[redhat-lspp] LSPP Development Telecon 02/13/2006 Minutes

George C. Wilson ltcgcw at us.ibm.com
Mon Feb 20 01:58:16 UTC 2006


Apologies for my delay in getting out the minutes.  These were taken by Michael
Thompson and edited by George Wilson.

-----------------------
LSPP Meeting 02/13/2006
-----------------------

Known Attendees:
----------------
   Matt Anderson (HP)
   Andrius Benokraitis (Red Hat)
   Lenny Bruzenak
   Russell Coker (Red Hat)
   Janak Desai (IBM)
   Darrel Goeddel (TCS)
   Amy Griffis (HP)
   Steve Grubb (Red Hat)
   Chad Hanson (TCS)
   Dustin Kirkland (IBM)
   Linda Knippers (HP)
   Joy Latten (IBM)
   Chris PeBenito (Tresys)
   Emily Ratliff (IBM)
   Michael Thompson (IBM)
   Al Viro (Red Hat)
   Dan Walsh (Red Hat)
   Klaus Weidner (atsec)
   George Wilson (IBM)
   Kris Wilson (IBM)

Tentative Agenda:
-----------------
        IPsec labeling, getsockopt(), xinetd
        ipsec-tools
        VFS polyinstantiation
        AuditFS completion
        Audit by role
        Audit enhancements
        Audit of network events
        Print
        Device allocation, udev, DBUS, hald, hotplug
        SELinux base update
        MLS policy gaps
        Cron, mail, etc.
        Self tests, Bastille & STIG hardening
        Target date--what will/won't make it
        Unit and functional tests
        Documentation
        Remaining tasks


New wiki location: http://fedoraproject.org/wiki/SELinux/MLS


General:
--------
- No more status on the wiki, just in email form (had it on wiki for
convenience only).


Networking:
-----------
- News from Catherine, Joy, or Venkat?
- getsockopt() status is unknown (as per George) -- no news from Joy.
- No new issues w/ IPsec labeling.
- IPsec tools maintainers comments on patches?  No, we need to get
acceptance on this.
- xinetd needs help (from Steve Grubb?).
- Need to incorporate TCS patches.
- Will racoon be part of eval config?  Unclear.
- IPsec tools update for current upstream (for Red Hat).
- IPsec userspace needs to get accepted.  No indication of progress here.

- Catherine (update per Joy):  No responses on her patch.  How to proceed?  (Al
Viro / Janak?)

- Dave Miller was copied on initial post.  Either Catherine or one of us needs
to repost and copy Dave per Al's advice.  Testing is also needed.

- Steve Grubb:  Going to rebuild a new kernel either later today or tomorrow
(0.8).  Includes Amy's 3 patches, Jason Barrens (sp?) patch.

- Which yum repo to use?  Woodhouse's is deprecated.  Walsh's is basically an
early mirror of rawhide.
- Audit of user and role modifications should be covered now in FC5T3.
- ipsec-tools progress:  Joy is trying to get feedback from maintainers.


Unshare:
--------
- Janak:  Unshare is upstream.
- Requests made to arch maintainers to get in.  2.6.16-rc3 has unshare in all
arches we care about.

- Steve:  AFAIK, it's supposed to be picked up now (for gcc).

- Janak still testing cron on MLS system


Auditfs Patches:
----------------
- Amy:  Patches are going into kernel . . . working towards stability on last
bits.
- Issue:  Not able to receive inotify_delete_self event; not sure why, though.
Happens with events which involve inodes

- Being removed from the FS; code runs to invalidate before sys_exit, so audit
records are not getting recorded for removals.  Still thinking about how to
approach.

- Target date for inotify client/server:  hopefully this week


Audit by Role:
--------------
- Dustin:  Blocking on patches from Darrel (help with SELinux API).  Work with
James Morris patch.  ETA:  maybe tomorrow.

- Darrel:  Should have some code out for ridicule soon.

- Targeting end of month for patches into development kernel.


Userspace Audit Messages
------------------------
- Tim's patch is almost done, but needs pSeries testing.  No new comments from
Stephen or James (on patch for SIDs).


Audit in General
----------------
- Steve:  Not much going on; audit of user & role modifications is the only
major recent work - should be in T3.


Print
-----
- Matt:  Going well, posting to list today re:  concerns of UID mapping and
capturing for print jobs.  Fixing bugs in patch based on review.  Backporting
functionality from CUPS 1.2.

- Concern about correct UID for audit tools.

- Steve:  CUPS some way to store loginuid.
- Matt:  Concern is something on an exec boundary?  Can I make a call or deal
with PAM?
- Steve:  We have functions to do this already--get/set loginuid.
- Matt:  get_loginuid_by_pid would be great!
- Steve:  Don't want that.  Get the credentials of the connection to start the
job.
- Matt:  We want the right auid, need to pass that on to audit subsystem.

- No significant progress on print server itself.

- Target date for CUPS list:  not ready at this point.
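The exchange above is about which uid a print spooler should hand to the audit subsystem: the request is for a get_loginuid_by_pid-style lookup, and the answer is to take the credentials of the connection that started the job. The following is an added example, not code from the list, from CUPS or from the audit userspace. It assumes Linux, and it assumes that "credentials of the connection" means SO_PEERCRED on the AF_UNIX socket the client connected on, with the peer's audit login uid then read from /proc/<pid>/loginuid (the same value libaudit's audit_getloginuid() reads for the calling process itself). A socketpair stands in for accept() on the spooler's listening socket, so the peer in the demo is the process itself.

```c
/* Added example: recover the audit loginuid (auid) of a client connected over
 * an AF_UNIX socket, the way a daemon such as a print spooler would attribute
 * a job for audit.  Not CUPS code or code from the list; the use of
 * SO_PEERCRED + /proc/<pid>/loginuid is this example's own assumption about
 * how "get the credentials of the connection" would be done on Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* The kernel reports 4294967295 when the task never had a loginuid set. */
#define AUID_UNSET ((uid_t)-1)

/* Parse the text of /proc/<pid>/loginuid.  Returns 0 on success and -1 on
 * malformed input.  *auid is AUID_UNSET for a task with no audit login
 * session (e.g. a daemon started at boot rather than via PAM). */
int parse_loginuid(const char *text, uid_t *auid)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0) return -1;
    while (*end == '\n' || *end == ' ') end++;   /* trailing whitespace only */
    if (*end != '\0') return -1;
    if (v > 0xffffffffUL) return -1;
    *auid = (uid_t)v;
    return 0;
}

/* Read the loginuid of an arbitrary pid.  /proc/<pid>/loginuid is
 * world-readable, so no privilege is needed to read another task's auid;
 * writing it is what needs CAP_AUDIT_CONTROL. */
int read_loginuid(pid_t pid, uid_t *auid)
{
    char path[64], buf[32];
    snprintf(path, sizeof path, "/proc/%ld/loginuid", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (n == 0) return -1;
    buf[n] = '\0';
    return parse_loginuid(buf, auid);
}

/* Credentials of the process at the other end of a connected AF_UNIX socket,
 * recorded by the kernel at connect() time, not supplied by the client. */
int peer_creds(int fd, struct ucred *cred)
{
    socklen_t len = sizeof *cred;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, &len);
}

/* Resolve the auid to put in an audit record for a job arriving on fd. */
int job_auid(int fd, uid_t *auid, pid_t *peer_pid)
{
    struct ucred cred;
    if (peer_creds(fd, &cred) < 0) return -1;
    *peer_pid = cred.pid;
    /* Caveat: the peer may exit and its pid be reused between connect() and
     * this read, so cross-check cred.uid against the owner of the task you
     * looked up before trusting the auid. */
    return read_loginuid(cred.pid, auid);
}

int main(void)
{
    /* A socketpair stands in for accept() on the spooler's listening socket;
     * both ends belong to this process, so the peer is ourselves. */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    uid_t auid; pid_t pid;
    if (job_auid(sv[0], &auid, &pid) < 0) { perror("job_auid"); return 1; }
    if (auid == AUID_UNSET)
        printf("peer pid %ld: loginuid not set (no audit login session)\n", (long)pid);
    else
        printf("peer pid %ld: auid=%lu uid=%lu\n", (long)pid,
               (unsigned long)auid, (unsigned long)getuid());
    close(sv[0]); close(sv[1]);
    return 0;
}
```

Run from a PAM login session and the printed auid is the uid you logged in as even after su or sudo, which is the value the audit records want; run from a daemon started at boot and it reports the unset marker, which the spooler should record as such rather than substituting the peer's uid.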



Udev, Dbus, Device Allocator:
-----------------------------
- Debbie:  No breakages so far with udev/dbus removal.  Latest version of
dev allocator.  TCS doing policy updates to get it up to ref. policy.

- Using tentative list of packages to check dependencies of udev/dbus.  So far,
good news.


SELinux Base:
-------------
- Dan:  dev allocator - new updates.  Creating ref. policy; should be done.
Testing on rawhide last week.

- Klaus:  a simple watch is not sufficient if we're changing security
relevant information (as per protection profile).

- Current MLS policy work:  Polyinstantiation almost working.  SEmodule has had
added policy.


Cron and Friends
----------------
- Janak:  Still experimenting under an MLS . . . still need a mailer.  Still need
to look at; some other things we've not looked at in terms of polyinstantiation.


Self-test
---------
- George:  Posts about maybe conforming to STIGs.  Do we want this?  It has
clear pros; confirms that a system is set up to match a STIG.

- Steve:  May be easy.  Need current state of other tools.
- George:  Need to assess state of Bastille and Fortknox.
- Linda:  Would be nice to have a volunteer so we can allocate a resource.


Timeline
--------
- Target cut-off:  End of March . . . staged for end of February.
- George:  Need to assess what's going to make cut-off date,
and what we do about those that miss.

- Maybe audit makes it?  Print probably won't make it.  Self-test not looking
good.

- ipsec-tools is questionable.
- Secpeer is questionable.
- Audit of network events is questionable, though that should be xinetd work.
- Device allocation is looking pretty good.
- Cron is questionable.  Janak:  turn it out next week, but it has not been
reviewed by cron maintainers.

- We need to push on them and try to get completed.


- Standard unit & functional test reminder . . .


Open forum:
-----------

- Nothing.

-- 
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center
