[redhat-lspp] LSPP Development Telecon 02/06/2006 Minutes
Debora Velarde
dvelarde at us.ibm.com
Fri Feb 10 01:12:31 UTC 2006
-----------------------
LSPP Meeting 02/06/2006
-----------------------
Known Attendees:
Matt Anderson (HP)
Tim Chavez (IBM)
Janak Desai (IBM) - jd
Darrel Goeddel (TCS)
Amy Griffins (HP) - ag
Steve Grubb (Red Hat) - sg
Chad Hanson (TCS)
Dustin Kirkland (IBM) - dk
Linda Knippers (HP) - lk
Joy Latten (IBM)
Paul Moore (HP)
Michael Thompson (IBM)
Debora Velarde (IBM)
Dan Walsh (Red Hat)
Klaus Weidner (atsec) - kw
George Wilson (IBM) - gw
Kris Wilson (IBM)
Catherine Zhang (IBM) - cz
Tentative Agenda:
IPsec labeling, getsockopt(), xinetd
ipsec-tools
VFS polyinstantiation
AuditFS completion
Audit enhancements
Audit by role
Audit of network events
Print
Device allocation, udev, DBUS
SELinux base update
MLS policy gaps
Cron, mail, etc.
Self tests
Unit and functional tests
Documentation
Remaining tasks
-----------------------------------
IPsec labeling, getsockopt(), xinetd
-----------------------------------
Joy needs to do testing on that
winding down Catherine's work on this
secpeer patch?
- worked on patch last week
- addressed comments from James
- found that tcp getsock peer is not working on the 2.6.16 kernel
- some changes on permissions needed for setting setkey operations and
other operations
- that was another patch we discussed, the labelling patch,
- caused some bizarre behavior of tcp connection
- part encrypted and part not
- finishes successfully, when trying to get label, says no srm
- chased it down to the missing permission
- sent a patch out to netdev this morning and waiting for comments
- hopefully will be close to last round
--------------------------------
ipsec-tools
--------------------------------
Chad found an issue with pfkey as used by racoon:
not reliable when you have a large number of associations,
which ipsec-tools uses
fixed interface, sent email to netdev
feedback from Dave Miller, should be using netlink
ipsec tools package, uses pfkey instead of netlink
openswan does use netlink
ipsec-tools part of RHEL?
dump via netlink
should probably ask them if they'd take the patch before you invest a lot
of time in that?
will post that tomorrow
upstream with those guys would be better
sg: should post them to Dave Miller's email
is there a preferred solution for ipsec in Redhat DB?
is openswan used more?
rawhide is up to 6, 6.3 and they released 6.5 today
they're behind
version of ipsec tools isn't up to date
Joy: openswan was generated from freeswan; it had its own hooks that went
into the kernel
ipsec tools was the port of kame
ipsec-tools - all the work to add the context, not in openswan
licensing issue - have to redo it technically
ideal to try to get the netlinks to work DB inside ipsec-tools
chad will be investigating that plan
Joy had another patch on that
gw: ipsec tools patch?
Joy: the maintainer was busy and wouldn't get a chance to look at that for 2
weeks
that was 2 weeks ago, so maybe this week
--------------------------------
VFS polyinstantiation
--------------------------------
Al had a doctor's appointment; was hoping to be back
rc2 2.6.15 had some syscalls added but not unshare
Janak wanted to ask Al how to proceed
Janak will ask him on audit irc channel
syscalls that were added were ppoll and pselect (ppc only)
glibc implications; better to get it in sooner rather than later
Al had said there was a possibility of getting a syscall number reserved
if unshare can't make it until 17, at least reserving the number would
help
keeping us from merging pam
Janak to ask Al
------------
test kernels
------------
- sg made a test kernel last week
- sg spoke w/ Andrius about how to distribute
- going to go on the partners page, but ran out of disk space
- adding more disk space, then can upload kernels
- not there yet but will be at:
ftp.partners.redhat.com/lspp-devel
- need to post on Russell's site
--------------------------------
AuditFS completion
--------------------------------
Amy:
parts 1-3: there have not been any changes since last week
audit inotify client
- still working out locking issues there
- posted work she had so far to linux audit list
- feedback on locking approach
- most of the code is there; highlighted the issues she still sees and thinks
she needs to work on
sg: ready for test kernel?
ag: no, added code at the end that hasn't been tested
interface patch and the inotify could go in
keep inotify client out for the time being
hopefully in a week
dk: would like to see her patch in the kernel
gw -> ag: which kernel will that make it into?
sg -> ag: are you driving towards any kernel in particular?
ag: haven't been targeting any particular kernel
to expedite it folks could take a look at the patch posted
sg: in the past Tim had worked out the locking in parallel with folks
reviewing and testing
dk: potential problems, would it only surface if folks watch a file?
folks won't be hitting it as long as they aren't adding rules to watch
files
dk: that would allow those of us who wouldn't mind knocking it around to try
it, and wouldn't hurt other people not trying the new features
lk: guess it would be good to add it
sg: to get better feedback
lk (or ag?): get one kind of feedback,
ag: will do a little bit of compatibility testing
she's using a UP system, no MP
am: but if folks are running this on an MP system, can't tell you what it's
going to affect
sg: ability to list, add, delete watches
at least we can start testing that
am: a lot of that in the interface patch, don't need this to test that
sg: probably would get better feedback if we rolled the kernel and put the 4
patches on it
gw: would get more eyes on it
ag: how many people are running the kernel?
4 or 5 people responded
ag: and you'll look at the code too?
dk: when something breaks I will
gw: getting your code perfect before publishing vs publish early and
publish often
dk: going to rpm it, install it on different archs and see how it works
ag: when I posted it, it wasn't with the intention of it being applied
ag: include 2 of those 3 patches
then next week maybe would be ready to try the 3rd
gw: consensus?
lk: go with the 2 patches that are ready
sg: Amy, can you email me the 2 specific patches ready to be rolled into
kernel?
ag: yes
dk: or post to list dropping RFC on these 2 patches
--------------------------------
Audit enhancements
--------------------------------
Tim finished on Friday
had machine problems
put a fresh install
patched the Viro kernel and is building it
once he has tried it (SELinux enabled, disabled, etc.)
will post it to the list
--------------------------------
Audit by role
--------------------------------
Dustin put out a patch for role based filtering
Stephen Smalley (not on the line) had suggested
a couple of important things that should be done differently
dk didn't make any modifications to selinux code
ss suggested we make a couple new functions and create a public API that
audit can use
dk going to try to do that
sg and dk asked if he could do that, ss said no
chad: which functions?
dk: mallocing a new string and retrieving the full context label
colon separated label
slicing and dicing that into proper fields in audit
security get role, return the role
selinux would make the decision as to what the role is rather than
audit
in process of reworking that
chad: why separate category and sensitivity?
dk doesn't understand those last 2 roles, asks chad for
chad: category and sensitivity creates the MLS range
combination of sensitivity and category make up the sensitivity labels
sensitivity and category make one label, such as TopSecret
chad: don't need to separate category from sensitivity,
Darrell: probably shouldn't, don't have meaning by themselves
dk: next iteration will be a minimal, only role for LSPP
chad: do need to be able to filter by label per CC
RBAC but in the LSPP section of that
dk: 2nd question, anyone have selinux kernel expertise that can help make
these changes?
Darrel will take a look at the thread and let dk know if he can help out
with that piece
sg: ss brought up another point
subject, object, or either that we're auditing against?
sg: need to be able to audit either
adds a wrinkle to the patch
no suggestions on what to do, but need to be able to specify either
filter on the subject or filter on the object
kernel has to be able to distinguish between the subj and obj
dk: field flags array - each field has 32 possible flags
can I assume that I could flag one of those fields to indicate if it
applies to subj, obj, or both
sg: userspace, you would give
-F subj_role=admin_r -F obj_role=
name on the left is the field
Is TCS on audit irc channel?
no, what channel is it?
#audit on irc.freenode.net
--------------------------------
Audit of network events
--------------------------------
--------------------------------
Print
--------------------------------
print cups-1.1-23.30
looking at the audit messages
make sure they contain all the info needed
no audit msgs for failed jobs (outside the range)
looking into determining if a user is submitting a job outside the range, and
getting that failure to them on the command line and in audit
audit 1.1.3
MLS policy - wasn't able to bind to the port he needed
patch to the MLS policy to fix that problem?
looked into the packages that he thinks he'll need
all were in security target for RHEL4
looks like they are
Dan: if get it to me then he can look at the policy
if print fails, audited
85% done
lk: do people want to see this as a work in progress policy?
Matt: can send this to the list
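Added example, not code from these minutes or from the audit, SELinux or CUPS projects. It models the two label-handling points discussed above: the "Audit by role" thread (split the colon-separated context into user, role and type, treat sensitivity plus categories as one MLS label rather than separate filter fields, and let a "-F subj_role=... -F obj_role=..." rule name whether it applies to the subject or the object), and the "Print" thread (decide whether a job's label lies inside the printer's range and produce an audit line for the failure). The field names, record layout, audit line format and all sample contexts are assumptions made for the example.

```python
"""Added example: SELinux MLS context parsing, subj/obj role filtering,
and a print-job range check. Record layout, rule syntax and samples are
assumptions, not the real auditctl or CUPS behaviour."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus the set of category numbers."""
    sensitivity: int
    categories: frozenset


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level   # for a process: its current level
    high: Level  # for a process: its clearance


def parse_categories(spec):
    """'c0.c5,c7' -> {0,1,2,3,4,5,7}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """'s2:c0.c5' or 's2' -> Level (sensitivity and categories stay together)."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity in %r" % text)
    return Level(int(sens[1:]), parse_categories(cats))


def parse_context(ctx):
    """'user:role:type[:low[-high]]' -> Context; a missing MLS part means s0."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("bad context %r" % ctx)
    user, role, typ = parts[:3]
    mls = parts[3] if len(parts) == 4 else "s0"
    low_txt, _, high_txt = mls.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low
    return Context(user, role, typ, low, high)


def dominates(a, b):
    """a dominates b: sensitivity at least as high and a superset of categories."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def in_range(label, clearance):
    """True if label sits between clearance.low and clearance.high."""
    return dominates(clearance.high, label.high) and dominates(label.low, clearance.low)


# Assumed rule syntax from the minutes: -F <subj|obj>_<user|role|type>=<value>
RULE_RE = re.compile(r"^(subj|obj)_(user|role|type)=(\S+)$")


def parse_rule(argv):
    """['-F', 'subj_role=admin_r', '-F', 'obj_type=shadow_t'] -> [(side, attr, value), ...]"""
    fields = []
    tokens = iter(argv)
    for tok in tokens:
        if tok != "-F":
            raise ValueError("expected -F, got %r" % tok)
        m = RULE_RE.match(next(tokens, ""))
        if not m:
            raise ValueError("unsupported field")
        fields.append(m.groups())
    return fields


def matches(record, fields):
    """Every -F field must match, each checked against the side it names."""
    for side, attr, value in fields:
        if getattr(parse_context(record[side]), attr) != value:
            return False
    return True


def filter_records(records, argv):
    """Return the ids of the records that a rule would select."""
    fields = parse_rule(argv)
    return [r["id"] for r in records if matches(r, fields)]


def check_print_job(job_ctx, printer_ctx):
    """(allowed, audit line) for a job label against a printer's range."""
    job, printer = parse_context(job_ctx), parse_context(printer_ctx)
    allowed = in_range(job, printer)
    line = "type=PRINT_JOB subj=%s obj=%s res=%s" % (
        job_ctx, printer_ctx, "success" if allowed else "failed")
    return allowed, line


# Constructed sample records, not real audit output.
SAMPLE_RECORDS = [
    {"id": 1, "subj": "staff_u:admin_r:admin_t:s2:c0.c5-s15:c0.c1023",
     "obj": "system_u:object_r:etc_t:s0"},
    {"id": 2, "subj": "user_u:user_r:user_t:s0-s0",
     "obj": "system_u:object_r:shadow_t:s0"},
    {"id": 3, "subj": "staff_u:user_r:user_t:s1:c3",
     "obj": "staff_u:admin_r:admin_t:s1:c3"},
]

if __name__ == "__main__":
    print(filter_records(SAMPLE_RECORDS, ["-F", "subj_role=admin_r"]))
    print(filter_records(SAMPLE_RECORDS, ["-F", "obj_role=admin_r"]))
    print(check_print_job("user_u:user_r:lpr_t:s3",
                          "system_u:object_r:printer_t:s0-s2:c0.c5"))
```

The subject and object sides are only told apart by the field name, which is the same job the discussion assigns to the kernel's per-field flags; a subj_role rule never looks at the object context and vice versa. The range check keeps sensitivity and categories inside one Level, so a job at s1:c7 is refused by a printer cleared for s0-s2:c0.c5 even though its sensitivity alone would pass.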
--------------------------------
Device allocation, udev, DBUS
--------------------------------
Cory sent updated src rpm to debora
chad: putting together the MLS utils package
should have a newer one
allocating different devices
debora working on updating from the old policy
chad: could have another guy look at the policy too
--------------------------------
SELinux base update
--------------------------------
put a lot of stuff on the fedora wiki
lot of people testing with MLS
capability that allows you to fix the policy
send avc messages we're seeing and Dan can make updates
we'll try to screen the problems here first
--------------------------------
MLS policy gaps
--------------------------------
going to have updates
test on it
get errors out of it at a minimum
better to get patch updates and send to Dan
--------------------------------
Cron, mail, etc.
--------------------------------
no new updates
going to setup an MLS machine to test cron on
--------------------------------
Self tests
--------------------------------
need to identify areas to make progress
--------------------------------
Unit and functional tests
--------------------------------
reminder: share existing unit tests
--------------------------------
Documentation
--------------------------------
Dan putting info on fedora wiki
if not a link on Russell's page need to put one there
--------------------------------
Remaining tasks
--------------------------------
sg: trading emails with Stephen Smoogen, posted to the lspp list
configuration tool to lockdown a machine
curious if anybody is interested in that kind of thing?
a lot of people that would like a tool like that
automatic lockdown capability - verifies configuration
sounds like self test
sounds like Bastille on steroids, written to follow a STIG?
something worth writing? - see if someone will volunteer
kris: Test 3 mentioned, when will we see that?
slipped by a week
should ship 2 weeks from today
lspp wiki: http://cable.coker.com.au:800/wiki/index.php/Main_Page