[redhat-lspp] LSPP Development Telecon 11/21/2005 Minutes
Debora Velarde
dvelarde at us.ibm.com
Mon Nov 28 17:37:27 UTC 2005
Apologies for getting these out so late.
I will not be on the call today so I won't be able to take the minutes
this week.
-----------------------
LSPP Meeting 11/21/2005
-----------------------
Known Attendees:
Matt Anderson (HP)
Andrius Benokraitis (Red Hat)
Mounir Bsabies (IBM)
Amy Griffins (HP)
Serge Hallyn (IBM)
Chad Hanson (TCS)
Dustin Kirkland (IBM)
Linda Knippers (HP)
Paul Moore (HP)
Debora Velarde (IBM)
Klaus Weidner (atsec)
David Woodhouse (Red Hat)
Tentative Agenda:
Holiday schedule
2.6.15 cutoff
IPsec labels
VFS polyinstantiation
AuditFS completion
Audit by role
Audit enhancements
Self tests
Roles
SELinux base update
User management utilities
Print
Device allocation and udev
Cron and friends
Mail
Xinetd
DBUS
Test and documentation
Final package list
Tasks and assignments
----------------
Holiday schedule
----------------
- Will meet first 2 weeks of December and skip the last 2
- If there is a significant amount of work or people need this time,
  then we can revisit.
-------------
2.6.15 cutoff
-------------
- cutoff for getting new development code was a few weeks ago
- bug fixes until 2.6.16 release
- bulk of work in David's tree won't see light of day until 2.6.16
- 1 or 2 patches that should be pushed forward before then
- David needs to make a new kernel
- any more updates pulled into -mm tree?
- those were dropped from the -mm tree
  if we want them pulled in again, can ask Andrew to pull it up
- David will get rpms and src rpms out again
  then ask Andrew to pick up
- David to send note to both lists where the kernel can be found
------------
IPsec labels
------------
- Trent, Catherine, Joy not on call
- David doesn't think he's seen that patch
  not in his email or the list
- It's been on netdev
---------------------
VFS polyinstantiation
---------------------
- Janak out
------------------
AuditFS completion
------------------
Amy status
- same as last week
- swamped with other responsibilities and holiday
- first crack of patch for review probably a couple of weeks
-------------
Audit by role
-------------
SUMMARY: TBD by Dustin in kernel rather than userspace, OK from David
- Steve not on call
- Dustin going to start working on this
- should be done in userspace or kernel?
- initially thought it should be done in userspace
- a little bit of traffic on mailing list about this
- Klaus: need to be able to filter before it ends up in the audit log
  in the daemon not by the search tools
- the last filter we put in, filter by msg type,
  was to be the last of the filtering in the kernel
- David carefully accepted, but didn't want to see any more filtering in
  the kernel
- David: we want to put this in userspace if it can be done in userspace
  at all
- Klaus made a good argument for having it in the kernel:
  may want to keep from auditing for performance reasons
- David: that's why we do filtering for syscalls in the kernel space
- David: if has that kind of performance implication, then we can put in
  the kernel
  but if it doesn't, then we should put it in userspace
- Dustin offers to write patch against the audit daemon
  could be changed later if there is a big performance problem
- Klaus: for LSPP, could be required to audit all file access for one
  specific role
  difficult against userspace
- use case where we want to filter access to a given file from one role
  and there are many other accesses?
- to keep track if main admin is reading other people's email or something
  like that
- David: OK go ahead and put it in the kernel
----------
Self tests
----------
RBAC requirement
beyond CAPP certification
-----
Roles
-----
- Klaus has been going through RBAC, doing gap coverage
- RBAC defines roles in terms of other roles
- mismatch of SELinux roles
- is plan to be moving to reference policy or is that too far in the
  future?
- according to last week, reference policy pulled out of Fedora should be
  in test 2 release
-------------------
SELinux base update
-------------------
- SELinux people not on call
-------------------------
User management utilities
-------------------------
- seuser add
- key SELinux folks not on call
-----
Print
-----
pointed CUPS lead developer to site where the patches are
he hasn't pulled them down yet
engaged in other responsibilities
--------------------------
Device allocation and udev
--------------------------
- busy as well and holiday
- still only have initial patches, don't have updated ones up yet
- to do beginning of December
----------------
Cron and friends
----------------
- cron had commented out code for sendmail
- Dustin offered to make that readable from a command line option
- Jason V. said he'd do it himself and put it in test 1 Fedora
----
Mail
----
- if the cron change is made then maybe don't need
- Only need cron to be able to send mail for certification