[redhat-lspp] LSPP Development Telecon 11/16/2005 Minutes

Debora Velarde dvelarde at us.ibm.com
Fri Nov 18 06:34:15 UTC 2005


-----------------------
LSPP Meeting 11/16/2005
-----------------------
Known Attendees:
        Matt Anderson (HP)
        John Boone (TCS)
        Russell Coker (Red Hat)
        Darrel Goeddel (TCS)
        Amy Griffins (HP)
        Steve Grubb (Red Hat)
        Chad Hanson (TCS)
        Ken Hake (IBM)
        Linda Knippers (HP)
        Joy Latten (IBM)
        Paul Moore (HP)
        Emily Ratliff (IBM)
        Debora Velarde (IBM)
        Dan Walsh (Red Hat)
        Klaus Weidner (atsec)
        George Wilson (IBM)
        David Woodhouse (Red Hat)
        Venkat Yekkirala (TCS)
        Catherine Zhang (IBM)

Tentative Agenda:
        Changing the meeting day and time
        Holiday schedules
        2.6.15 cutoff
        IPsec labels
        VFS polyinstantiation
        AuditFS completion
        Audit enhancements
        SELinux base update
        Print
        Device allocation
        Cron and friends
        DBUS
        LSPP wiki
        Test kernel and RPMs
        Test and documentation
        Package list
        Tasks and assignments
        Unowned items


---------------------------------
Changing the meeting day and time
---------------------------------
Tuesdays 2PM CST?
- 8PM David, 8AM Russell
- Next week 2PM Tuesday starting next week
- We will have a meeting next week
- George will make announcement on lspp list

NOTE: THE DAY HAS BEEN CHANGED TO MONDAY
Now every Monday 20:00 UTC/14:00 CST/15:00 EST

-----------------
holiday schedules
-----------------
particularly last week of December might not want to have meetings

-------------
2.6.15 cutoff
-------------
don't know what the date is but is coming soon
have important kernel pieces that have not gone upstream yet

------------
IPsec labels
------------
Trent is going to sign off the IPsec patch

Catherine posted 2nd proposal
- UDP sock peer design
- suggestion from James Morris based on input from others
- there exists a similar API for getting user credentials for datagram
- idea is to extend that to UDP
- there exists auxiliary msg control msgs that are appended to a normal packet
- could put user credentials, use that for labels
upside:
- get label with the data at the same time
- don't have to get the labels and then the data later
down-side:
- doesn't seem like every OS supports this
- if we're not concerned with that, then not a problem
- Catherine thinks this is a cleaner design and is going to go ahead with it
- Catherine just got started on a patch

---------------------
VFS polyinstantiation
---------------------
- Janak out
- Probably means it's not going to go upstream in the next couple of weeks
- Will be on hold

------------------
AuditFS Completion
------------------
Amy's Status
- same progress as last week
- probably going to be the same for a short period of time (a week or two)
- then things should pick up at a faster pace
- current state of patch not ready for line by line detailed review

Any testing of the first patch?
- Steve is running it every day
- David sent msg to the lspp list with availability to the kernel
- badly need new kernel
- are we shooting for the 2.6.15 deadline for the first patch 
  that is already included in the lspp kernel?
- if there's a question about how tested it is it might not make it
- it is in Andy Morgan's tree
- 2 week opening when 2.6.14 goes out

------------------
Audit Enhancements
------------------
David not on call yet
Dustin not on call

-------------------
SELinux base update
-------------------
Dan:
- reference policy put out on Monday
- pulled yesterday due to breakages
- froze out of test 1 release
- will be in test 2 release
- a lot of work going into it now
- hopefully by end of the week will be back to the reference policy

George did run Coverity with reference policy
- has some patches to fix vulnerabilities
- some libs getting a big workout and finding problems
  adding python wrappings to all the libraries 
- libselinux fairly static

-----
Print
-----
Matt's status
- also being dragged to other responsibilities
- same status as last week, hopefully back to it in a couple weeks

Cups status itself
- they had been getting ready for a release
- Have they done that yet?
- Based on the amount of bugzilla traffic dropping off
  looks like they're getting close to posting the new version

-----------------
device allocation
-----------------
- Now has a home
- Thanks TCS for the patch and the project
- only have the initial release in there
- also having some deadlines
- might be end of this week or week after Thanksgiving before patched one 
gets up there

----------------
Cron and friends
----------------
- Janak out
- Janak had produced a patch for cron

Other utilities that need enhancements?
- slocate out
- not convinced on tmp watch 
  but not definitive conclusion on that
  need to get ownership or eliminate from package list

----
DBUS
----
- plan B had been to keep it active at boot and then shut it down when 
users are active
- need some init script experiments
- still open item

--------------------
RBAC - audit by role
--------------------
- auditing by roles in order to meet RBAC
- pretty good size task, going to take some time to do
- filtering by strings vs bitmasks?
- controls inside selinux?
- so far no real solution
- task is open for someone to start looking into
- whoever wants to jump into that however they want
- George thinks Stephen had objections to adding controls
- If you want to suppress records early on would need controls in there
- Two options:
  1. create a patch that does insert the roles into selinux 
     and see what happens if the patch is proven to be working, 
     and can't be used as a backdoor
  2. create a hodgepodge of userspace tools 

Understanding what RBAC means by a role and what we mean by a role
- selinux has roles
- are we meeting RBAC requirement to the right thing?
- selinux roles are a bit lower level

sys_admin restarting system service
- need to make sure not actually switching roles unless you do a new role
- audit continuity problem there?
- the roles can also change in the daemon
- restarting ssh daemon - needs to get audited as sys admin 
- what requirement was that? 
  auditing by role
- Klaus: admin actions which user under which role did that action?
- Steve: thought you meant that anytime an admin started a daemon, it 
should be audited
- Dan(?): shouldn't it?
- Steve: not necessarily
- Klaus: for compliance only need to be capable of doing that
  don't need to always be doing it

Mainly talking about manual actions, not automatic ones
- reboot example, the reboot would get audited
- audit changes to init scripts
- we also have audit rules that can do this
- with RBAC: can choose to not audit system_r but to audit admin_r
- with RBAC still have trustworthy admin
  don't need to protect against malicious admin
- can we put a role in the auditing system? 
  can we put rule like 'admin_r' role?

Big task partially because of politics
- How are you going to do that, by policy?
- could change to a hash for faster compare, already doing that for files
- Stephen Smalley doesn't want capability of inserting anything into 
selinux w/o going through policy
- other LSMs might want to use audit
- don't want to closely tangle audit with selinux
- RBAC is closely tied to selinux
- do we need an immutable role id, like login_uid
- we just need to know what role caused it, selinux role should be doable 
that way
- don't want a new set of hooks to do enforcement
- selinux role doesn't match what RBAC considers a role

How is filtering by label different from filter by role?
- can't we do a similar thing?
- Dustin's patch for us to be able to do that for syscalls
- filtering needed on the source or target? 
  could be either subject or object
- right now we're not filtering on it yet
  but that's what we're going to be able to do
- think requirement is to be able to audit selinux user roles, type or 
category
- Klaus: careful with role transitions, mostly daemons and want that role 
  don't want sshd tied to admin, but it will have loginuid
  other users don't get shown as admin
  right now goes to system_r

What is a "security action"?
- Is killing a process a security action?
- Needs to be defined in the security target
- RBAC doesn't go into much detail about what it expects
- security function defined in the common criteria
  not sure if that's exactly what they mean


Klaus having problems getting role transition working 
- Klaus is using the MLS HOWTO on the wiki
- Russell: MLS impossible to use right now
  sshd being able to use with different levels
- Klaus' problem could be in home directory
- Dan and Klaus to work together off-line and to fix it


---------
LSPP wiki
---------
- We have wiki now
- add any documentation or HOWTOs
- George going to try to put the tasks list on the wiki
- Request: if you make edits please create a user id

--------------------
Test kernel and RPMs
--------------------
need to all be testing these bits

David's status on the kernel:
- updated the git tree today
- having problems building the rpm
- the unshare code is in
- Dustin's patch to correct problems - that is in

audit bug - 4500 watches 
- reworked auditctl
- restructured the loop with problem
- Linda tested it
- need a new audit package pushed out for everyone to try