[redhat-lspp] LSPP Development Telecon 01/09/2006 Minutes

George C. Wilson ltcgcw at us.ibm.com
Wed Jan 11 01:06:23 UTC 2006


Known attendees:
        Matt Anderson
        Mounir Bsaibes
        Tim Chavez
        Janak Desai
        Steve Grubb
        Linda Knippers
        Dustin Kirkland
        Joy Latten
        Ken Hake
        Chad Hanson
        Amy Griffis
        Chris PeBenito
        Emily Ratliff
        Stephen Smalley
        Michael Thompson
        Dan Walsh (DW)
        Klaus Weidner (KW)
        George Wilson
        Kris Wilson (KEW)
        Catherine Zhang


RHEL5 SCHEDULE AND CUTOFF
-------------------------

RHEL5 cutoff end of March.
Real cutoff date is end of Jan. or early Feb.
Need RH help for upstreaming.
SG:  Need to get upstream.
Through is March probably OK.
Going through list; much stuff already done.
Steve and George need to ensure they're in sync.

SG:  See 2 or 3 major items outstanding:
        FS audit completion.
        Dustin audit by role.
        Transport piece is a dependency for audit by role and auditfs.
        Haven't looked at udev--could require kernel changes--IBM?
        Dev Allocator--needs testing--IBM?

George to update the task DB.

FEDORA BUILDS
-------------

SG:  Updated tty audit for RBAC over Christmas.
DW:  FC5T2 will be cut tomorrow and out in a few days.
MB:  Should we pick up FC5T2 from now on?
SG:  Yes, for test.
DW:  Will continue updating T2.

LK:  What is in FC5, RH, LSPP test kernel.
What do we need to build a working system?
Is Test 2+ what we want?
SG:  Need to pick up Dave Woodhouse's kernel.

JL:  T2 has ref policy, right?
DW:  Yes, targeted is now based on ref policy.
JL:  Do we need to change policy type to refpolicy, or targeted now?
DW:  Now install selinux-policy-mls RPM; edit with system-config-securitylevel.

IPSEC LABELS
------------

GW:  How's the secpeer work going?
CZ:  Sent new update of secpeer patch to lspp list to address Stephen's comments.
Waiting for folks to try it out.
Will then submit to netdev and Herbert Xu.

SS:  When do you anticipate sending it to netdev?
CZ:  Depending on comments, next week.
SS:  The sooner to netdev the better.

GW:  Are you using xinetd as a consumer?
CZ:  Haven't played w/xinetd yet; have own testcases.

VFS POLYINSTANTIATION
---------------------

GW:  How's unshare() and the polyinstantiation PAM module?
JD:  Just before break; send patches; updated patches; Andrew accepted for -mm.
Also needed more description for why unshare() is needed.
Andrew is also concerned that locking and concurrency issues are addressed.
Does not want a rarely-used syscall to introduce security issues.
Last week an oops was discovered in unshare() and it was pulled from -mm.
Will send updated patches in next couple of days.
Need to write up things Andrew asked.
Hopefully it will be considered in 16 version.

SS:  Chris W. out of picture?  Looks like he left OSDL.
GW:  Yes, he did.

SS:  How is userspace stuff?
JD:  Had PAM module I've had for a while; been using it w/every kernel version.
Haven't made changes recently.
Incorporated changes Steve Grubb suggested.
SS:  Have you thought about putting it in Fedora?
SG:  Don't know how that would work w/missing syscall.
SS:  Will have to dummy anyway--std headers won't include that for quite some time.
SG:  Also, PAM has moved to 2.0.
JD:  Yes, I have been monitoring PAM list.
SG:  Only problem is Fedora kernel; don't know if it can get in w/o upstream.
David Woodhouse may be carrying it in test kernel.

AUDITFS
-------

GW:  How is auditfs completion going?
AG:  Want to get i/f changes worked out before posting guts of code?
SG:  Will we get to see guts this week?
AG:  Next week.

AUDIT ENHANCEMENTS
------------------

DK:  How much work to get strings in/out of kernel?
SG:  Not at top of list; want to modify newrole this week.
DK:  how many changes have you made?
AG:  Not that many; can discuss on IRC.
DK:  Ready to make use of transport.
Would be helpful to both Dustin and Amy.

DK:  Curious about Dave Jones blog entry on kmallocs in audit?
SG:  Have to look to see what he is talking about; many log_format() calls.

DK:  Now that we have an audit rules structure, can filter on context
components.
Will look at perf hits on context matching.
Don't think we came to a clear agreement on methodology.
Pass context and string to matching API w/in SELinux?
Advice from SS on filtering audit message context components?
SS:  Depends on type of context.
If talking about path, can optimize by pulling out values and doing comparisons.
In the case of obj contexts, we already have all the strings at the end.  just
mapping at that point.  So if you could alter code to collect SIDs rather than
strings, wouldn't have to map later.
DK:  Does it make sense to generalize filter for any of context components?
SG:  I thought that is what we were going to do all along.
SS:  Only caution is role only deals w/task label; audit system doesn't generate
full context unless it really needs to generate an audit record.
If only need task to filter on task SID, amount of work may be smaller.
SG:  But one can't say, "I want to see everything that is top secret."
LK:  Could get opinions from list.
SS:  Another approach for level-based auditing would be to create an auditallow
variant.  That falls back under policy vs. auditctl rule manipulation.
DK:  So, in the end, maybe just meet LSPP/RBACPP letter of law with
an eye towards flexibility.  Need to evaluate how far we can get given
time constraints.

AUDIT RECORDS DURING BOOT
-------------------------

GW:  Steve, did you want to say something about boot messages?
SG:  Many messages, including AVC messages, are generated during bootup.
Do we need to generate audit records for these?
KW:  From startup until login:  message--not under control of policy.
SG:  Relabeling can occur on the way up for a variety of reasons.
Do we need to collect messages on the way up?
KW:  From eval POV, need audit records for relabeling printer, for example.
SG:  What I'm worried about is, there is a policy change and reboot requires
relabel.
KW:  2 issues:  (1) Admin needs to change mode to fix problems, discontinuity of
operation as far as audit goes.  (2) Other thing is admin action.  Admin action
should have audit records; but maintenance does not have expectation of audit
records.
Relabeling happens early on.  Could argue for a single audit message that an
autorelabel occurred; can "fake" this.

SG:  But do we need to spool audit messages to syslog because syslog is not
there?  Nice to have but not a requirement.  Want to keep automatic relabels to a
minimum for evaluated config anyway.
KW:  Changing enforcing mode is not part of normal operations anyway.  Need an
obvious audit message that system is being taken out of security enforcing mode.
SG:  Patch in Dec. should have covered that.
KW:  There is no expectation the audit system will work during maintenance mode.
Only thing that shouldn't happen is things shouldn't change silently without
notifying the admin.

BINARY AUDIT RECORD FORMAT
--------------------------

GW:  What about the binary record format, Tim?
TC:  Need more planning before seriously discussing implementation.
SG interested in normalizing records.
Plan to document record formats as design basis.
Maybe some traction with XDR.

SELINUX BASE
------------

GW:  Dan, would you like to give a base SELinux update?
DW:  Many MLS policy patches accepted upstream today.
Have MLS working; admin no longer has to change role.
Most of semanage tool has been implemented.
It's ready for folks to play around and submit patches.
Can actually install policy and do work.
Based on tonight's rawhide--same as today's.

KW:  I still can't ssh in using current rawhide.
DW:  Just use local logins for the time being.

LABELED PRINT
-------------

GW:  What about the print patch?
MA:  Been looking at how to rework patch.
Been talking with Linda.
2 CUPS servers:  1 untrusted; final filter generates bitmap images and exec's
trusted CUPS server.  No labels or papersize issues!  Final step of generating
labels done by untrusted server.  Trusted server will add banners to scanned
image from untrusted server.
KW:  Would untrusted server have privileges of user?
MA:  May have some additional privileges to bind ports.  But won't be able to
override labels.
MA:  Other thing is to get CUPS auditing patch upstream.
These 2 patches weren't all that interesting to CUPS.

CRON
----

GW:  I saw the cron -m option.
DK:  Somebody needs to try this.
JD:  Cron patch should be ready.
JD:  Got good feedback from Stephen.  Should send to cron maintainers.
Most feedback from earlier cron patch.

RBACPP SELF TESTS
-----------------

GW:  We never came to consensus on self-tests.  Do we need Tripwire?
SG:  Tripwire is the obvious choice because it was shipped in the past.
Would need to teach about xattrs and prelink.
KW:  Can we simply disable prelink?
SG:  Can't make a decision off the cuff.
Would just be for evaluated config.
Prelink is pervasive.  May be ramifications--like ld.
LK:  What do other evaluated systems do?
GW:  I'll look at the Trusted Solaris ST self test words and post.
LK:  Not advocating not doing anything; but maybe just meet requirements.
DW:  sestatus--can check selinux security contexts.
KW:  I just rebooted w/o prelink and it seems OK.
SG:  Have seen some folks unable to login w/o prelink.
Need more analysis:  cron jobs, ldconfig, rpm --verify, rpm -i, etc.

-- 
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center