[redhat-lspp] LSPP Development Telecon 11/27/2006 Minutes

Michael C Thompson thompsmc at us.ibm.com
Tue Nov 28 21:25:17 UTC 2006


11/27/2006 LSPP Meeting Minutes:
===============================
Attendees
   George Wilson (IBM) - GW
   Mike Thompson (IBM) - MT
   Paul Moore (HP) - PM
   Bill O'Donnel (SGI) - BO
   Joe Nall
   Lisa Smith (HP)
   Irena Boverman (RH) - IB
   Linda Knippers (HP) - LK
   Larry Wilson (IBM)
   Kylene Hall (IBM)
   Kris Wilson (IBM)
   James Antill (RH) - JA
   Klaus Weidner (Atsec)
   Steve Grubb (RH) - SG
   Dan Walsh (RH) - DW
   Amy Smith (HP)
   Chad Hansen (TCS)
   Joy Latten (IBM) - JL


Please forgive if anything was omitted or anyone's name was not captured.

Tentative Agenda:
         Kernel / Beta / rawhide update
         SELinux base and MLS policy update
         PAM & VFS polyinstantiation
         CIPSO
         IPsec
         xinetd
         Self tests / aide
         Cron, tmpwatch, mail, etc.
         Bugs / remaining tasks
         Final cutoff date

Bug Process
===========
GW - We have to mirror to issue tracker, and this is a post-beta
      process. This is for anything out of development. This is our
      agreed-upon process. RH will decide if they become bugzillas.
IB - We want partners to use RHIT, but project managers are suggesting
      to do bugzilla. Make it public, then file an issue tracker. This
      prevents visibility issues and makes it easier to manage for RH.
      You can continue to use IT, but making bugzillas public which
      originated from IT is harder.
GW - Is this an agreed upon process?
IB - Yes
GW - Great, we'll do this. So we would create 2 bugzillas?
IB - Create RH bugzilla (via bugzilla.redhat.com) to get public entry.
      Then do regular process using your bugzilla and link against the
      public one. This is hard, but better than current process.
GW - This is a deviation from our existing process. We were told opening
      a direct bug was a no-no.
IB - I think we can meet requirements by having an IT bug point to a
      public bug.
GW - So this should let everyone have visibility, and permit everyone to
      write bugs. I encourage people to write bugs when you see problems.
IB - Remember to not mark them as private.


Kernel / Beta / rawhide update
==============================
GW - Install pain point is the virtual ethernet issue on ppc LPARs. This
      bug is filed. There is the outstanding setrans.conf bug with the
      c255 not c1023 (also filed).
LK - Having issue where can't create a user account someone can log
      into. First time someone logs in, passwd is accepted but connection
      is dropped. 2nd time the connection is completed, but you can't
      access the home directory.
GW - Seeing messages in /var/log/secure?
LK - Need to check that. Definitely am having problem with
      polyinstantiation. Still confused about how home directories are
      being created in the first place. Could be related to /tmp
      directories.
MT - No bugs have been filed regarding these issues, but we have seen
      them.
DW - 3 steps with semanage to create a user. Add user to get uid,
      semanage to link to staff user, and the third step is to relabel
      the home directory.
LK - That might help, but I want to create a regular user.
DW - You should just need to use useradd and the defaults should be ok
      (defaults to user_u).
KW - Even with regular user with non-default levels, you need to use
      semanage to relabel home directory.
LK - Seeing weird things when users are being created with the kickstart
      script. First user is being created slightly differently than
      second user. Will compile some information on this.
KW - Ok, not seen this... could be a problem with the tools.
LK - Wasn't sure if the first semanage caused a policy reload, which
      could be causing the first/second user difference.
DW - semanage will cause a policy reload.
KW - It could be that the first user didn't have the policy loaded
      correctly. There is an open bugzilla about post-install section of
      the mls policy rpm not being run correctly.
DW - OK, will look for that bug. One thing admin might want to do is
      automate these three steps with a simple shell script. Reason I
      hesitate to do that is to have admin understand the actions when
      adding a user.
DW - Another thing found, when you create a file on the system, the user
      component of the file/directory gets assigned to the user who
      created it. If you log in with ssh, you get staff_u; if you log in
      on the console, you get root:. It's consistent, but not expected.
SG - This sounds like a bug.
DW - What's the bug?
SG - user winds up in a state which conflicts with the relabel of the
      directory. If you did a restorecon, would that not correct it?
DW - When doing restorecon, you're losing who created the file, you
      set it to system defaults.
LK - Still, someone's home directory does depend on who did the useradd.
SG - Should be predictable, every time you do a relabel, it's going to
      change. Me, I would think we should fix that so aide doesn't
      complain.
DW - If you relabel, aide is going to complain.
LK - I think i got a difference of behavior when adding a regular user.
SG - Create users, run for two weeks, do a relabel, and their labels
      change.
JA - If you create a user and relabel the directory immediately, aide
      won't care; it's a short amount of time.
SG - Seems to me when it creates home directory, it should query policy
      and get the context correct.
LK - Just created a user directory, and the home dir has user staff_u
      but type userhome_dir_t. I agree with Steve, if we're going to
      create the home directory, we should create it with the context it
      is going to end up with.
SG - I think we should get a bug against this.
DW - I can argue the other side of that, but you're fixing a fundamental
      problem about how the system works... this will happen in other
      situations as well. This is how the user component of SELinux
      works. I hesitate because there are other ways to create the user's
      home directory. Worried about polyinstantiation, what does the user
      component have when the directory gets created? It's a bigger
      problem than just useradd.
LK - I know kickstart script calls useradd.
SG - I guess we'll fix it in the obvious place and see where else it
      pops up.

GW - Another thing we noticed was that trying to put system into single
      user mode fails.
DW - Yeah, updated the policy (on my people page) to allow this. Will be
      in the beta.
KW - mls policy rpm post-install RHIT 102563

SG - Did talk with the people who do bugs, and got a tentative agreement
      that bugs that have LSPP in the subject will get accelerated to
      engineering.
IB - Steve, we've agreed that HP and IBM will file bugzillas directly
      and will then file RHIT and reference that bugzilla. This way
      bugzillas will stay public. This eliminates the escalation issue.

GW - Any other issues with beta or lspp.55? Should we move to 55 kernel
      or use next beta kernel?
SG - 55 has late breaking changes... not sure if they are integrated
      into beta kernel. Stay with 55 for the moment.

BO - Question about the lspp.55 kernel... been using lspp.51 for some
      time for a demo, but I got 55 this morning, and getpeercon on local
      IP sockets fails... is that the expected behavior?
CH - I believe the expected behaviour is getpeercon will only get a
      result when you have labeled networking.
PM - getpeercon can only work when you are using labeled networking.
BO - I don't know how to configure ipsec to use loopback... do you?
CH - Venkat had a suggestion, but I don't know if anyone has tested it.
      The impression I got is the code is all there, just not tested. I
      know James Morris doesn't like that approach.
JL - I tried using getpeercon with regular ipsec, but I haven't tried it
      with labeled networking. I'll try with non-labeled and labeled.
      There was a sysctl I had to use.
CH - Really hard to implement with ipsec, other than the sysctl variable,
      which for some reason, James does not like.
GW - Why is it off?
CH - Probably performance. Why would you want to do ipsec over
      localhost. If you want to know, dig up the threads in the archive.

LK - After I run newrole to change roles, more doesn't work. I get one
      page. Getting an EBADFD when more tries to read more input. But
      this is only after doing a newrole.
<Lots of dialog about this issue>


SELinux base and MLS policy update
==================================
DW - No updates on base policy. Mostly all bug fixes at this point. Can
      get latest policy from my people page.
GW - Will these be in the refresh?
DW - Yes, either this coming or the one following.

GW - Doing level selection testing, and on one of the tests I got a
      stack trace (double free corruption). Have a little matrix going of
      results.
GW - Stack trace was from logging in with ordinary user from console,
      had default staff role, selected s0 as level, and got a stack dump.
      Trying to go through all combinations.
SG - OK, does stack dump have debug information? Please forward to me.
GW - Still haven't tried with ordinary user in enforcing mode. Done with
      root over console and ssh. root on the console seems to be what
      works in permissive mode, and I think the only thing I've gotten to
      work correctly. I'll try the ordinary users over ssh.
SG - What was in the pam stack? anything different from the default?
GW - Not that I can see. Just put the selection keyword in the login,
      sshd and remote.
JA - As Steve said, it's something that is getting NULL'd out and freed.
      Could it have been out of his MLS allowed range?
GW - Should have been.
JA - If the range isn't allowed, it goes to an error path, which might
      be hitting the free.
GW - Tried with translated and untranslated to see if that was the
      issue. This was untranslated. I'll send you the incomplete table.
JA - yes, Please send to steve and me. We need to see if the range check
      failed.
GW - OK, will send to you privately and will try to complete the matrix.
JA - It would be good to find out if the MLS range check passed, because
      that would show the policy failing when it shouldn't be.
GW - Yeah, used s0 and it has SystemLow-SystemHigh.


PAM & VFS polyinstantiation
===========================
< No more issues >


CIPSO & IPsec
=============
PM - CIPSO - no outstanding issues
GW - ipsec, doing stress runs?
JL - no, forgot. Will do tonight and do the localhost check. I think I
      sent out the policy to get ipsec to run in enforcing. Chris sent
      back comments, and we'll need to work on this a bit. Wondering if
      ipsec should be run as sysadm domain or should run in ipsec
      domain... chris thinks should run in ipsec domain.
GW - Then we need transitions.
JL - Already some transitions, but we need to use it. Once we get that
      ironed out, we can make those changes.
GW - Things working from an MLS pov?
JL - yup. won't add SA unless in range of policy and all that kind of
      stuff.

SG - Not seen patch for ipsec stuff... did you send that to net-dev?
JL - Yeah, I tried to send it, but I haven't seen it yet. Steve, you
      should have a copy.
SG - Didn't get it.
JL - OK, will resend.


xinetd
======
SG - No news, really close to working on it. Been spending time on audit
      getting it to final version so it's ready. One more thing to fix,
      then start working on xinetd.


audit
=====
SG - Going to put out 1.3 version of audit with lots of cleanup and tiny
      bug fixes. Fixes to ausearch and things like that. Ability to get
      raw output out of ausearch, so it's in the same format as the audit
      log (no changes). You can also pipe that to aureport so you can do
      data processing.


Self tests / aide
=================
GW - Hacked on selftest, Dan has given me more of a clue about what I
      should be doing. Dan, should I do the enable function and that will
      do the check?
DW - The enable function does all the stuff we want the python stuff to
      do... Steve doesn't want people to check if the audit daemon is
      running and then sending the audit message because that pounds the
      hell out of the kernel. So there isn't an API to do that.
GW - Aide doesn't seem to return a bad return code if the check fails.
      It just reports that it did the check. Will have to parse the
      output.
JA - We should be able to fix that. You shouldn't be parsing the output.
SG - There should be some discussion about what constitutes a failure.
      If things get added or deleted, does that constitute a failure?
GW - Well, that depends on if you wanted that to get added or deleted. I
      want a mode that returns a return code that says something changed.
JA - Like --check?
GW - Yeah.
SG - We need to talk to upstream about that. Its something we just
      recently integrated. Aide itself will fire off an audit message if
      something has changed.
GW - So do I look in audit log? I want to have a return code. Parsing
      seems unclean.
SG - OK, we can just talk with the guys upstream. They might have
      overlooked it.
GW - OK, can you talk to them?
SG - Yeah, I'll talk to them.


Outstanding Issues
==================
DW - Asked about MLS constraints being removed, TCS says they are
      required.
KW - The right constraints? Seen response, but not read it in detail. If
      they are the way they are intended to be, then we need to
      understand why and we should have the documentation patched so they
      are better documented.
JL - Klaus, while you are on, for labeled ipsec, the ability to toggle
      accepting labeled/unlabeled is an LSPP requirement?
KW - Doesn't need to be a toggle, but you can't be able to circumvent.
      Toggling isn't required, but being able to do so should be there.
JL - So we do need the ability to toggle?
KW - Doesn't need to be a run-time switch. Could be boot or even
      install. But that's not very useful. If you claim to enforce, there
      needs to be a way to do that.

KW - What we don't want is to have the system accept both labeled and
      unlabeled by default. There is no requirement that you need to be
      able to weaken (i.e. accept unlabeled). Users might like it, but
      it's not required.
GW - What is the difficulty of providing the toggle?
JL - I need to post this to the mailing list.
GW - We were thinking about a boolean in the policy which would reject
      unlabeled packets.
JL - I wanted to know if we even needed to be able to do that. I'll send
      a reply to Venkat's post and ask what it would take to do that.
