
[redhat-lspp] LSPP Development Telecon 07/17/2006 Minutes



07/17/2006 lspp Meeting Minutes:
===============================
  Attendees

  Janak Desai (IBM) - JD
  George Wilson (IBM) - GW
  Loulwa Salem (IBM) - LS
  Debora Velarde (IBM) - DV
  Michael Thompson (IBM) - MT
  Joy Latten (IBM) - JL
  Thiago Bauermann (IBM) - TB
  Eduardo Fleury (IBM) - EF
  Fernando Medrano (IBM) - FM
  Nikhil Gabdhi (IBM) - NG
  Al Viro (Red Hat) - AV
  Irina Boverman (Red Hat) - IB
  Dan Walsh (Red Hat) - DW
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Robert ... (Atsec) - ROB
  Darrel Goeddel (TCS) - DG
  Chad Hanson (TCS) - CH
  Corey .... (TCS) - COR
  Venkat Yekkirala (TCS) - VY
  Joe Nall - JN
  Lenny Bruzanak - LB

Tentative Agenda:

    GW: Steve won't be joining today, he is in a plane during this meeting.
    LK: Also Amy is finishing up a few things before she leaves to OLS, so she
	is not coming. If we need her then I'll go get her.
    GW: Ok sounds good.

Kernel update
-------------
    GW: looks like .45 kernel is not a good kernel.
    AV: Considering Linus won't be back for a while, it won't matter. Amy posted
	several fixes last week. I did a patch doing lazy audit stuff for
	situations when we have no rules at all. I sent it to Steve, and when he is
	back, will get it in new kernel. That's about it.
    GW: So hopefully we got everything close to completed
    AV: All pending stuff is manageable. As soon as Linus is back we'll feed it
	to him.
    IB: is it still 2.6.18?
    AV: 2.6.18 does not exist, we have rc2. It is manageable in this cycle; some
	outright fixes; some performance fixes.
    GW: that's good news .. so the major outstanding feature is still 	
	networking. Hopefully Venkat is close to getting ipsec patches done. We
	still don't know the final decision on CIPSO. Hopefully these are all
	the major issues to complete. We will get a new kernel when Steve gets
	back.
    IB: maybe sooner.
    GW: That would be great if someone can get that out this week with updated
	ipsec patches with networking in at all. Any issues with kernel -1?
	we've been testing on it as well.

AuditFS/inotify
---------------
    GW: anything on audit. Amy put in bug fixes.
    LK: she submitted three bug fixes.
    GW: Ok, great. We'll continue running audit tests to make sure there are no
	problems and we did not regress

LSPP kernel issues
------------------

Audit userspace
----------------

Print
------
    GW: Print, I saw the patches that Matt sent out. Anything you need to tell
	us on this Matt?
    MA: I sent out a patch; it works for me on MLS rawhide, but we are having
	problems internally testing it on targeted.
    LK: yes, I am running MLS and it is not working for me.
    MA: We noticed the trailing of banner page has dropped out of this patch.
	Also Lisa pinged me to add the audit failure case functionality. There
	will be a re-spin of cups patch later this week once we find out why it
	doesn't work for Linda. also a new one that works with "paps" package to
	remove dependency. Hopefully we get something to work for people.
    LK: needs to be before Thursday.
    IB: better by Wednesday.
    KW: need to be careful that even if "paps" is in rawhide, it might not be
	picked up by rhel.
    MA: thanks for bringing that to my attention Klaus, I'll check on that.
    GW: It's a good idea to stop development. Irina wants us to stop by
	Wednesday.
    IB: Freeze is on Thursday. so we just need to make a push and finish
	quickly. Are self tests part of rhel5?
    GW: should be part of the certification.
    IB: I was more concerned about user space packages.
    GW: how easy is it to inject bug fixes. In case we need to fix print after 	
	the freeze date.
    LK: I think it's close. it works for Matt, but not me, it's probably
	something small and we'll find it. if people want to try it it would
	help to figure out if it is just Linda or if it is something different
	in Matt's configurations.
    DW: Besides cups stuff, I updated some policy to allow cups to run.
    GW: thanks Dan.
    MA: great news Dan, thanks. The stuff I sent you earlier, is now out of date
	with the new changes. so if you can get the updated info please.
    DW: most problems I find is lpr command being prevented to run by normal
	users
    MA: the issue around run init is that lpq wouldn't work from there.
    DW: I put a lot of fixes for that, I'll continue work and have it done
	tomorrow.

Device allocation
------------------
    GW: linda, klaus, and Casey brought up idea that device allocator is more
	relevant to print. one of the big push back Dan is getting on it being a
	trusted program, and there is no need for it to be trusted if used by
	regular users. Are people ok with it being not trusted.
    KW: it can be a trusted but not privileged (ie no setuid, or MLS
	privileges).
    CH: We want it.
    MA: if we get rid of dev allocator and have admins manually setting things, 	
	we would lose audit records.
    CH: yes it is a requirement, who allocates devices.
    LK: George was looking for ideas of what else it can be used for
    CH: we use it for user devices, CDrom for example as well
    KW: I don't know why you would need that. you need an admin to do that, not
	a user
    GW: wouldn't it need the ability to mount
    DG: mounting devices doesn't work, ideal goal is yes. You allocate the 	
	device and mount it
    KW: if anybody can write secret data to a floppy and it gets relabeled as
	unclassified it's a big hole
    DG: not any user, only users allowed to access the device
    CH: there is a user logged in, and they want to do something and they 	
	allocate that device
    GW: but that is for work stations
    CH: you are claiming that there are normal users logged in to the server. if
	there are cases for users, then they might need access to media devices.
    GW: if you have it mounted...
    CH: You can also tar the device.
    DW: the push back was because people prefer to have some interaction with
	HAL.
    DG: there are ways to not have it setuid.
    DW: right now with HAL, you stick a usb and it gets mounted and unmounted to
	the user; obviously you can't do that with lspp. but if there is a way
	to communicate with HAL, that would work for us.
    DG: we'll look into that. It needs ability to relabel somehow as well.
    LK: doesn't it need setuid to audit
    DG: right, good point Linda. We need it to audit as well.
    GW: we decided to disable HAL after bootup
    DW: You need to just disable mount, unmount only
    GW: I believe we are shutting it off completely right now, Debbie correct me
	on this.
    DV: Yes, we are shutting it off completely after boot.
    KW: there are some features that can be useful in workstation environment,
	but they don't need to be used in certification.
    GW: we initially thought that users don't need to be able to mount/unmount
	devices, so this is late change in the game. Maybe we can have
	configurations to set up this. Is it too late to consider these changes
	Dan, or Irina. this doesn't seem like something we can get done by
	Wednesday.
    LK: Klaus mentioned that it can be included, but it doesn't need to be in
	certification. If we make a change now, I am thinking I need to update
	HLD, LLD, new test cases.
    GW: Yes Linda, exactly what I am thinking.
    IB: There are exceptions, but there are so many exceptions we can process
	and still maintain schedule.
    GW: yeah, so how important is it Chad.
    CH: we can continue to work on it, and send it upstream, so it probably
	doesn't have to be there at first, and we can just send it there.
    GW: it isn't useful unless it is setuid and can audit. Well not necessarily
	setuid, but there are ways to move around that; it needs to do some sort
	of type transition to be able to relabel.
    DG: the audit requirement is biggest for lspp.
    DW: it doesn't limit it to admin, you can't have unlabeled data exported to
	labeled device, or labeled data to unlabeled device.
    GW: if we can meet requirement, and not have it integrate with HAL, then
	maybe Dan doesn't need to waste cycles on it.
    KW: I think it is not helping to have type environment. if it is something
	you can support yourself as you need then it is one less thing to worry
	about for rhel5. I think the action involved can be audited at syscall 	
	level.
    GW: so if syscall audit will meet requirements, then is that Ok.
    KW: what you are talking about is actually doing changecon, and setattrr
	which creates audit records that should have the info we need already
    GW: So are we telling Dan not to waste time on it ..
    KW: in my opinion it is not needed to have it
    DW: I agree, but I like to see it integrated in the future.
    CH: we will keep it in sourceforge and keep it updated.
    GW: ok, we reached consensus on that


SELinux base update
--------------------
    GW: Anything for selinux Dan.
    DW: I already talked about playing with cups stuff. there are fixes in
	tonight's package. we should be releasing trouble shooter by Thursday.
	The whole idea is to make selinux easy to use.


MLS policy issues
-----------------
    GW: Any mls policy issues. Mike Thompson is one that seems to run into them
    KW: considering we are heading to deadline, it would be nice to have the
	policy pieces for networking loaded to the redhat package to have
	consistency.
    DW: if anybody needs updates get them to me and I'll get them into beta2
    DG: I found issues, if you log in to terminal console, it will not allow you
	to change password. it needs to be able to edit shadow.
    DW: should be going for pam to do that, if you get any AVC messages, then
	please send them to me
    GW: Also the issue of the mix of 32 and 64 bit packages. This wasn't case in
	the past, we brought it up with steve, but there was no resolution. Dan
	you might help there. Seems if you installed, you got both 32 and 64
	packages
    KW: The critical issue is that pam for example has binaries and libraries
	overwriting each other without warning or check to make sure a complete
	set is left.
    DW: ok, I'll get on that.
    KW: we can have one set of the executors outside of PAM. the pam tally
	functionality stopped working completely because they use different
	modules
    LK: sounds like a good candidate for bugzilla.
    DW: ok, I'll handle it that way, that will be a bug fix.
    GW: I'll take action to write bugzilla today.


Roles
------
    GW: I think those are more crisply defined right now.
    DW: there is an update where upstream maintainer is working on so that it is
	easier to assemble a role.
    GW: how hard is it now?
    DW: not too hard, the code is large, and it is a matter of breaking it up.
	we are making it modular
    LK: we did have this open issue how to create new roles based on old role.
	We reached consensus on technical part of solution.
    IB: we need to make sure we all agree on solution
    KW: I think we need to involve David O Brian who is updating the security
	target.
    LK: We wanted to combine security guide with selinux guide, which sounds 	
	like a good idea.
    GW: so we need to hear back still
    IB: yes
    KW: which reminds me, do we have initial documents to go along with the
	betas.
    IB: we do have some. I'll talk to him to make sure we have some drafts. I'll
	make sure to post drafts.
    MA: one more thing about roles. if we can maybe get something into bash
	around that, it would be useful for people.
    GW: I think James Antel was working on that
    DW: The worked on application to show that, he was working with bash
	maintainer to get that in. not sure what happened with that. I actually
	have a bash script to show me what role I am running. it's simple to
	execute, it executes id -Z to show me
    MA: Ok, it is simple, but if we do it so many times, it would be worth to
	have it as a script

CIPSO
-----
    PM: not a whole lot since last week, did performance testing, and posted
	results; consensus was positive. Nobody seemed to complain.
    VAL: I replied, but there is one number I can't explain. We are chewing
	resources there, I'm almost positive it's in the loops where we are
	tearing and putting bitmaps together.
    PM: I think it is good enough for first round. I'm happy to leave it where
	it is until I hear anything. I pushed the netdev patch out. I got some
	comments from James Morris and I put those in and sent it out again. I
	don't think I'll hear anything since all are busy with kernel summit.
	The issue is that the lspp kernel is based on 2.6.17, but the netdev
	community is expecting it on 2.6.18.
    GW: hopefully we get a new kernel soon
    PM: once things settle for a bit, maybe I can maintain two sets of patches
	for netdev and lspp.


IPsec:  MLS, UNIX domain secpeer, xinetd
-----------------------------------------
    GW: there are patches for IPsec, and it is better . Any word from Venkat.
    VY: today I have patches out. haven't heard back from Joy or Fernando about
	any bugs. they mentioned a udp issue, but haven't heard anything.
    GW: I believe it was a configuration issue, but Fernando is here
    FM: yes .. all passed now. you suggested we run tahi, I had some delays
	caused by setup issues, but they are being run as we speak
    GW: joy, how is performance testing going?
    JL: they are going good. Is CIPSO automatically enabled in lspp. I run on
	machines with fedcore5, I noticed that when I introduced the fc5
	machine, I got msg from cipso, I got message about "admin prohibited"
	whenever I try to send a package. I am on kernel .44.
    PM: cipso is enabled by default.
    JL: when net performance sent that package I immediately got that message
	from the .44 kernel.
    PM: you know if there was an ip option set.
    JL: I didn't, but that is what I was gonna do next
    PM: ok, look at that and post anything you find out.
    JL: I didn't realize that CIPSO was enabled.
    PM: I am not surprised cipso is responsible.
    JL: I disabled ipsec just to make sure it wasn't what was causing this, and
	still got the same issue.
    PM: take a look and see if there is an ip option.
    GW: so tests have been running and you have not seen problems.
    JL: I had some base policy changes, and I'll send to Dan to see if they make
	sense.
    DW: I got to drop off right now, anything you need added, please send to
	me in email.

ipsec-tools:  SPD dump and racoon base + MLS
---------------------------------------------
    GW: we still need a fix to the SPD dump for the certification, I haven't
	checked if it made it.

Single-user mode
-----------------
    GW: I meant to remove this

Self tests
-----------
   GW: I'll get back on that.


VFS polyinstantiation
----------------------
    GW: Janak, anything
    JD: nothing new, pam namespace is upstream. been playing with loadable
	policy issues. Concern is that I didn't send anything to cron
	maintainer, I'll see if someone can ping the person holding on the vixie
	cron. I emailed him when I heard he is doing it to see if I can help.
   KW: if pam namespace isn't in rhel5 already, should we do a bugzilla to make
	sure we don't leave it out.
   JD: I'll check on that
   KW: also amtu is missing for rhel5
   GW: how do we want to track these issues
   IB: we can track these issues in bugzilla.
   GW: ok, so we will be opening bugzillas
   IB: please keep me updated to make sure they are handled. There are 2 more
	entries, for kernel and user space, also one of ipsec. there are bunch
	of entries.
   GW: we will start opening bugzillas, and you want us to CC you on them
   IB: yes, also if you put in the header lspp, we can search on that.
   GW: anything specific for format.
   IB: I'll just search for keywords in case people don't copy me on bugs. We
	had a specific kernel feature of concern, we need to get rid of tux on
	computer.
   KW: make sure it doesn't get autoloaded
   CH: there is a kernel module black list, not sure what it is.
   DG: can't you do something with modprobe, way to turn modules off.
   IB: as long as they don't have dependencies.
   KW: also might be nice to disable kernel keyring as a module.
   GW: that one we may have to permit for admins.
   KW: We only need bug fixes.
   GW: it's only a policy changes.

Cron, tmpwatch, mail, etc.
--------------------------

Kernel features of concern--tux, hypfs
---------------------------------------
    GW: some of these other features like keyring, config filesystem, we need to
	keep if users can use them. We need to make decisions about those late
	breaking features. Is there way to disable tux? there is a module in
	rhel5 alpha.
    MA: can you look in /etc to see if there is a modprobe -d.
    LK: is that a question we have for RH, which packages are gonna be included.
    GW: we really need to narrow that list of packages down for lspp. we may
	want to have separate meeting to go through the package list.
    GW: we'll exchange mail on this. if we see something missing now we need to
	keep track of it
    KW: can you post it (the list)
    IB: I have to check with project manager.
    GW: we can maybe exchange it through email.
    IB: we need to find out who will participate in this discussion.
    LK: I want it
    GW: klaus, and me would like to see it too
    ROB: me too please.
    IB: ok, I'll see if I can post it
    LK: when is rhel 5 beta available
    IB: the freeze is this Thursday.
    LK: is there a target date?
    IB: there is, I just don't have a schedule in front of me, but it should be
	really soon.

    GW: ok, any more issues? Alright everyone, we'll adjourn.

More than 90% complete
Remaining tasks

