[redhat-lspp] LSPP Development Telecon 04/03/2006 Minutes

Debora Velarde dvelarde at us.ibm.com
Fri Apr 7 16:09:04 UTC 2006


-----------------------
LSPP Meeting 04/03/2006
-----------------------
Known Attendees:
   Matt Anderson (HP) - ma
   James Antill (Red Hat)
   Irina Boverman (Red Hat)
   Russell Coker (Red Hat)
   Janak Desai (IBM)
   Amy Griffis (HP) - ag
   Steve Grubb (Red Hat) - sg
   Linda Knippers (HP) - lk
   Joy Latten (IBM) - jl
   Paul Moore (HP)
   Bill O'Donnell (SGI)
   Chris PeBenito (Tresys)
   Loulwa Salem (IBM) - ls
   Michael Thompson (IBM) 
   Debora Velarde (IBM)
   Al Viro (Red Hat)
   Dan Walsh (Red Hat) - dw
   Klaus Weidner (atsec)
   George Wilson (IBM) - gw
   Kris Wilson (IBM) 


Tentative Agenda:
    Kernel update
    Installation, MLS policy, LSPP kernel issues
    Audit enhancements, performance issues
    AuditFS/inotify completion
    Audit of userspace messages
    Audit API
    Audit failure action inquiry function
    Audit of service discontinuity
    Fail to secure state
    Print
    SELinux base update
    IPsec labeling, xinetd, secpeer
    ipsec-tools patches:  Base, SPD dump, and racoon MLS
    Device allocation, udev, DBUS, hald, hotplug
    Label translation daemon
    Self tests
    VFS polyinstantiation
    Cron, tmpwatch, mail, etc.
    Remaining tasks
    Target date has come and gone
    Tests and documentation

------------------------------------------------------------
Moving time to 90 minutes later, to accommodate Russell Coker
- no objections
- effective next week

------------------------------------------------------------
    Kernel Update
------------------------------------------------------------
Update from Al:
- about to push new version, about 5 minutes
- what's been in lspp: lspp.17 is good

Steve pushed out every patch he has in the queue
- the resulting lspp.16 kernel needs testing
- changed userspace messages, a lot of things
- was wondering what Tim's patch was going to look like;
  can see what it looks like

Al pushing patches to Andrew Morton, 
- Will head to Linus pretty quick while the door is open
- Need to make sure not introducing problems
Except for watches, do the userspace tools work with all of kernel?
sg: userspace will get more of my attention now
    pretty close to the end of the kernel work
lk: going to push out w/o the userspace tools?
sg: filesystem auditing, not getting pushed
    - one other thing that needs an adjustment
    - otherwise userspace doesn't have anything to do with it,
    - patches can be exercised to see if it oopses
    - some of that stuff isn't going to be turned on yet
ag: audit by role, Darrel's piece, hasn't had much testing
gw: What changes to userspace do we need to change it?
sg: audit by role, or a piece of context, that's not there yet
    Darrel, did you make a patch to userspace to see if it was working?
Darrel not on call
sg: can't get at the userspace tools fast enough
    - see whoever wrote it, can see what they did to test with it
    - I can merge the whole thing together later
    - primary thing is that we don't oops the kernel
    - and memory leaks
gw: Regression effort like what we did for the partial syscall record?
sg: Yes
kl: Everything clear about ipc patches, quite a few versions?
    Do we agree what's intended to go upstream?
gw: Dustin's + Steve's modifications
sg: Dustin said everything looks OK
    Anyone who wants to eyeball it please do
gw: Need to run tests against it.
Loulwa to run regression tests.
 
------------------------------------------------------------
    AuditFS/inotify completion
------------------------------------------------------------
Update from Amy:
- hiccup last week, spent time working on a solution that was too much of an impact
  for inotify users, a little more impact than thought
- just finishing up that part
- this week, patch for linux kernel
- ended up making changes to the API from what we have in the lspp kernel
- make change to use the modified API
- need to make sure works for everything that we need for audit
- recent changes to inotify from other folks
  the end of delete events, wasn't being generated
  think over the weekend that fix went to Linus

- when I've been looking through comments in the code, 
  haven't been certain that the locking is being handled correctly
  need to look into and verify not a problem

Steve had mentioned getting some patches from Amy 
- post an updated inotify API patch? can cc list
ag: based on -mm tree, could be slightly diff from the lspp tree
- Will wait until closer to the end of the week, 
  give more time for things to go upstream and back downstream
- Also in case folks have a chance to find something
lk: Amy, once inotify API changes go in, 
    need to update audit code that uses that, 
    need to synchronize 2 patches


------------------------------------------------------------
     Audit of userspace messages
------------------------------------------------------------
Tim's patch went in, thanks to rework done by Steve
- all you need to do is upgrade the kernel
- change backlog limit, add/delete rules, should read labels
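One way to check the "should read labels" item above is to parse the resulting audit records and report which userspace-originated ones (CONFIG_CHANGE from auditctl, USER_* from daemons) lack a subj= label with an MLS range. The checker below is an added example, not code from the minutes or from the audit project; the sample records are constructed, and the field names other than type/msg/auid/subj/res are assumptions about what auditctl -b, -a and -d produce after the kernel upgrade.

```python
import re

# Constructed sample records (assumption: this is roughly what
# "auditctl -b", "auditctl -a", "auditctl -d" and a login produce after
# the kernel upgrade; record 14 and 15 deliberately lack subj=).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1144079347.381:12): audit_backlog_limit=320 old=256 by auid=500 subj=staff_u:sysadm_r:auditctl_t:s0-s15:c0.c255 res=1
type=CONFIG_CHANGE msg=audit(1144079352.002:13): auid=500 subj=staff_u:sysadm_r:auditctl_t:s0-s15:c0.c255 op=add rule key=(null) list=4 res=1
type=CONFIG_CHANGE msg=audit(1144079360.117:14): auid=500 op=remove rule key=(null) list=4 res=1
type=USER_LOGIN msg=audit(1144079370.000:15): user pid=2211 uid=0 auid=500 msg='acct=root: exe="/bin/login" res=success'
type=SYSCALL msg=audit(1144079361.500:16): arch=40000003 syscall=5 success=yes exit=3 auid=500 subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
"""

# type=TYPE msg=audit(timestamp:serial): key=value key=value ...
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; quoted values may contain spaces and nested key=value text
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Split one audit record into its type, serial number and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("body")))
    return {"type": m.group("type"), "serial": int(m.group("serial")), "fields": fields}


def is_userspace_originated(rec_type):
    """CONFIG_CHANGE is emitted for auditctl's netlink requests; USER_* records
    are messages sent by userspace programs (login, cron, ...)."""
    return rec_type == "CONFIG_CHANGE" or rec_type.startswith("USER_")


def has_mls_range(label):
    """True if a SELinux context has a fourth, MLS range, component (s0-s15:c0.c255)."""
    parts = label.split(":", 3)
    return len(parts) == 4 and parts[3].startswith("s")


def records_missing_subject(log_text):
    """Return serial numbers of userspace-originated records with no usable subj= label."""
    missing = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_userspace_originated(rec["type"]):
            continue
        subj = rec["fields"].get("subj")
        if subj is None or not has_mls_range(subj):
            missing.append(rec["serial"])
    return missing


if __name__ == "__main__":
    for serial in records_missing_subject(SAMPLE_LOG):
        print("record %d has no MLS subject label" % serial)
```

Run it against `/var/log/audit/audit.log` by reading the file into `records_missing_subject`; an empty result for the records generated by your backlog-limit and rule changes is the pass condition for this item.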

------------------------------------------------------------
     Audit API
------------------------------------------------------------
sg: can look at it later in the week

------------------------------------------------------------
     Audit failure action inquiry function
------------------------------------------------------------
What to do if audit not available?
Nobody taken ownership on that

------------------------------------------------------------
     Audit of service discontinuity
------------------------------------------------------------
Ivan has taken over these tasks.
gw: Does Ivan want to be on these calls or not?
sg: Think not, probably get them knocked out before next meeting.

------------------------------------------------------------
     Print
------------------------------------------------------------
Update from Matt:
- post updated patch next week
- only one thing: 
  auid printed to the cups error log as signed instead of unsigned int
- not the audit record, not security relevant
- now working on trusted cups server

------------------------------------------------------------
     SELinux base update
------------------------------------------------------------
- auditctl perf bug, should be fixed now
- going through testing, need to get latest audit
- Open bugzilla problems up as soon as possible

Matt?: Default Fedora Core 4 install, used LVM
    the policy couldn't get it to reboot
gw: permissive relabel, then reboot
ma?: Failing when it tries to run the initrd
gw: Are you running a 32bit kernel on a 64bit machine?
ma?: no

Any avc messages?
No, occurring right after grub.

Can you send us a visual photograph?
Will gather more info and make bugzilla entry when he verifies it

Neither Russell nor George has had problems with it.
Matt?: only having problems when running with LVM
kl: was having problems weeks ago, but not any more
m: might have been that policy that was having problems in rawhide
Chad?: instant reboot

Klaus:
    people generally like the idea of having a separate administrator
    unless someone volunteers to do that, not going to have that
Russell will look into it
Is sec_adm no longer able to look at audit log?
sec_adm / audit admin?
kl: intent had been 
    sec_adm - user management for the selinux
           relabel, overrides
           read only on audit logs
    audit admin - audit related, separation of duties
Russell volunteered, Dan will take the patch

------------------------------------------------------------
    IPsec labeling, xinetd, secpeer
------------------------------------------------------------
Joy hasn't spoken with Dan
assume Red Hat picked up patch sent to list

testing?
- going well 
- stress testing on ipv4 and ipv6
  everything going fine so far
- Serge asked her to test a couple things
- Also need to test racoon for 24 hour period

Serge, Trent, Joy have been collaborating about documentation
- don't really need anything to continue using
- since have unlabelled_t in policy
- but if you want to use hooks, to go to a higher level
  need documentation

xinetd
- Trent had a student do work similar to what we need
- He was going to review that work and then make it available 
  by posting it to the mailing list
- Then might be able to pick up that work
- Relieve TCS some of the burden of what they were going to do
- TCS had indicated that they didn't have much bandwidth 
- haven't seen patch yet

Dan -> Joy: 
- It is in-line, can you send it as an attachment?
- And compress so that mailer doesn't change it.
- did you hear from Harold? 
Joy: No
Dan: response from maintainers?
Joy: No, only that they're swamped
Dan: I'll get it in fedora this week
Joy: will copy Dan on all those emails
Dan: also copy Harold

------------------------------------------------------------
    ipsec-tools patches:  Base, SPD dump, and racoon MLS
------------------------------------------------------------

------------------------------------------------------------
    Device allocation, udev, DBUS, hald, hotplug
------------------------------------------------------------
TCS not on call
Debora posted updated write-up to the list.
Cory posted explanation of dev_allocator mount device issue. 


------------------------------------------------------------
    Label translation daemon
------------------------------------------------------------
Darrel going to do prep work and then send to Dan
not yet

------------------------------------------------------------
    Self tests
------------------------------------------------------------
Update from George:
- recreated function of the shell scripts
- one missing piece of function
- go ahead and post that and then complete that
- reasonable set of excludes 

------------------------------------------------------------
    VFS polyinstantiation
------------------------------------------------------------
Update from Janak: 
- sent the patch to the Red Hat pam maintainer, Thomas Barge
- only had minor comments
- will make changes
- He also asked Janak to make man pages 
- will make those also
- then he'll forward to the pam upstream 

------------------------------------------------------------
     Cron, tmpwatch, mail, etc.
------------------------------------------------------------
Update from Janak:

cron
- was hoping to finish it by today, will be tomorrow
- also copy the maintainer of cron to see what kind of feedback they give

tmpwatch
- just started looking at it
- shouldn't be too much of a problem

------------------------------------------------------------
    Remaining tasks
------------------------------------------------------------
Ivan picking up some of these issues
Remaining items:
- xinetd, 
- end to end ssh testing
- name translation daemon
- inotify integration 
- self test

Whatever you think you have skills to work on, please do
- documentation 
- helpful hints on the wiki

------------------------------------------------------------
New wiki location: http://fedoraproject.org/wiki/SELinux/MLS
