[redhat-lspp] LSPP Development Telecon 04/17/2006 Minutes
Debora Velarde
dvelarde at us.ibm.com
Fri Apr 21 16:30:19 UTC 2006
-----------------------
LSPP Meeting 04/17/2006
-----------------------
Known Attendees:
Matt Anderson (HP) - ma
Irina Boverman (RH)
Russell Coker (Red Hat)
Janak Desai (IBM) - jd
Steve Grubb (Red Hat) - sg
Chad Hanson (TCS)
Linda Knippers (HP) - lk
Joy Latten (IBM) - jl
Paul Moore (HP)
Bill O'Donnell (SGI)
James Morris (Red Hat)
Loulwa Salem (IBM) - ls
Lisa Smith
Debora Velarde (IBM)
Al Viro (Red Hat) - av
Klaus Weidner (atsec)
George Wilson (IBM) - gw
Tentative Agenda:
SELinux base update
Kernel update
Installation, MLS policy, LSPP kernel issues
Audit regression tests, enhancements, performance issues
AuditFS/inotify completion
Audit of POSIX message queues
Audit API
Audit failure action inquiry function
Audit of service discontinuity
Fail to secure state
Print
IPsec labeling, xinetd, secpeer
ipsec-tools patches: Base, SPD dump, and racoon MLS
Device allocation, udev, DBUS, hald, hotplug
Label translation daemon
Self tests
VFS polyinstantiation
Cron, tmpwatch, mail, etc.
Remaining tasks
Target date has come and gone
Tests and documentation
------------------------------------------------------------
SELinux base update
------------------------------------------------------------
Dan not on call
------------------------------------------------------------
Kernel Update
------------------------------------------------------------
Update from Al:
in mm going towards Linus today
don't know how well it will get there,
execve argument, apparently works
execve login patch
So far still not complete
Al would really like to hear from Amy, but she is on vacation
- lack of hooks shouldn't be in single critical area
- Al found problems over the weekend
hopes he'll have fix for that, getting done, not done yet
------------------------------------------------------------
Audit regression tests, enhancements, performance issues
------------------------------------------------------------
Steve and Al talked about perf and the watches
- Al had idea of something we could try
- He was taking care of these locking issues
to take a stab at these performance issues
- getting it to where we want it to be in terms of perf
George got perf team engaged
- Jose Sanchez will be looking into this stuff
- hypervisor is causing a fair amount of noise in perf measurements
- going to find another box for him w/o hypervisor setup
- George forwarded him this meeting notice
- hopefully can get Jose setup
so he can start getting data and profiling
George ran into problem that caused him to reboot
- after inserting 100 watches, deleted, and then repeated them
- hung, couldn't do anything
- had to reboot
- Loulwa had similar problem by running test
general_kernel_default message
- Getting a backtrace
lk: had a hard time getting it to work even back then
sg: feeling going to have similar issues
lk: will go dig into notes
sg: think sysctl.conf - enable
gw: enabled first thing I do in kickstart script
can do a control 0
but couldn't do anything with it when it was in this state
- Architectures?
gw: ppc64
ls: x86_64
lk: Couldn't lift watches any more
might be easier to troubleshoot that problem first
sg: seems like a netlink problem
that bug not related to Amy's code
sg: repeat the test but use only syscall audit command
if only during watches would be sufficient to point to the patch
gw: Can try that
sg: that would help cut the problem in half
audit userspace
gw: can't get the python wrapper to build
will investigate that some more
can't get it built on pseries cleanly
will take that off-line
sg: New package into rawhide last night
forgot to post announce to audit mailing list
1.2.1 userspace
Al has a plan how to speed this up
- it involves splitting the list
- syscall entry and exit into 2 groups
so when we do attempt to go through rules
only have to go through the fork
- nothing else has any change
- that would reduce the # of rules we're looking at considerably
- if comparison of rule, involves change inode #
- remove most of the consideration,
good inode numbers are the context
reduce the number of controls we have to look at
gw: makes sense
lk: will you post a write up of that?
av: It's simple
When we change inode # in the watch
(happens when go from no such inode to inode created)
Need to be careful of order of operations
Insert update rule into right list
Be careful of other users of those lists
gw: should the perf person stop or wait?
av: depends what he's doing
worth doing, need to test any fixes
av: deadlock, may still need
gw: OK, will help him get machine setup
kw: good baseline
??: .16 kernel, .17 has cache poisoning
gw: OK Jose said there's a lot of debugging stuff turned on
so need to go to .16
gw: anything interesting in .17 that we wanted to profile against?
av: one thing would like
take current mm kernel and see rule problem is there
about to start fitting this stuff into mainline
if it is problem with too much in rule lists
definitely want to hold off
would be good if that could be done reasonably fast
gw: will give that a try
------------------------------------------------------------
Audit of POSIX message queues
------------------------------------------------------------
George played with POSIX message queues
------------------------------------------------------------
Audit API
------------------------------------------------------------
Update from Steve:
- no progress
- hope to get to this week
- in holding pattern with kernel issues
Put out a new release
- a lot of bug fixing
- 15-20 syscalls that got added in last 2 kernels
updated syscall tables
------------------------------------------------------------
Audit failure action inquiry function
------------------------------------------------------------
Lisa has taken this one.
Lisa has been talking to Matt,
Once has idea of how to proceed will post to the list
------------------------------------------------------------
Audit of service discontinuity
------------------------------------------------------------
open
------------------------------------------------------------
Fail to secure state
------------------------------------------------------------
open
------------------------------------------------------------
Print
------------------------------------------------------------
Update from Matt:
- has a sample one
- ttex maintainer might make his own
- fixed ghostscript incompatibility
- posted to the list
- asked about additional formats that we need to support
- No more formats needed
- hope to post something middle to end of week
after get more internal testing
------------------------------------------------------------
IPsec labeling, xinetd, secpeer
------------------------------------------------------------
Update from Joy:
- completed all stress tests
- will post summary, hopefully by end of day
- but no problems
------------------------------------------------------------
ipsec-tools patches: Base, SPD dump, and racoon MLS
------------------------------------------------------------
Update from Joy:
- Plan to resend the first patch
and ask if we can at least get that much in
- small patch, and then we can build on that
Joy heard back from Venkat on the MLS patch
- he's working on the MLS constraints for the association class
- as soon as he has the MLS policy for that
he's going to post it to the list and Joy can try it
- Chad from TCS on the call
- general MLS rules, related to that?
- making sure you have the right labels,
- when Venkat posts to the list Joy will take a look
SPD issue
Chad: should be getting freed up soon
Paul from HP - networking issues
- the CIPSO stuff
- posted patch a week ago now, no feedback since
- still working on it
- before release another draft would like to know
if still heading in the right direction
- Has anyone had a chance to look at the patch yet?
sg: talked to Herbert Xu (IPsec maintainer)
mentioned that we are looking at CIPSO
and he seemed like he was interested
lk: Do you know if James Morris is monitoring the list?
James Morris had feedback when Paul first posted it
sg: James is more in the selinux mind set
Herbert is on the networking side of it
so best to CC both James and Herbert
sg: Herbert not on LSPP list
he's warmed up to know that this is out there
gw: testing?
- HP has a trusted Solaris box
- Joe and Lenny not on call
- They offered to do some interoperability testing as well
- Chad will try to also
- number of interesting issues
don't know if IPsec transitions will handle
Is the age transform code smart enough to know if it's immutable?
Chad and Joy not sure
------------------------------------------------------------
Device allocation, udev, DBUS, hald, hotplug
------------------------------------------------------------
Update from Debora
- haven't gone through to make sure getting all of the audit messages we
need for device allocation
Chad:
- there is a patch
- I'll check the status on that and copy
- did have somebody working on that last week,
hopefully should come out this week
------------------------------------------------------------
Self tests
------------------------------------------------------------
Update from George:
- wrote a man page
- need to make that available
- need to address comments Serge and Matt sent
- will get to that after the POSIX message queue
and perf assistance
------------------------------------------------------------
Cron, tmpwatch, mail, etc.
------------------------------------------------------------
Janak's Update
cron:
jd: haven't heard anything except what got from Russell
Is there anybody from fedora core to review it?
Jason Dias
sg: there is an upstream maintainer
Paul Vixie can take a while to get back to
jd: Can you send me his email address,
I can send him the patch to see if he'll review it
pam namespace
- updated the manpages for pam_namespace and namespace.conf
as requested by Tomas Mraz (upstream PAM maintainer)
- wanted to refer to the shared tree stuff
so admins know you want to use the share tree
- but the userlevel of shared tree isn't upstream yet
- Ram Pai worked on share tree patch
sent it to Adrian Bunk
trying to get user space support (mount command) upstream
but hasn't heard anything back yet
- suggested we just apply the patch in rawhide
tmpwatch
- Janak posted something for tmpwatch
- posted it a couple hours ago,
- request for folks to look at it and provide feedback
- prefer the man page change approach, but provided 2nd option
------------------------------------------------------------
Remaining tasks
------------------------------------------------------------
same list as last week
discussion on LSPP list
- main question if you have different admin
secadmin, sysadm, auditadm
- How to separate and change between roles?
- How is the authentication supposed to work?
- secadmin password or something?
- In the file management tools,
see if you're allowed to use the role or not
Are we in agreement that we don't need a separate DB for passwords for roles?
Chad, Linda, George: Yes
kw: OK
rc: su -; before you can do anything
password twice,
role change a uid change
modified version of su
kw: Could also make it a switch, change label or not
ch: don't have a problem
Want to be able to set the behavior when you want
and not when you don't want
kw: Right now staff_u
ch: If in audit role, have 2 different namespaces anyway
rc: newrole -u, change the role?
make it an addition to newrole rather than su
Have to make newrole when it's appropriate
pam, newrole, combine it with su
ch: newrole is overloaded so adding another piece of
functionality probably more palatable than modifying su
------------------------------------------------------------
New wiki location: http://fedoraproject.org/wiki/SELinux/MLS