[redhat-lspp] LSPP Development Telecon 01/30/2006 Minutes
Debora Velarde
dvelarde at us.ibm.com
Fri Feb 3 03:39:45 UTC 2006
-----------------------
LSPP Meeting 01/30/2006
-----------------------
Known Attendees:
Matt Anderson (HP)
Tim Chavez (IBM)
Janak Desai (IBM) - jd
Darrel Goeddel
Steve Grubb (Red Hat) - sg
Ken Hake (IBM)
Chad Hanson (TCS)
Dustin Kirkland (IBM) - dk
Linda Knippers (HP)
Joy Latten (IBM)
Debora Velarde (IBM)
Al Viro (Red Hat) - av
Klaus Weidner (atsec) - kw
George Wilson (IBM) - gw
Venkat Yekkirala (TCS)
Catherine Zhang (IBM) - cz
Tentative Agenda:
IPsec labeling, getsockopt(), xinetd
ipsec-tools
VFS polyinstantiation
AuditFS completion
Audit enhancements
Audit by role
Audit of network events
Audit API and binary records
Print
SELinux base update
MLS policy gaps
Device allocation, udev, DBUS
Self tests
Cron, mail, etc.
Remaining tasks
Package list
Unit and functional tests
Documentation
-------------------------------------
Tim & Catherine moving off the project
-----------------------------------
IPsec labeling, getsockopt(), xinetd
-----------------------------------
Catherine had paper deadline, hasn't worked on this much
updated patch will be posted hopefully tomorrow
-----------
ipsec-tools
-----------
Sent patch to ipsec-tools community
one maintainer sent email that he had a lot of work so it would be a while
before he gets to newly submitted patches
hasn't been able to do stress testing yet
gw: Venkat, when would you like to make available the MLS changes to
racoon?
vk: enhancements kernel to ipsec tools, racoon
whole thing working in basic fashion
need to clean up code
a few more weeks before it's out
Chad: also trying to address iptools package from the kernel
current implementation has some limitations
Joy: is this patch on ipsec-tools? userspace and the kernel
Joy: patches made on top of the patches she had
cz: issue was raised on stability of the getpeer patch when selinux was
disabled
Catherine didn't see the problem
cz: might be applying the patch to the wrong kernel,
or maybe mailer corrupted the patch, and spaces or tabs are wrong
sg: saw it crash one time
hasn't had a chance to go back and look at it more
gw: Venkat, needed to enhance secpeer patch?
vk: no
chad: also working on more of fundamental issue of ipsec
reduce the # of rules, use ranges
entirely separate issue how the rules interact with the kernel
<< missed part of discussion due to phone problem and switching conference
rooms >>
same problem exists in BSD as well
track work item - depends on how many rules we need to use
---------------------
VFS polyinstantiation
---------------------
not a lot of new to report
completed the test set Andrew Morton wanted
haven't heard anything officially
indication that it is going upstream, patch rearranged syscalls #,
included unshare
------------------
AuditFS completion
------------------
Amy's status:
4 parts
1. augment the audit context collection
done last fall
had gone into the -mm tree
need to check if it's gone in
2. interface changes to allow the admin to specify an audit rule that has
a string field instead of integer field
in lspp kernel
haven't gotten any feedback on it in a couple of weeks now
hasn't planned to make any more changes in it
1b or 2b. audit watch rule field
new struct for the kernel to store the audit rules
mistake of statically allocating the structure
does plan to change that and resubmit
only reason hasn't done that is been working on other parts
flag as known issue, to be done later
3. kernel API, need to make the separation cleaner
inotify and the code used for the kernel space inotify
going to need to rework that patch, functionally the same,
interface cleanup needs to happen
4. inotify client, part of that work to the list
finishing up the locking models
planning to submit patch, next day or two
Request For Comments (RFC)
SMP testing
Do we have a development kernel process in place?
sg: built a kernel today and it oopsed
sg: working with Andrius for a place we can put these
maybe off the partners ftp site
av: have tree on kernel.org
sg: wanted something so we could test the pam module with
dk -> av: if he could email location
av: mw2 is now viro,
------------------
Audit enhancements
------------------
Amy: as we move forward, more and more of a
userspace audit tools for the new interface
not clear who's doing that work, maybe Steve or Dustin
-------------
Audit by role
-------------
dk: enough in a modified tree for role filtering
Steve, I'm happy to commit that
put that patch out on the list, is that how you want to do it?
sg: if you have time, nice to get it close, if not I'll take it from where
you leave it
dk: audit field pair
larger block of code, maybe deprecated at some point
re-based Jan 10th to Jan 17th patch
-----------------------
Audit of network events
-----------------------
no additional analysis
gw had mentioned to try to bring up a system, w/o a policy
don't get an audit msg
might need to be clarified a little bit so when we come back to it we know
what it was
depending on the peer sec patch
assume want to get the labels off the inbound connections
still TBD analysis and ownership of that item
----------------------------
Audit API and binary records
----------------------------
might not need for lspp
dropping binary records uncontroversial
audit api is a little controversial
not strictly required for lspp
in order to write testcases, would like to write tests once
could do one internally only
sg: there will be an API, maybe sg and someone else writes it
one of the goals for RHEL5, that's going to happen no matter what
gw: so then it isn't a point of contention
-----
Print
-----
Matt:
sent out patch internally for review, waiting for feedback,
might still be using older audit interfaces,
need to make sure using up to date
hope to be getting that out
packages that we might normally exclude but we need to include because of
cups
able to do things with ps
ant config and config type, less pixelated output
maybe printing output would look weird
-------------------
SELinux base update
-------------------
Dan is not on the call
sg: patch out for newroles setuid
should now send audit msgs, in rawhide tomorrow morning
one change to init, ideally that's going to cover audit of userspace
sg: changecon, why wasn't getting any audit msgs
audit rules, so anything that makes a syscall gets logged
need to dig into it
gw: changecon, should be
---------------
MLS policy gaps
---------------
need to flush out bugs and write mls policy patches
were there any issues to the password policy?
Janak had found the one issue,
jd: agree with the patch that he sent, not sure what's involved
severe restriction that they can't change their password if they log in at
anything above system_low
strict mls policy, as Janak finds more things will report it
-----------------------------
Device allocation, udev, DBUS
-----------------------------
debora will produce a write up on that
Documentation mentioned that CUPS uses DBUS.
Matt doesn't need DBUS for what he's doing with CUPS.
----------
Self tests
----------
don't need any heavy weight thing with that
let it be run by an admin in a cron job
still need an owner
just because the percent is there doesn't mean that it's an owned task
hopefully someone can put something like that out on the list and we can
start criticizing it
----------------
Cron, mail, etc.
----------------
Janak still hasn't gotten to it
wrapper or prog mail
---------------
Remaining tasks
---------------
if you come up with items please bring them up and George will make the
changes
Will add one item to be tracked - Chad's item
large # of rules - ipsec
------------
Package list
------------
-------------------------
Unit and functional tests
-------------------------
if you're writing new code, if could, make test available
unit or fvt tests
if you don't have tests and writing new code, it would be nice if you
could to show correct operation of new code
could turn them into certification and ltp tests
-------------
Documentation
-------------
old instructions on Russell's wiki
simplified instructions, with networking hooks
hoping to have more up-to-date documentation on the wiki
lspp wiki: http://cable.coker.com.au:800/wiki/index.php/Main_Page