[redhat-lspp] LSPP Development Telecon 01/29/2007 Minutes
Ted X Toth
txtoth at gmail.com
Thu Feb 1 17:25:28 UTC 2007
I think there was a discussion about naming of polyinstantiated
directories that didn't make it into the notes. I don't remember all of
the details of that discussion but I have submitted a pam_namespace
patch and I'm just curious as to whether some version of it is going to
make it into RHEL5?
Ted
Loulwa Salem wrote:
> I think I confused voices in these notes, so feel free to correct me
> if I attributed something to you that you didn't say.
>
> 01/29/2007 lspp Meeting Minutes:
> ===============================
> Attendees
>
> George Wilson (IBM) - GW
> Lawrence Wilson (IBM) - LW
> Kris Wilson (IBM) - KEW
> Loulwa Salem (IBM) - LS
> Michael Thompson (IBM) - MT
> Joy Latten (IBM) - JL
> Kylene J Hall (IBM) - KH
> Irina Boverman (Red Hat) - IB
> Steve Grubb (Red Hat) - SG
> Dan Walsh (Red Hat) - DW
> James Antill (Red Hat) - JA
> Lisa Smith (HP) - LMS
> Linda Knippers (HP) - LK
> Matt Anderson (HP) - MA
> Paul Moore (HP) - PM
> Klaus Weidner (Atsec) - KW
> Chad Hanson (TCS) - CH
> Joe Nall - JN
> Ted Toth - TT
>
> Tentative Agenda:
>
> Kernel / Beta / rawhide update
> ===============================
> GW: Thank you, Paul, for the loopback fix patch.
> PM: Was Joy gonna do stress testing on that? I want to stress it is a proof-of-concept patch, so probably there is stuff missing. I posted that to spur some discussion. It won't surprise me if it breaks once you test with it.
> JL: I am hoping for good results.
> PM: I noticed other issues other than racoon. The SA in phase two: there is no directionality since src and dst address are the same. It is unusual, so I don't know the ramifications of that.
> JL: I looked at your code and it is the same places I was looking at. When I was playing with manual stuff, I only needed one SA and it didn't need direction. I had 1 SA and it worked both ways, so I think it's going to be ok.
> PM: The only thing that concerns me is sequence number and window. It is loopback, so you are guaranteed delivery.
> JL: I'll look at seq number. To be honest, I'm thinking who cares about seq number on loopback, but I'll look. I think seq number was to make sure we are not forging packets.
> PM: If there are lots of senders and receivers, what happens in that window? Will we have packet loss?
> JL: I'll look at that. To be honest I'm not sure we need to be concerned. I think seq number is optional sometimes; that's why I'm saying it might not matter. So let's just make sure.
> PM: Ok, thank you.
> GW: That's extremely good for everybody. Thanks, Paul. How is the current kernel looking?
> LS: It's good, I'm using it. I have not seen any problems so far.
> GW: How is networking?
> JL: Yes, it's looking good for me too.
> GW: With current policy and 18 kickstart, if I applied updated packages during the post install phase, the system rebooted instead of panicking, so it's good. Now I don't get a console login prompt. I'll look at that more. I don't see an AVC either. Anyone else not seen the console prompt?
> LK: I've seen that problem on ia64 on first boot, just on the console.
> PM: I think I've seen it as well.
> DW: Is there a getty for that?
> GW: There is a getty on console as far as I can tell. I'll look into it more.
> DW: 2 things to check: check the getty and check the device is labeled correctly.
> GW: Good point, since it is a hvc0.
> DW: It might be a problem ...
> GW: I'll look into that, since this is a virtual console.
> LK: If you reboot the system, it'll be fine .. that's why it's weird. I went to single user mode and it came back.
> DW: The console came back?
> LK: Yes. Also, even though you don't get a prompt, I can still log in to the system.
> JA: When this happens, is it running first boot graphical?
> GW: I don't think so. Is it even running on first boot?
> JA: Depends on your kickstart.
> MA: If it is a java console ...
> KW: I've run it on VMware and I don't see that, so I don't think it is related to that.
> LK: I'll try to reproduce.
> GW: I tried to look at AVC. On first boot you can't log in as admin anywhere, so it becomes a lot more of a pain. But we are making progress; we can reboot without panicking. Any other issues?
>
> SELinux base and MLS policy update
> ==================================
> GW: Any policy issues?
> DW: We have to find out why some of you are not able to ssh as some roles.
> KW: Seems to be related to translation; if I comment that out it works. What's happening is that it has separate categories for A and B and it combines them. It doesn't like that sometimes.
> DW: You added that to bugzilla? Cause I'll look at it.
> KW: I didn't see the bugzilla, I added that to the mailing list.
> MA: There were other categories that worked .. weren't those merged together?
> KW: It wasn't doing that with some others.
> DW: If I have two categories defined, it translates the entire string.
> KW: I think it would make sense to give a translation to each label. If it is supposed to do that, then it should work.
> DW: You still need to do it for each sensitivity, which is more than desired.
> KW: People at a lower level don't need to see higher levels. It gets translated, but other libraries don't agree on syntax.
> LK: Can someone log in with a raw context? Should they be able to?
> KW: Translation should be at the user interface level. I am slightly surprised it is using sometimes the translated and sometimes the raw context.
> DW: I'll look into it now that I have more info.
> KW: Mostly it is related to specific ones.
> DW: Library might be broken.
> KW: Might be too late to change that. I feel more comfortable if tools use the translated level all the time.
> DW: Everything should be translated to raw.
> KW: Be careful when you are testing that, because successful and unsuccessful ssh attempts look ok.
> GW: So you are advocating not being able to use translation on login?
> KW: Should be a convenience but not affect security.
> MT: What's the fallout?
> KW: ...
> DW: Maybe ssh is broken, I'll figure out what's going on.
> MT: Just for my info, going forward there was talk about defining categories, individual components but not entire context. Is that still the case?
> CH: That would be wonderful.
> MT: The permutations get big, so I see that as being useful.
> DW: Is A,B the same as B,A?
> MT: Should be sanitized. Categories are an independent listing.
> CH: Raw context has to be the same.
> PM: Question: are the compartments related to each other? If c1 c2 c7 are set, by convention they will display to the user in order.
> DW: Access decision is fine.
> KW: Currently it allows us to give a range of categories. If someone comes along and renumbers things, a tool might include things that you might not have expected. Admin shouldn't use category ranges.
> DW: I don't think you can use ranges. The only reason I say this is that the whole system would break. There is a way to translate and it can definitely use a smarter engine.
> MA: And what about changing your translated file?
> KW: Polyinstantiation uses translated labels. It is something people need to be aware of, that their home dirs may go away.
> MT: It should be changed to use raw.
> PM: There was the same discussion for s-tar. Stephen Smalley came out and said he likes translated context more than raw since it makes more sense.
> CH: It might make sense, especially if you have a different numbering schema.
> JN: Polyinstantiated dirs used to translate names ..
> JA: Do we have any translations which have / in them?
> JN: In the US government, on labels it has / all over the place.
> LK: Is there a need to have context as part of the directory name?
> MA: This came up in the last SELinux symposium.
> JA: That should give you usability, plus it is guaranteed unique.
> GW: Hashed would be safest.
> PM: I understand this is convenient, but how often is it done?
> KW: There is no reason why a security user logged in as secret can't read his unclassified dir.
> LK: If you check file level, will you get full context?
> KW: Kickstart uses level and category to set up polyinstantiation, not full context. It doesn't need to be fully unique. It's a nice thing it doesn't polyinstantiate based on user name.
> JA: ..
> KW: My gut feeling is keep it the way it is with translated format. Raw format has problems.
> JW: Right, we don't want to move everything to raw.
> KW: Especially for tools ... it would be better if they use ...
> CH: If old setrans file tried to concatenate A and B together...
> KW: There are 2 different definitions.
> CH: Translation library says there is no match, so I'll take A and B and put a comma between them.
> KW: If it uses syntax with commas I expect that to pass.
> CH: I would expect that to fail if it can't translate.
> KW: Seems it can't translate back.
> GW: Other issues?
> JL: Kylie, Lou and I saw we can't ssh as secadm .. is there a boolean for that?
> DW: There is a boolean. You can't specify to secadm?
> KH: I'll check on that.
> KW: Isn't secadm deprecated in this policy?
> DW: Might be a policy issue.
> GW: Should we expect them to be deprecated?
> KW: It is not possible for sysadm to start the setrans daemon in enforcing.
> DW: Did you run through init?
> KW: Yes. I'll send an email.
> PM: Maybe because it runs as SystemHigh.
> KH: auditadm works ok, but not secadm.. wait, I wasn't in enforcing.
> JL: sysadm only works; secadm and auditadm don't.
> DW: Ok, it should be an easy fix.
> JN: Have Joy's changes made it to the latest policy?
> DW: I put them in the latest.
> JL: I sent a patch so setkey can look at directories. I sent you a patch so setkey can't look in user home dirs for config files and such.
> DW: Where is the user likely to create these things?
> JL: I don't know where. I figured setkey should only run as sysadm, so I don't need to be looking in user directories. So I changed it to look in the sysadm user dir, /etc/ and maybe /tmp.
> DW: Ok, I saw the patch. I'll take another look at it.
> KW: Problem with setrans: if you use run_init it doesn't seem to know there are others running, so it creates another one. It seems to have a pid file.
> DW: If you say run_init status, what does it show you?
> KW: Shows stopped.
> DW: So it is not seeing the pid file. What is the label on the pid file?
> KW: SystemHigh.
> PM: What happens if you try to query if you are at SystemHigh?
> KW: I get "no such file or directory" for the pid file.
>
> PAM and VFS polyinstantiation
> ==============================
>
> ssh level selection
> ====================
>
> IPsec localhost, IPv6, 1st packet drop
> ======================================
> GW: Talked about most of networking. First packet drop is not going to get fixed anytime soon since it is a big fix. I am wondering the ramifications.
> JN: I think it is a big impact.
> JN: There was email with James Morris and he said he had a patch but it wasn't ready for prime time. He said I should use openswan. I was surprised he did that.
> JL: openswan doesn't use native ipsec either.
> CH: It does now.
> JN: He said if he didn't use pfkey semantics he didn't see it. I wasn't sure.
> CH: I think this can't be fixed .. if you use netlink.
> JL: Regardless of socket API .. shouldn't be the same.
> CH: I think we still do...
> JN: James said he had a patch which fixes blocking packet. Even if it is a 60 or 80% solution, it is better than nothing. In our solution I put a check and just make it try again, but this is not a solution for 3rd party tools.
> JA: We can put that in glibc. Obviously not the right thing to do.
> GW: If we don't do anything, the labeled ipsec solution will be useless.
> JN: I think it'll be problematic.
> CH: It is not completely useless. It does work, but just has an initial setup problem.
> GW: I think most people are setting VPN tunnels.
> IB: Is there a defect number?
> JL: I'll open one now.
> IB: There are 2 that I can see but not what you are discussing.
> GW: Joy will open a bug today. Thanks, Joy. I am thinking what is this going to mean for certification.
> JL: It will be problematic.
> SG: What we need is to get a bug open and I'll get that to kernel managers and see who we can get assigned to it.
> JL: Ok, I'll open a bug now and mail the number on the lspp list.
> GW: Is there some hope that we can fix this for cert?
> JA: If we have to, we can input that in glibc.
> SG: Not sure they would let us do that though.
> JA: Yeah, just if we have to.
> SG: Start with a bug and I'll talk to kernel managers. Once we have an estimate we'll decide.
> LK: Are you going to open a bug for no prompt on first boot, George?
> GW: Yes, I wasn't sure at first if it was a real bug.
> JN: I think this packet dropped discussion is good.
> LK: What kernel are you running, Joe?
> JN: We have .63 and a hacked up version to make racoon work with localhost.
>
> Self tests / aide
> =================
> GW: I've done nothing since last week. Been trying to get runcon transitions to work, not able to get that to happen from python.
> MA: Is runcon supposed to work in mls policy?
> GW: It should if you give it sufficient policy. Another process is to have processes running at high and low beforehand.
> DW: It would work if you are changing your policy. So it runs on the command line, but not in the python?
> GW: I get invalid context ..
> DW: How are you doing exec in python?
> GW: os.system
> PM: I wonder if that invalid context is the cause of your problem.
> GW: I can do it on the command line ..
> PM: Wonder if you are getting bit by that translation problem.
> MA: You are using system high and low, right, not messing with weird combinations?
> GW: Yeah .. I think if I give perms to use everything, then it should have permission.
> PM: Does python have its own domain?
> DW: No.
> LK: There was some stuff on selinux about python recently.
> GW: The fact that it says it can't write to /tmp file is weird.
> JA: Is that on ..
> DW: Is python throwing an exception?
> GW: No, it is what gets put on stderr. I feel it is coming from runcon.
> MA: Is your runcon still bin_t?
> CH: Further testing of translation .. it seems A,B doesn't translate backward... there is an old definition where we had the compartment problem. It seems the translation daemon had smarts in it to make A,B valid.
> KW: There are 2 things: AB is a specific translation, which is not a good idea if you have to define each combination. Second issue is in forward it translates A,B but in backward it can't translate; I expect them to be reversible.
> GW: Anything else? Ok .. we'll adjourn. I'll post self test results, see if anyone sees any issues. Thank you all.
>
> Cron
> ====
>
> Bugs / remaining tasks
> ======================
>
> Final cutoff date
> ==================
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>