[redhat-lspp] LSPP Development Telecon 11/09/2005 Minutes

Debora Velarde dvelarde at us.ibm.com
Thu Nov 10 17:24:40 UTC 2005


-----------------------
LSPP Meeting 11/09/2005
-----------------------
Known Attendees:
        Matt Anderson (HP)
        Andrius Benokraitis (Red Hat)
        Tim Chavez (IBM)
        Janak Desai (IBM)
        Amy Griffins (HP)
        Steve Grubb (Red Hat)
        Ken Hake (IBM)
        Dustin Kirkland (IBM)
        Linda Knippers (HP)
        Joy Latten (IBM)
        Paul Moore (HP)
        Stephen Smalley (NSA)
        Debora Velarde (IBM)
        Dan Walsh (Red Hat)
        Klaus Weidner (atsec)
        George Wilson (Red Hat)
        David Woodhouse (Red Hat)
        Catherine Zhang (IBM)

Tentative Agenda:
        IPsec labels
        VFS polyinstantiation
        AuditFS Completion
        Audit Enhancements
        Print
        Device allocation
        File archivers
        Unowned items
        SELinux base update
        DBUS
        Package list
        Tasks and assignments
        Test and Documentation
        New Addition: Identifying what pieces of code need to get upstream
                      FC5, RHEL deadline

------------
IPsec labels
------------
Trent not on call.
Catherine:
- Trent recently sent out a new patch that addresses flow cache problem
- Catherine has been testing that
- she got fedora core with network hooks and newest policy installed
- When pings from one machine to another
  receiver deterministically hung

Joy also setting up 2 machines
- will put latest policy
- will try to duplicate what Catherine is seeing
- will touch base with Catherine later today

UDP
- Catherine sent out preliminary design doc for UDP implementation
- got some comments back from serge and Dan


---------------------
VFS polyinstantiation
---------------------
Janak:
unshare 
- no update (would like included in upstream list)
- waiting for Chris Wright, 
  he had lots of interest in it a couple of weeks ago
  but wanted to explore some more to see if it was needed
- Janak does think it is needed
- Janak: When does it need to go upstream by in order to be included in FC5?
- FC5 cutoff is end of the year, but RHEL5 will probably be after that
- Chris Wright not on the call
  he has been posting on LKML but at a reduced rate
  Janak has sent a couple of emails
  has been logged on but responding on irc

------------------
AuditFS Completion
------------------
Amy
- not ready to post the patch to the list yet
- the first piece of this work, got pulled into -mm 
  not sure if that's good or bad, but it is getting tested
  Dustin's patches that David had integrated into his tree made it into -mm also
  David not on the call yet
- shooting for FC5 is realistic, but going to depend on the feedback

----------------------
Patches going upstream
----------------------
<David now on call>

Amy's code and Dustin's patches made it into -mm
- good as far as getting it upstream but hadn't put it to testing
- plan was that we would roll kernels, after checked for a week or so 
  then they would go up to -mm
- David doesn't want to see any patches that aren't ready for -mm

David: minimum criteria for making it to -mm is that it not break anything else
- -mm is for testing stuff that someday we might want upstream
- OK if new features don't completely work, as long as it doesn't break

Dustin has a patch for Tim's problem
- assuming it will fix Tim's problem and haven't heard back from Chris, 
  then ready to be included 

Janak's unshare
- same true for unshare, tested and waiting to hear from Chris also
- David: already in 2.6.14 -mm1
- Janak will double check to see if it is in there
- David: maybe Andrew meant he was going to drop git tree before mm1
  when Andrew starts using git tree again, he'll pick it up

What are the guidelines for testing, so we know we did an acceptable amount?
- Don't break anything
- majority have been compile problems with audit disabled
- Build w/o audit enabled and w/o selinux enabled
- test various combinations: 
  audit enabled, selinux disabled
  audit disabled, selinux enabled

------------------
Audit Enhancements
------------------
Steve's and Stephen's audit enhancements
- put together a patch against the kernel and seeing what that looks like
- Steve Grubb going to sign up to do that, simple task
- Steve Grubb talked with Dan Walsh, he pointed out a couple of items

filters in auditsc.c
- request for David's opinion
- filters that maybe don't belong there, 
- rip them out and put them somewhere else or leave them there?
- should be moved to audit.c
- David going to move them to audit.c and externalize them

Steve: audit userspace
- over last week finished up audit work, into U3
- going to push new release to fedora 
- departure for new features
- Junji has time to work on audit dispatcher
  right now Junji between contracts
  going to hit that while he's available
  will be all the work for at least a week
- want to get that in fedora core 5 test 1 release

unshared syscalls 
- if acceptable for upstream, have pam modules we need to start testing with

rawhide userspace FC5 
- freezes this weekend for test 1, but only for a week or so, 

David will build kernel rpms with the latest changes later this evening and post to the lists

Steve had requested lspp version of audit.rules
- Debora posted to list
- Steve copied it to latest audit tar file to try it out
- need to comment out the watch rules

-----
Print
-----
- printing patches coming along well
- flushed out some regressions
- planning on this being a new patch that doesn't require all the old ones
- hoping to post a link to the source rpm to get more people to test this
- fedora core test deadline - this weekend
- need it in by the 14th, we need to see it by Friday
- if not it will need to wait (a week or 2), will fall into work for test 2
- changed all the old audit log type messages to the new ones

----
Cron
---- 
Dustin asks Steve Grubb to ping Jason about cron patch he offered to help with

-----------------
device allocation
-----------------
chad not on the call, don't hear any TCS folks
no status today

--------------
File archivers
--------------
- Debora posted zip/unzip patches on infozip sourceforge page
- Dan did pass patches to zip maintainer
- Debora hasn't heard from anyone yet
- Dan going to ping the maintainer

-------------------
SELinux base update
-------------------
Update from Dan
- reference policy is available on people page
- doing cleanup
- trying to get targeted policy out
- then will work on MLS policy
- should be running with MLS policy that is in rawhide
- there isn't a reference policy yet,

Request for documentation from Klaus
- seusers, user.local
- how you add the users? seems to be multiple ways of doing things
- seusers - table that links linux users to selinux
- users.local - shouldn't be using at all
- should be using seusers
- There will be utilities, lib interface, in the future
- a short readme would be nice if we're supposed to help with testing
- Klaus volunteers to help write up stuff, if someone can work with him
- Dan to help klaus
- wiki would be good for hosting this kind of documentation

New Time for meeting so Russell can join?
- Andrius can work on getting a new time 
- 5 hours from now would be OK for David Woodhouse just not on Wed
  any other day OK

AVC denials where syscall actually succeeds
- problem seen on x86_64
- not sure if it's the audit code grabbing the wrong thing for success
- definitely seeing syscalls returning success with an AVC denial on them
- Steve Grubb put a search string on the mailing list yesterday
- interesting if people ran that on their machine and see what they're seeing
- Steve Grubb is seeing it on 2 machines
- he's running on targeted, doesn't normally change modes
- stat is the main syscall, also stat64
- Klaus: there had been one arch where the success return was in a diff register
- Steve sees it when just accessing a man page
- Steve -> David: is stat an architecture specific syscall for x86_64?
- David: stat reads info from the inode cache to the user
- x86_64 kernel - userspace compatibility syscall issue?
- Two issues:
  1. Allowing access to happen when it shouldn't
     If selinux is failing then we have a problem
  2. Just an auditing problem

RBAC: corruption and preservation of a secure state
- result in a failure or just a warning?
- people wanted graceful recovery
- lspp environment wants a more strict environment than default
- Could have it configurable in /etc/selinux.conf or something?
- Stephen Smalley: could introduce callbacks, in terms of the error handling path
- not entirely clear about what is required for the file context
  if there's a problem in the kernel policy mode
  how files should be labelled, initial labelling at install time
- Had disabled checking, because was running into a conflict 
  but that is fixed now 
- What conditions do we want to halt in?
  whether we're lspp or default fedora or RHEL system
- Would be good to have it configurable
- Needs to be capable of switching to failed mode
- Not required that it always needs to be running in that mode
- Steve Grubb would like to test that mode, to be in that mode
- Stephen: if you abort the restorecon command, 
           doesn't bring you into a secured state
- Will follow-up on list w/ more specifics about what makes sense for error handling
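
The check discussed under "AVC denials where syscall actually succeeds", as an added example that is not part of the original minutes and is not the search string Steve Grubb posted: it pairs AVC denial records with the SYSCALL record of the same audit event and reports events where the syscall is logged as success=yes. The log lines, the example_t domain and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not taken from the minutes).
SAMPLE_LOG = """\
type=AVC msg=audit(1131556000.101:812): avc:  denied  { getattr } for  pid=2101 comm="man" name="ls.1.gz" dev=dm-0 ino=4411 scontext=user_u:system_r:example_t tcontext=system_u:object_r:man_t tclass=file
type=SYSCALL msg=audit(1131556000.101:812): arch=c000003e syscall=4 success=yes exit=0 a0=7fff1 a1=7fff2 items=1 pid=2101 comm="man" exe="/usr/bin/man"
type=AVC msg=audit(1131556003.440:815): avc:  denied  { read } for  pid=2150 comm="cat" name="shadow" dev=dm-0 ino=9120 scontext=user_u:system_r:example_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1131556003.440:815): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3 a1=0 items=1 pid=2150 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1131556004.000:816): arch=c000003e syscall=4 success=yes exit=0 a0=7fff4 a1=7fff5 items=1 pid=2160 comm="ls" exe="/bin/ls"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def find_denied_but_successful(log_text):
    """Return events where an AVC denial shares its event ID with a
    SYSCALL record that reports success=yes."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, stamp, serial, body = m.groups()
        key = (stamp, serial)  # records of one event share timestamp:serial
        if rtype == "AVC" and "denied" in body:
            perms = PERMS.search(body)
            events[key]["avc"].append(perms.group(1).split() if perms else [])
        elif rtype == "SYSCALL":
            events[key]["syscall"] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    hits = []
    for (stamp, serial), ev in sorted(events.items()):
        sc = ev["syscall"]
        if ev["avc"] and sc and sc.get("success") == "yes":
            hits.append({"event": f"{stamp}:{serial}", "arch": sc.get("arch"),
                         "syscall": sc.get("syscall"), "comm": sc.get("comm"),
                         "perms": sorted({p for ps in ev["avc"] for p in ps})})
    return hits

if __name__ == "__main__":
    for hit in find_denied_but_successful(SAMPLE_LOG):
        print(hit)
```

A hit on a host running in permissive mode is expected behaviour, so the result is only meaningful on an enforcing system; the arch field in each hit shows whether the native or compatibility syscall table was in use.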



