[redhat-lspp] LSPP Development Telecon 11/20/2006 Minutes
Michael C Thompson
thompsmc at us.ibm.com
Mon Nov 20 22:01:15 UTC 2006
11/20/2006 lspp Meeting Minutes:
===============================
Attendees
George Wilson (IBM) - GW
Linda Knippers (HP) - LK
James Antill (RH) - JA
Paul Moore (HP) - PM
Bill O'Donnel (SGI)
Chad Hansen (TCS)
Mike Thompson (IBM) - MT
Scott Lawler (Lightspeed)
Kylene Hall (IBM)
Steve Grubb (RH) - SG
Dan Walsh (RH) - DW
Joy Latten (IBM) - JL
Please forgive if anything was omitted or anyone's name was not captured.
Kernel / Beta / rawhide update
------------------------------
GW: Beta2 issues can not be discussed, since it is not an open beta
GW: There is an selinux translation issue filed, and there has been
testing w/ 55 kernel, no issues found
LK: What are the differences between lspp.55 and beta2
SG: Eric's and Paul's patches added
GW: Should we continue to use the lspp.55 kernel until we hear otherwise?
SG: Yes, it's pretty recent and Joy is almost done with her ipsec patch
and Paul has new patches, thus the need for an lspp kernel
LK: What policy should we be running?
DW: Run the rawhide policy, they are planning to be 1-1. RHEL5 policy
will be taken from rawhide policy
SG: If you see something that looks wrong, file a bug. If it's not a
bug, we'll close it as such, otherwise, we'll fix it.
SELinux base and MLS policy update
---------------------------------------------
GW: There is a translation bug
LK: Matt said that it's fixed in rawhide policy
DW: Yeah, this is fixed in rawhide
GW: Yes, we've seen it on one of the installs
DW: I'll look into it and verify that c1023 is used, not c255. Please
send me any policy bugs or questions in email
GW: Any other policy issues?
PAM & VFS polyinstantiation
---------------------------
GW: Been playing with James' level selection, but can't get it to work
in enforcing, or non-enforcing mode
DW: It's failing to do the mkdir?
GW: no, getting a pam conversation error
DW: any avc messages?
GW: in enforcing mode, root ssh can't login, but session gets opened,
although conversation failed. On the console, root seems to work, I get
session opened, and I get to the selection prompt, but I get invalid
security context or if no, an authentication error (in enforcing). It
works in permissive for root at console, and nothing works for normal users.
JA: It could be policy
GW: Not getting avc, am doing on ppc64, are you on i386?
JA: Yeah, been testing on i386
GW: I'll try and get you more useful data, it will probably boil down
to policy. Will try to get Klaus to get a look at it once he is back
from vacation.
GW: Got aide policy built
newrole
-------
GW: Mike's newrole patches went upstream. Mike, anything to say on that?
MT: yay, that's about it :)
CIPSO / IPsec
-------------
GW: ok, any news on cipso?
PM: no real news
JL: Labeled ipsec awaiting on Klaus to get back so we can get a read
on LSPP's requirements for IPsec toggles. Sent out the policy to get
ipsec working in enforcing mode
Audit
-----
GW: News on audit?
SG: Nope
Self tests / aide
-----------------
GW: Still hacking on self test, added some BLP checks, not sure how to
other more
DW: Can do testing through run_init
GW: Testing will start at SystemHigh, but we would like to change level
DW: Well, you could write scripts at different levels and use run_init
to execute them to test
GW: Still figuring python syntax, can create object to pass into
audit_get_reply
SG: Dan said he was going to work on the python bindings
GW: Not clear that it has bugs, I created a new object and it does
like that, but not sure on how to make use of that reply object
DW: That object is supposed to go to the next func, but that next func
is broken.
GW: Took aide policy module and got it built and inserted, compiled
without any problems
Cron, tmpwatch, mail, etc.
--------------------------
GW: Has anyone had time to test cron and mail?
JA: The policy level selection code relies on policy like cron, so
if level selection has problems, cron might have problems
GW: OK, we might want to run some cron jobs
Final cutoff dates
------------------
GW: The final cutoff dates are coming up soon
Final thoughts
--------------
GW: Please, write bugs for everything and open them up if you are
willing to do that
Happy Thanksgiving!