[redhat-lspp] LSPP Development Telecon 11/20/2006 Minutes

Michael C Thompson thompsmc at us.ibm.com
Mon Nov 20 22:01:15 UTC 2006 

11/20/2006 lspp Meeting Minutes:
===============================
Attendees
   George Wilson (IBM) - GW
   Linda Knippers (HP) - LK
   James Antill (RH) - JA
   Paul Moore (HP) - PM
   Bill O'Donnel (SGI)
   Chad Hansen (TCS)
   Mike Thompson (IBM) - MT
   Scott Lawler (Lightspeed)
   Kylene Hall (IBM)
   Steve Grubb (RH) - SG
   Dan Walsh (RH) - DW
   Joy Latten (IBM) - JL

Please forgive if anything was omiited or anyone's name was not captured.


Kernel / Beta / rawhide update
------------------------------
  GW: Beta2 issues can not be discussed, since it is not an open beta
  GW: There is an selinux translation issue filed, and there have been 
testing w/ 55 kernel, no issues found

  LK: What are the differences between lspp.55 and beta2
  SG: Eric's and Paul's patches added
  GW: Should we continue to use the lspp.55 kernel until we hear otherwise?
  SG: Yes, its pretty recent and Joy is almost done with her ipsec patch 
and paul has new patches, thus the need for an lspp kernel

  LK: What policy should we be running?
  DW: Run the rawhide policy, they are planning to be 1-1. RHEL5 policy 
will be taken from rawhide policy

  SG: If you see something that looks wrong, file a bug. If its not a 
bug, we'll close it as such, otherwise, we'll fix it.

SELinux base and MLS policy update
---------------------------------------------
  GW: There is a translation bug
  LK: Matt said that its fixed in rawhide policy
  DW: Yeah, this is fixed in rawhide
  GW: Yes, we've seen it on one of the installs
  DW: I'll look into it and verify that c1023 is used, not c255. Please 
send me any policy bugs or questions in email
  GW: Any other policy issues?

PAM & VFS polyinstantiation
---------------------------
  GW: Been playing with James' level selection, but can't get it to work 
in enforcing, or non-enforcing mode
  DW: its failing to do the mkdir?
  GW: no, getting a pam conversation error
  DW: any avc messages?
  GW: in enforcing mode, root ssh can't login, but session gets opened, 
although conversation failed. On the console, root seems to work, I get 
session opened, and I get to the selection prompt, but I get invalid 
security context or if no, an authentication error (in enforcing). It 
works in permissive for root at console, and nothing works for normal users.
  JA: It could be policy
  GW: Not getting avc, am doing on ppc64, are you on i386?
  JA: Yeah, been testing on i386
  GW: I'll try and get you more useful data, it will probably boil down 
to policy. Will try to get Klaus to get a look at it once he is back 
from vacation.
  GW: Got aid policy built

newrole
-------
  GW: Mike's newrole patches went up stream, Mike, anything to saw on that?
  MT: yay, that's about it :)

CIPSO / IPsec
-------------
  GW: ok, any news on cipso?
  PM: no real news

  JL: Labeled ipsec awaiting on Klaus to get back so we can get a read 
on LSPP's requirements for IPsec toggles. Sent out the policy to get 
ipsec working in enforcing mode

Audit
-----
  GW: News on audit?
  SG: Nope

Self tests / aide
-----------------
  GW: Still hacking on self test, added some BLP checks, not sure how to 
other more
  DW: Can do testing through run_init
  GW: Testing will start at SystemHigh, but we would like to change level
  DW: Well, you could write scripts at different levels and use run_init 
to execute them to test

  GW: Still figuring python syntax, can create object to pass into 
audit_get_reply
  SG: Dan said he was going to work on the python bindings
  GW: Not clear that it has bugs, i created a new object and it does 
like that, but not sure on how to make use of that reply object
  DW: That object is supposed to go to the next func, but that next func 
is broken.
  GW: Took aid policy module and got it built and inserted, compile 
without any problems

Cron, tmpwatch, mail, etc.
--------------------------
  GW: Has anyone had time to test cron and mail?
  JA: The policy level selection code relies on policy like cron, so 
there if level selection has problems, cron might have problems
  GW: OK, we might want to run some cron jobs

Final cutoff dates
------------------
  GW: The final cutoff dates are coming up soon

Final thoughts
--------------
  GW: Please, write bugs for everything and open them up if you are 
willing to do that


Happy Thanksgiving!

More information about the redhat-lspp mailing list