe Nall - JN
Bill O'Donnel (SGI) - BO
Tentative Agenda:
GW: So while we are still waiting on Steve, one thing I wanted to talk
about, is how many meetings do we need to have going forward since
development is almost taken care of. It's just something to think about.
IB: Steve is going to be on in a bit he said.
Kernel / Rawhide update
------------------------
GW: any kernel updates Al
AV: no news
GW: Good, what I was expecting. As far as I know all development is in
rawhide now
IB: yes, I know all patches are in rawhide and probably going to be in beta
1
GW: ok great, now we don't have to keep asking Steve to build kernels for us
JN: any userland patches included in rawhide?
IB: no just kernel stuff
GW: I was hoping Joy could make this call. I saw a note when TCS sent one
patch to joy for incorporation with the userland patches she is working
on.
JL: I am here George
GW: Do you have status on ipsec userland Joy?
JL: not now, I've been stuck in kernel land
GW: did you get a patch from Venkat?
JL: yes he sent it.
SELinux base update
-------------------
GW: is Dan on, or does anyone have news on base SELinux? I hope this development
is done also.
IB: yes, I know he is working with Steve on fixing bugs.
GW: I assume policy bug fixes are the last thing to do. Does anyone have any policy
issues to bring up? I think once we get into roles, we might face some
issues later.
KW: I am not sure if anyone did any end to end testing with labeled
networking, see if labels to network are propagated correctly. I think
these need to be integrated together
GW: I think this is what Joe was pointing to. We need to get end to end
testing. ssh end to end is the most interesting whether done with xinetd
or not, I prefer without. We also need to provide some example policy \
for networking.
JL: right, but we never got that far, since we had basic problems with
getting IPsec working with the policy
GW: need to do that testing. Once again xinetd previous patch not what we
would have hoped it to be a more complete implementation. That limited
the amount of testing people can do. I take Klaus' point as very
important. We need to try and test now before we get deep in testing and
it's too late to fix issues.
Print
-----
GW: I didn't go through my mail yet. Matt, if you give us a quick synopsis
on print, that would be great.
MA: sure, I opened a bugzilla (bug # 203376) this morning, and saw it was
incorporated into rawhide within half an hour, I was very impressed. I
also sent a patch to RH and it will be incorporated in cups.1.2.2-14 for
the audit fail feature. Also when a user prints something, the title for
the print job is captured, this was in response to users asking to audit
filename, the problem is filename can't be trusted, so since title
defaults to filename, then that was part of the audit record. Also there
were some holes in auditing overrides, the code around that has been
updated, and all audit overrides are audited correctly now. There is
still a problem in MLS enforcing to verify access to the print device.
Before it was working when I was running as root sysadm_r role. From
talking to people on #selinux and mailing list, we came up with a
solution, so I need to add that in. The latest version should have all
audit records reporting all the right things. I also posted docs on
how to set up a print server. people should take a look at that and send
feedback please.
GW: great, thanks. If that's all with print, let's move on to CIPSO
CIPSO
------
MA: Paul is still on vacation.
GW: That was mostly a question for Irina, is it going to make it in beta?
IB: It is in rawhide and marked as a beta blocker; means it needs to go
through reviews and either accepted or rejected. if accepted it'll be
part of beta 1, if rejected then it'll be part of beta 2. The decision
will be made tomorrow or Thursday
GW: how will secmark be supported? Stephen Smalley posted something about
having some problems with it. what's RH position on secmark when using
evaluated configurations. Is it going to be a must have, or will we be
working around it. This is with respect to node and net-if, mostly a
net-if issue. whether we really need these controls in the evaluated
configuration. This maybe a mailing list question, not sure if anyone
here knows the answer.
IB: I don't have an answer, so I would say put it on the list
SH: are those even needed? we already have controls
GW: Right, and that's why I am not convinced we need it. this is more like a
firewall type control
JN: I don't know if there is a way to specify anything, you are either all
CIPSO or not. Sometimes that was a problem for us
GW: right, so you use firewall to control that.
JN: no, with if-sec some hosts are multilevel, some single level, with
CIPSO, it's all or nothing. It might have been addressed in later
version but I'm not sure.
GW: so you don't have the granularity you need
JN: right
GW: part of the question is to see if we need it or not. and if we do need
then, then we also need to document it to achieve that control over
granularity. I'll post to the list. What's the compatibility vs. using
secmark, and what's the impact if we have to document secmark.
JN: another issue that developers face is that documentation about secmark,
cipso, and if-sec hasn't matured as fast as the code, and it's hard to
point someone to docs on how to setup things.
GW: yes, it is certainly an issue for us and HP since we have a big pile of
documentation that we need to go write. One issue is that secmark came
in late, James warned us about it, but we didn't realize the impact it
had for rhel5. we can say that it is not needed, but that doesn't seem
to be an option, or we can run in compatibility mode, but RH won't seem
to want to support two things. it causes us and you pain since you don't
know how the final system will be like. I'll take action to point that
to the list and come up with resolution. Hopefully it won't be too bad,
but the documentation impact scares us. But I definitely hear you on
documentation, we need to make the info available to be able for us to
all use it.
ipsec-tools: SPD dump and racoon base + MLS
--------------------------------------------
GW: we touched on IPsec a bit, and the thing that goes on both is xinetd.
Irina, you know how far has Steve gotten with that.
IB: all I know is that he is working on it.
JN: I think we have a work around for not having DAC control by doing
something like that in the ... we'll be ok on that.
GW: are you gonna open source that
CH: I doubt anyone needs that. I was looking into the work that steve was
doing and looking into applying patches to that.
GW: maybe no one else is interested in that. Were you able to do any testing
with that
CH: I made connection to different levels and telneted to machine to make it
work. It wasn't an end to end test but that it just worked.
GW: The proof will be in ssh. I imagine that a lot of people will care about
it.
GW: what is the status of all userspace stuff. Joy, what's the patch that
venkat sent you
JL: it allows racoon to negotiate MLS labels. I need to integrate it in
there. I'll try and get that out soon, but I got stuck in the kernel
part for a while.
GW: ok, no problem. Does anyone have a read on the SPD dump issue? I know it is
not as serious as most of the other issues we have, but if you want to
manage the SPD database, you would need a query on it. If we need to address
SPD dump, then we need to do that soon. Any other ipsec or cipso?
JL: I downloaded the latest rawhide, and couldn't even run regular IPsec. I
got kernel oops and just couldn't get it working at all. I am using
targeted permissive so there shouldn't be any selinux permission
problems. I can't even get it to ping. I opened a bugzilla for that
GW: You have the bugzilla number Joy?
JL: it's our internal bugzilla
GW: Ok, request mirroring to RH on that, also cc Irina and Steve
JL: It worked for lspp.44 kernel, but not rawhide
IB: what about Venkat. Does he know?
JL: I thought CIPSO was enabled in rawhide, but I thought it was also
enabled in .44 kernel. Maybe something changed. Is the only way to
disable it, to not compile it in.
GW: I don't know
JL: I changed the configs of my kernel, and I am building it again to
eliminate that
GW: sounds like a reasonable approach, to eliminate stuff
IB: I am hesitating to put it in beta 1 if it is not working at all. We need
to resolve that quickly otherwise it won't go in beta 1
GW: which rawhide was the one you used joy?
JL: the one I downloaded Friday
JN: can you send your instructions and configs on how you are testing, so we
can try it.
GW: yes, that would be good, since this is a beta blocker. Send out what
you've been doing to set up the systems and test so we can try it too.
JL: ok, I'll send it to the mailing list, shouldn't be hard, right now I am
running regular IPsec
JN: I am particularly interested in propagating labels. but I can also try
the regular. also please put the kernel version you are running so we
have all the right info
JL: I'll send the info to lspp list
GW: when do we need to get that fixed Irina
IB: as soon as possible. Is Venkat aware of this, is he back from vacation?
GH: Venkat just got back
IB: not sure if anyone tried it since it was put in rawhide, we used James
Morris' code changes.
GW: looks like joy is the first to test it. we need to see if this is
something happening on other people's boxes and get started on
debugging, hopefully this will be a glaring problem with a simple fix.
Joy are you gonna try to recreate it.
JL: yes, I opened a bug and put on there how to recreate it, but I'll also
send that out. it is basic IPsec configurations
GW: did you get stack trace out of that, where did it die
JL: yes, it died at skp_to_sgp(??), where it does the encryption.. not even
sure it even dies there. I know there has been lots of changes in
transform code in past few days
GW: hard to say, since there are many patches on top of that
JL: yeah, I need to look at it more.
GW: need to look at patch set against vanilla kernel or against patch
kernel.
JL: it's an odd place, something tells me it is not the real problem
GW: have you tried with vanilla kernel
JL: good idea, I'll try that.
GW: if anyone else has any suggestions
IB: once joy will post the info on the list, I'll send it to james morris
and have him look at it.
GW: great, since this is a critical problem, we need to focus on it. Joy
what arch were you on?
JL: good question, it's Pseries (ppc64) and I didn't try it on anything
else.
Single-user mode
-----------------
GW: Dan was negotiating to get changes into rc-sysinit. You know Irina if
he was successful
IB: I couldn't find him before the meeting to ask him
GW: I assume he did, just thought I'd check.
Self tests
-----------
GW: I actually made some changes to that, I encapsulated the code in
classes, and I will go back and get more things done on that. I'll get
that out soon
VFS polyinstantiation
----------------------
GW: Janak any news on polyinstantiation
JD: I sent a patch to Stephen Smalley, he sent me an email with couple of
problems, one was a resource leak and another is restructuring of some
code, I am working on that and will be sending an updated patch in next
couple of days. The one I sent out is working but has a couple of
problems. Now with the patch you can use newrole and get your
directories polyinstantiated
GW: did you get time to test cron with mail wrapper.
JD: no, we have few people waiting for cron to get done, and we'll be
testing once it is done
GW: Thanks for the update. from what I hear, remaining task will be
addressed with bugs. steve has list of things to be done on audit
Cron, tmpwatch, mail, etc.
--------------------------
Bugs / remaining tasks
-----------------------
Final cutoff date
-----------------
GW: what is the final final cutoff date. I know it's ASAP, but what is drop
dead date.
IB: for features, if not by beta 1, it won't be accepted unless for stuff we
discussed. we'll keep fixing bugs and people need to continue testing.
we need to test rawhide. I hope cipso is working
MA: Paul was working on issue with it dropping packages
IB: yes, he had two bugs and we have suggested solutions.
MA: I think if there are no more bugs then he is not aware of any
JN: I'll try to post a test case to that in next couple of days.
IB: to answer questions, talk to developers on lspp list. The only way for
me to track those issues is through bugzilla.
GW: what I am hearing, if you need anything to get fixed, then you better be
writing bugs, put a lot of effort into testing.
IB: We are relying on project and community to test it as well
GW: certainly our focus has been and will be that. As we wrap development,
testing becomes our focus, besides bug fixes
Further meetings
-----------------
GW: brings question, since development is winding down, do we still need
those meeting
IB: still need at least one meeting, since many developers are missing from
this one
GW: ok, but I do see an end finally in sight. and I'll work on my self tests
LS: I have an issue with audit, wanted to ask Steve. Basically you can add
two watches on same path one with a filterkey and one without or with
different filterkey. Before when we needed to delete a watch a '-W path'
was sufficient, but now you need the filterkey to differentiate which
watch. why would you need to have two watches on same path, is that
needed, is this what the intention of auditctl is?
MT: I don't see it needed, no point in having two watches on same path, one
with key and one without.
GW: yes, doesn't make sense
LS: I'll send out an email about that to steve
MT: and audit mailing list as well.
GW: ok, so if no other issues, then we'll adjourn. Thank you all.