[redhat-lspp] LSPP Development Telecon 11/21/2005 Minutes

Debora Velarde dvelarde at us.ibm.com
Mon Nov 28 17:37:27 UTC 2005


Apologies for getting these out so late. 
I will not be on the call today so I won't be able to take the minutes 
this week.

-----------------------
LSPP Meeting 11/21/2005
-----------------------
Known Attendees:
        Matt Anderson (HP)
        Andrius Benokraitis (Red Hat)
        Mounir Bsabies (IBM)
        Amy Griffis (HP)
        Serge Hallyn (IBM)
        Chad Hanson (TCS)
        Dustin Kirkland (IBM)
        Linda Knippers (HP)
        Paul Moore (HP)
        Debora Velarde (IBM)
        Klaus Weidner (atsec)
        David Woodhouse (Red Hat)

Tentative Agenda:
        Holiday schedule
        2.6.15 cutoff
        IPsec labels
        VFS polyinstantiation
        AuditFS completion
        Audit by role
        Audit enhancements
        Self tests
        Roles
        SELinux base update
        User management utilities
        Print
        Device allocation and udev
        Cron and friends
        Mail
        Xinetd
        DBUS
        Test and documentation
        Final package list
        Tasks and assignments

----------------
Holiday schedule
----------------
- Will meet first 2 weeks of December and skip the last 2
- If there is a significant amount of work or people need this time, then we can revisit.

-------------
2.6.15 cutoff
-------------
- cutoff for getting new development code was a few weeks ago
- bug fixes until 2.6.16 release
- bulk of work in David's tree won't see light of day until 2.6.16 
- 1 or 2 patches that should be pushed forward before then
- David needs to make a new kernel
- any more updates pulled into -mm tree?
- those were dropped from the -mm tree
  if we want them pulled in again, can ask Andrew to pull it up
- David will get rpms and src rpms out again
  then ask Andrew to pick up
- David to send note to both lists where the kernel can be found

------------
IPsec labels
------------
- Trent, Catherine, Joy not on call
- David doesn't think he's seen that patch
  not in his email or the list
- It's been on netdev

---------------------
VFS polyinstantiation
---------------------
- Janak out

------------------
AuditFS completion
------------------
Amy status 
- same as last week
- swamped with other responsibilities and holiday
- first crack of patch for review probably a couple of weeks

-------------
Audit by role
-------------
SUMMARY: TBD by Dustin in kernel rather than userspace, OK from David
- Steve not on call
- Dustin going to start working on this
- should be done in userspace or kernel?
- initially thought it should be done in userspace
- a little bit of traffic on mailing list about this
- Klaus: need to be able to filter before it ends up in the audit log
  in the daemon not by the search tools
- the last filter we put in, filter by msg type, 
  was to be the last of the filtering in the kernel
- David carefully accepted, but didn't want to see any more filtering in the kernel
- David: we want to put this in userspace if it can be done in userspace at all
- Klaus made a good argument for having it in the kernel:
  may want to keep from auditing for performance reasons
- David: that's why we do filtering for syscalls in the kernel space
- David: if it has that kind of performance implication, then we can put it in the kernel
         but if it doesn't, then we should put it in userspace
- Dustin offers to write patch against the audit daemon
  could be changed later if there is a big performance problem
- Klaus: for LSPP, could be required to audit all file access for one specific role
         difficult against userspace
- use case where we want to filter access to a given file from one role
  and there are many other accesses?
- to keep track if main admin is reading other people's email or something like that
- David: OK go ahead and put it in the kernel

----------
Self tests
----------
RBAC requirement
beyond CAPP certification

-----
Roles
-----
- Klaus has been going through RBAC, doing gap coverage
- RBAC defines roles in terms of other roles
- mismatch of SELinux roles
- is plan to be moving to reference policy or is that too far in the future?
- according to last week, reference policy pulled out of Fedora should be in test 2 release

-------------------
SELinux base update
-------------------
- SELinux people not on call

-------------------------
User management utilities
-------------------------
- seuser add 
- key SELinux folks not on call
 
-----
Print
-----
pointed CUPS lead developer to site where the patches are
he hasn't pulled them down yet
engaged in other responsibilities

--------------------------
Device allocation and udev
--------------------------
- busy as well and holiday
- still only have initial patches, don't have updated ones up yet
- to do beginning of December

----------------
Cron and friends
----------------
- cron had commented out code for sendmail
- Dustin offered to make that readable from a command line option
- Jason V. said he'd do it himself and put it in test 1 fedora

----
Mail
----
- if the cron change is made then maybe don't need
- Only need cron to be able to send mail for certification



