[redhat-lspp] LSPP Development Telecon 03/13/2006 Minutes
Debora Velarde
dvelarde at us.ibm.com
Thu Mar 16 00:23:18 UTC 2006
-----------------------
LSPP Meeting 03/13/2006
-----------------------
Known Attendees:
Matt Anderson (HP)
Andrius Benokraitis (RH)
Lenny Bruzenak
Russell Coker (RH)
Janak Desai (IBM)
Darrel Goeddel (TCS)
Amy Griffis (HP) - ag
Steve Grubb (Red Hat) - sg
Chad Hanson (TCS)
Linda Knippers (HP) - lk
Joy Latten (IBM)
Loulwa Salem (IBM) - ls
Michael Thompson (IBM) - mt
Debora Velarde (IBM)
Al Viro (Red Hat) - av
Dan Walsh (Red Hat)
Klaus Weidner (atsec) - kw
George Wilson (IBM) - gw
Kris Wilson (IBM)
Tentative Agenda:
Kernel update
SELinux base update
Secpeer accepted!
IPsec labeling, xinetd, ipsec-tools
VFS polyinstantiation
AuditFS completion
Audit enhancements, including audit by role
Audit API
Print
Device allocation, udev, DBUS, hald, hotplug
Cron, tmpwatch, mail, etc.
Self tests
MLS policy issues
Target date--what will/won't make it
Remaining tasks
Unit and functional tests
Documentation
------------------------------------------------------------
Kernel Update
------------------------------------------------------------
Steve put out a new kernel
- addressed memory leaks
Update from Al
- there had been some issues
sg: another kernel, Tuesday or Wednesday
merging Darrel's and Dustin's patches and maybe Amy's patches
another version of the patch addressing Al's findings
ag: posted a patch today that fixed all the things Al Viro found
Amy doesn't have a patch to auditctl
she has been using a changed libaudit
Amy hasn't been planning to do any changes to auditctl
How about releasing an rpm for our group and not publicly?
sg: If spending that much time to get it the way he wants it, he should
post it to everyone
sg: doesn't want to get started until it forks
kw: Amy could you post what you have against libaudit so folks could use
that?
ag: have posted it before but will again
sg: will post that on his people's page
------------------------------------------------------------
SELinux base update
------------------------------------------------------------
Update from Dan:
working on most bugs reported on mailing list
one fixed by tomorrow
gw: ss was on line, not any more
problem: ssh into a machine multiple times
dev pts file system, nothing in policy
supposed to be SystemLow to SystemHigh
Why is it happening at all?
Shouldn't be happening but that's what the kernel is assigning it
Dan will take it to the kernel folks
3 more things that need fixing in the policy
FC5 is frozen
but new development not allowed in the build
difficult getting updates while FC5 is frozen
chad: when mount the dir, becomes SystemHigh, should be SystemLow to
SystemHigh
there is something in policy saying it should be SystemLow
Dan will try to get a hold of Stephen Smalley and see if he can shed some
light on it
Mike has question about his policy:
should it arise that certain scenarios need policy to do something
example: can't assume role of admin and then switch to user
Can we have role in policy that can be used by the test environment?
by default not assigned to anyone
secure system wouldn't use that role
Answer: Would be best to use Expect or something like that
to simulate the real environment
------------------------------------------------------------
Secpeer accepted!
------------------------------------------------------------
Catherine's secpeer patches appear to be accepted
hope that it will get upstream sometime soon
------------------------------------------------------------
IPsec labeling, xinetd, ipsec-tools
------------------------------------------------------------
Joy still working on ipsectools
- hasn't had much response on ipsec mailing list
- one maintainer posted he wanted to accept it
but he wanted input from other maintainers
- last week, Venkat, the maintainer, and joy all posted about patch
- Joy will send another note for comments and copy all maintainers
How are updates to ref policy going?
Joy had to update to get it working with nethooks
put aside to get policy for selinux testcases updated
gw: being positioned to be there soon,
really need to get userspace piece there
gw: need someone to hack xinetd
may be gw or someone else that picks that up
Darrel, chad, can you give update on racoon
chad: no further on it yet
gw: updated tasklist of what we're tracking
once joy's patch is accepted for ipsec-tools, might want to go ahead
and combine
------------------------------------------------------------
VFS polyinstantiation
------------------------------------------------------------
Update from Janak:
- started work on feedback he's gotten
- making more configurable
- hoping by next Monday to have a new version
regression testing
Janak has been testing new kernels to make sure that unshare is still working
and not broken
------------------------------------------------------------
AuditFS completion
------------------------------------------------------------
Update from Amy:
- posted a patch end of last week
- Al had more feedback
- been cleaning up and re-basing patch
- finishing today and will re-post
- then will look at work for inotify
Inotify
- wanted to see a cleaner separation inotify and a client for the
userspace and the kernel
- use of common structures
- going to start on inotify API rework next
lw: asked if it was inotify or audit people wanting the changes
ag: some were from inotify maintainer
Target Date?
- Amy hasn't looked at it for a couple of months, need to take a look at
it before can give ETA.
- Need by next week to get upstream
- sg: was hoping Al could help with that
- av: willing to help with that but not sure how useful he'll be since his
taste and theirs is so different
- could be an incremental improvement
- Amy needs to look at it before she can say whether or not it's possible
to get it in a week or not. Amy will post to the list.
------------------------------------------------------------
Audit enhancements, including audit by role
------------------------------------------------------------
gw: Dustin put his patch out
Has sg taken a look at it?
sg: wasn't me that was objecting to it
sg: personally ready to merge it
sg: question about Tim's patch
that one needs to get picked up
sg: labels w/ userspace messages
depending on something, selinux API avail now
patch needs to be adjusted for that
gw: relatively small patch?
sg: probably
sg: plan to put Dustin's patch in the next kernel
patch in kernel now has the syscall record thing that sg wanted tested
look for missing data
check slab allocation
sg: think everyone is okay
added script off sg's dir that looks for slab leaks
gw: serge's suggestion was to add watches and build the kernel 100 times
gw: can we run regression tests on the kernel?
ls: Was it in the .11 also?
sg: Yes, but the .12 takes care of the memory leak
Loulwa has run some regressions on .11 and didn't find any regressions
Loulwa will run on .12, and post on list so Steve knows she's run it
George or joy will have to work on that, have a bit of Dustin's time
------------------------------------------------------------
Audit API
------------------------------------------------------------
API
- some discussion
sg: unless hear more, the API is final
sg: hoping to have ready for testing on Friday
------------------------------------------------------------
package list
gw: will try to get a meeting time
early April probably be better
new min install
min package install, might be helpful for configuration
capp tests had to uninstall a bunch of packages
new min package install has a lot less
kw: Fedora Core 5 - on schedule
Dan: yes
------------------------------------------------------------
Print
------------------------------------------------------------
Trying to get it out last week
internal testing, found a couple of bugs
2 patches:
1. back-port
2. combination of audit patch and MLS patch that TCS put out
will go out later today, won't have back-port for Unix domain sockets
will have everything for trusted server
------------------------------------------------------------
Label Translation Daemon
------------------------------------------------------------
TCS had mentioned that we might want to have a label translation daemon
and we should ask them for the label translation daemon
gw: asks TCS for that daemon
lk: seconds that motion
gw: what's the vehicle for that?
is it GPL now?
Darrel:
- had done some work on it to daemonize it
- strip off networking portion
- will revisit work done before, clean it up, and get it out
Device_allocator project? or its own?
- just needs to be accepted and put in
- hope to get something there sometime this week
------------------------------------------------------------
Audit of Child Processes
------------------------------------------------------------
gw: planning on that being part of the certified?
sg: yes, someone in kernel will be working on that
gw: added that to the list of items tracked
------------------------------------------------------------
Device allocation, udev, DBUS, hald, hotplug
------------------------------------------------------------
Debora's Update:
- yum updated & installed additional packages to get dev_allocator built
- noticed new messages filling up /var/log/messages
- coming from hcid and avahi-daemon
hcid is Bluetooth
gw: Probably okay to disable bluetooth
debora disabled bluetooth, all hcid messages went away
avahi-daemon
- avahi-daemon has config file,
change enable-dbus to NO
those messages go away
Chad: probably don't want avahi-daemon running anyway
see what packages require avahi and try removing them
debora to post all info on wiki and list
------------------------------------------------------------
Cron, tmpwatch, mail, etc.
------------------------------------------------------------
cron - no updates
------------------------------------------------------------
Self tests
------------------------------------------------------------
George's Update:
put together scripts
having trouble getting rpmverify to give useful data
some configuration files change, like statistics
wanted to make it configurable
Do we want some general mechanism for panicking, single user mode?
or putting something into the audit log?
What should that mechanism look like?
Calls a script, looks like a config file to see what it should do
like if selinux is not enabled
How should that be defined?
sg:
- if self test fails, should send audit message, anomaly msg that it
failed
- nothing in userspace that panics
- if amtu fails, doesn't bring system down
long term, doesn't exist right now
sg: has amtu patch to send the anomaly msg
self test - should send an anomaly msg
skeleton.c, can take a look at the msgtype, issue a shutdown
Dan: want to be careful about shutting down into single user mode
kw: not default behavior
gw: certainly not
sg: long term
gw: Need Tim's patch to make sure authentic?
sg: already authentic, Tim's patch just to have the label
sg: don't have a label, have uid, just not context
Audit Inconsistencies
kw: on the audit mailing list, about inconsistencies, spaces...
sg had posted it's too late
sg: OK, let's make a list
mt: do you want one bugzilla that has the whole list?
sg: look at list before putting it in bugzilla
post to list first, then bugzilla
------------------------------------------------------------
MLS policy issues
------------------------------------------------------------
if anyone finds any problems post them on the list
------------------------------------------------------------
Target date--what will/won't make it
------------------------------------------------------------
inotify stuff
print doing great
ipsec label packets - focus on userspace
testing on the secpeer
label translation daemon
------------------------------------------------------------
unit and functional tests reminder
comments are great
------------------------------------------------------------
New wiki location: http://fedoraproject.org/wiki/SELinux/MLS