07/17/2006 lspp Meeting Minutes:
===============================
Attendees
Janak Desai (IBM) - JD
George Wilson (IBM) - GW
Loulwa Salem (IBM) - LS
Debora Velarde (IBM) - DV
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Thiago Bauermann (IBM) - TB
Eduardo Fleury (IBM) - EF
Fernando Medrano (IBM) - FM
Nikhil Gabdhi (IBM) - NG
Al Viro (Red Hat) - AV
Irina Boverman (Red Hat) - IB
Dan Walsh (Red Hat) - DW
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Robert ... (Atsec) - ROB
Darrel Goeddel (TCS) - DG
Chad Hanson (TCS) - CH
Corey .... (TCS) - COR
Venkat Yekkirala (TCS) - VY
Joe Nall - JN
Lenny Bruzanak - LB
Tentative Agenda:
GW: Steve won't be joining today, he is in a plane during this meeting.
LK: Also Amy is finishing up a few things before she leaves to OLS, so she
is not coming. If we need her then I'll go get her.
GW: Ok sounds good.
Kernel update
-------------
GW: looks like .45 kernel is not a good kernel.
AV: Considering Linus won't be back for a while, it won't matter. Amy posted
several fixes last week. I did a patch doing lazy audit stuff for
situations when we have no rules at all. I sent to Steve, and when he is
back, will get it in new kernel. That's about it.
GW: So hopefully we got everything close to completed
AV: All pending stuff is manageable. As soon as Linus is back we'll feed it
to him.
IB: is it still 2.6.18?
AV: 2.6.18 does not exist, we have rc2. It is manageable in this cycle; some
outright fixes; some performance fixes.
GW: that's good news .. so the major outstanding feature is still
networking. Hopefully Venkat is close to getting ipsec patches done. We
still don't know the final decision on CIPSO. Hopefully these are all
the major issues to complete. We will get a new kernel when Steve gets
back.
IB: maybe sooner.
GW: That would be great if someone can get that out this week with updated
ipsec patches with networking in at all. Any issues with kernel -1?
we've been testing on it as well.
AuditFS/inotify
---------------
GW: anything on audit. Amy put in bug fixes.
LK: she submitted three bug fixes.
GW: Ok, great. We'll continue running audit tests to make sure there are no
problems and we did not regress
LSPP kernel issues
------------------
Audit userspace
----------------
Print
------
GW: Print, I saw the patches that Matt sent out. Anything you need to tell
us on this Matt?
MA: I sent out a patch; it works for me on MLS rawhide, but we are having
problems internally testing it on targeted.
LK: yes, I am running MLS and it is not working for me.
MA: We noticed the trailing of banner page has dropped out of this patch.
Also Lisa pinged me to add the audit failure case functionality. There
will be a re-spin of cups patch later this week once we find out why it
doesn't work for Linda. also a new one that works with "paps" package to
remove dependency. Hopefully we get something to work for people.
LK: needs to be before Thursday.
IB: better by Wednesday.
KW: need to be careful that even if "paps" is in rawhide, it might not be
picked up by rhel.
MA: thanks for bringing that to my attention Klaus, I'll check on that.
GW: It's a good idea to stop development. Irina wants us to stop by
Wednesday.
IB: Freeze is on Thursday. so we just need to make a push and finish
quickly. Are self tests part of rhel5?
GW: should be part of the certification.
IB: I was more concerned about user space packages.
GW: how easy is it to inject bug fixes. In case we need to fix print after
the freeze date.
LK: I think it's close. it works for Matt, but not me, it's probably
something small and we'll find it. if people want to try it it would
help to figure out if it is just Linda or if it is something different
in Matt's configurations.
DW: Besides cups stuff, I updated some policy to allow cups to run.
GW: thanks Dan.
MA: great news Dan, thanks. The stuff I sent you earlier, is now out of date
with the new changes. so if you can get the updated info please.
DW: most problems I find is lpr command being prevented to run by normal
users
MA: the issue around run init is that lpq wouldn't work from there.
DW: I put a lot of fixes for that, I'll continue work and have it done
tomorrow.
Device allocation
------------------
GW: Linda, Klaus, and Casey brought up idea that device allocator is more
relevant to print. one of the big push back Dan is getting on it being a
trusted program, and there is no need for it to be trusted if used by
regular users. Are people ok with it being not trusted.
KW: it can be a trusted but not privileged (ie no setuid, or MLS
privileges).
CH: We want it.
MA: if we get rid of dev allocator and have admins manually setting things,
we would lose audit records.
CH: yes it is a requirement, who allocates devices.
LK: George was looking for ideas of what else it can be used for
CH: we use it for user devices, CDrom for example as well
KW: I don't know why you would need that. you need an admin to do that, not
a user
GW: wouldn't it need the ability to mount
DG: mounting devices doesn't work, ideal goal is yes. You allocate the
device and mount it
KW: if anybody can write secret data to a floppy and it gets relabeled as
unclassified it's a big hole
DG: not any user, only users allowed to access the device
CH: there is a user logged in, and they want to do something and they
allocate that device
GW: but that is for work stations
CH: you are claiming that there are normal users logged in to the server. if
there are cases for users, then they might need access to media devices.
GW: if you have it mounted...
CH: You can also tar the device.
DW: the push back was because people prefer to have some interaction with
HAL.
DG: there are ways to not have it setuid.
DW: right now with HAL, you stick a usb and it gets mounted and unmounted to
the user; obviously you can't do that with lspp. but if there is a way
to communicate with HAL, that would work for us.
DG: we'll look into that. It needs ability to relabel somehow as well.
LK: doesn't it need setuid to audit
DG: right, good point Linda. We need it to audit as well.
GW: we decided to disable HAL after bootup
DW: You need to just disable mount, unmount only
GW: I believe we are shutting it off completely right now, Debbie correct me
on this.
DV: Yes, we are shutting it off completely after boot.
KW: there are some features that can be useful in workstation environment,
but they don't need to be used in certification.
GW: we initially thought that users don't need to be able to mount/unmount
devices, so this is late change in the game. Maybe we can have
configurations to set up this. Is it too late to consider these changes
Dan, or Irina. this doesn't seem like something we can get done by
Wednesday.
LK: Klaus mentioned that it can be included, but it doesn't need to be in
certification. If we make a change now, I am thinking I need to update
HLD, LLD, new test cases.
GW: Yes Linda, exactly what I am thinking.
IB: There are exceptions, but there are so many exceptions we can process
and still maintain schedule.
GW: yeah, so how important is it Chad.
CH: we can continue to work on it, and send it upstream, so it probably
doesn't have to be there at first, and we can just send it there.
GW: it isn't useful unless it is setuid and can audit. Well not necessarily
setuid, but there are ways to move around that; it needs to do some sort
of type transition to be able to relabel.
DG: the audit requirement is biggest for lspp.
DW: it doesn't limit it to admin, you can't have unlabeled data exported to
labeled device, or labeled data to unlabeled device.
GW: if we can meet requirement, and not have it integrate with HAL, then
maybe Dan doesn't need to waste cycles on it.
KW: I think it is not helping to have type environment. if it is something
you can support yourself as you need then it is one less thing to worry
about for rhel5. I think the action involved can be audited at syscall
level.
GW: so if syscall audit will meet requirements, then is that Ok.
KW: what you are talking about is actually doing changecon, and setattrr
which creates audit records that should have the info we need already
GW: So are we telling Dan not to waste time on it ..
KW: in my opinion it is not needed to have it
DW: I agree, but I like to see it integrated in the future.
CH: we will keep it in sourceforge and keep it updated.
GW: ok, we reached consensus on that
SELinux base update
--------------------
GW: Anything for selinux Dan.
DW: I already talked about playing with cups stuff. there are fixes in
tonight's package. we should be releasing trouble shooter by Thursday.
The whole idea is to make selinux easy to use.
MLS policy issues
-----------------
GW: Any mls policy issues. Mike Thompson is one that seems to run into them
KW: considering we are heading to deadline, it would be nice to have the
policy pieces for networking loaded to the redhat package to have
consistency.
DW: if anybody needs updates get them to me and I'll get them into beta2
DG: I found issues, if you log in to terminal console, it will not allow you
to change password. it needs to be able to edit shadow.
DW: should be going for pam to do that, if you get any AVC messages, then
please send them to me
GW: Also the issue of the mix of 32 and 64 bit packages. This wasn't case in
the past, we brought it up with steve, but there was no resolution. Dan
you might help there. Seems if you installed, you got both 32 and 64
packages
KW: The critical issue is that pam for example has binaries and libraries
overwriting each other without warning or check to make sure a complete
set is left.
DW: ok, I'll get on that.
KW: we can have one set of the executors outside of PAM. the pam tally
functionality stopped working completely because they use different
modules
LK: sounds like a good candidate for bugzilla.
DW: ok, I'll handle it that way, that will be a bug fix.
GW: I'll take action to write bugzilla today.
Roles
------
GW: I think those are more crisply defined right now.
DW: there is an update where upstream maintainer is working on so that it is
easier to assemble a role.
GW: how hard is it now?
DW: not too hard, the code is large, and it is a matter of breaking it up.
we are making it modular
LK: we did have this open issues how to create new roles based on old role.
We reached consensus on technical part of solution.
IB: we need to make sure we all agree on solution
KW: I think we need to involve David O Brian who is updating the security
target.
LK: We wanted to combine security guide with selinux guide, which sounds
like a good idea.
GW: so we need to hear back still
IB: yes
KW: which reminds me, do we have initial documents to go along with the
betas.
IB: we do have some. I'll talk to him to make sure we have some drafts. I'll
make sure to post drafts.
MA: one more thing about roles. if we can maybe get something into bash
around that, it would be useful for people.
GW: I think James Antel was working on that
DW: The worked on application to show that, he was working with bash
maintainer to get that in. not sure what happened with that. I actually
have a bash script to show me what role I am running. it's simple to
execute, it executes id -z to show me
MA: Ok, it is simple, but if we do it so many times, it would be worth to
have it as a script
CIPSO
-----
PM: not a whole lot since last week, did performance testing, and posted
results; consensus was positive. Nobody seemed to complain.
VAL: I replied, but there is one number I can't explain. We are chewing
resources there, I'm almost positive it's in the loops where we are
tearing and putting bitmaps together.
PM: I think it is good enough for first round. I'm happy to leave it where
it is until I hear anything. I pushed the netdev patch out. I got some
comments from James Morris and I put those in and sent it out again. I
don't think I'll hear anything since all are busy with kernel summit.
The issue is that the lspp kernel is based on 2.6.17, but the netdev
community is expecting it on 2.6.18.
GW: hopefully we get a new kernel soon
PM: once things settle for a bit, maybe I can maintain two sets of patches
for netdev and lspp.
IPsec: MLS, UNIX domain secpeer, xinetd
-----------------------------------------
GW: there are patches for IPsec, and it is better. Any word from Venkat.
VY: today I have patches out. haven't heard back from Joy or Fernando about
any bugs. they mentioned a udp issue, but haven't heard anything.
GW: I believe it was a configuration issue, but Fernando is here
FM: yes .. all passed now. you suggested we run tahi, I had some delays
caused by setup issues, but they are being run as we speak
GW: joy, how is performance testing going?
JL: they are going good. Is CIPSO automatically enabled in lspp. I run on
machines with fedcore5, I noticed that when I introduced the fc5
machine, I got msg from cipso, I got message about "admin prohibited"
whenever I try to send a package. I am on kernel .44.
PM: cipso is enabled by default.
JL: when net performance sent that package I immediately got that message
from the .44 kernel.
PM: you know if there was an ip option set.
JL: I didn't, but that is what I was gonna do next
PM: ok, look at that and post anything you find out.
JL: I didn't realize that CIPSO was enabled.
PM: I am not surprised cipso is responsible.
JL: I disabled ipsec just to make sure it wasn't what was causing this, and
still got the same issue.
PM: take a look and see if there is an ip option.
GW: so tests have been running and you have not seen problems.
JL: I had some base policy changes, and I'll send to Dan to see if they make
sense.
DW: I got to drop off right now, anything you need added, please send to
me in email.
ipsec-tools: SPD dump and racoon base + MLS
---------------------------------------------
GW: we still need a fix to the SPD dump for the certification, I haven't
checked if it made it.
Single-user mode
-----------------
GW: I meant to remove this
Self tests
-----------
GW: I'll get back on that.
VFS polyinstantiation
----------------------
GW: Janak, anything
JD: nothing new, pam namespace is upstream. been playing with loadable
policy issues. Concern is that I didn't send anything to cron
maintainer, I'll see if someone can ping the person holding on the vixie
cron. I emailed him when I heard he is doing it to see if I can help.
KW: if pam namespace isn't in rhel5 already, should we do a bugzilla to make
sure we don't leave it out.
JD: I'll check on that
KW: also amtu is missing for rhel5
GW: how do we want to track these issues
IB: we can track these issues in bugzilla.
GW: ok, so we will be opening bugzillas
IB: please keep me updated to make sure they are handled. There are 2 more
entries, for kernel and user space, also one of ipsec. there are bunch
of entries.
GW: we will start opening bugzillas, and you want us to CC you on them
IB: yes, also if you put in the header lspp, we can search on that.
GW: anything specific for format.
IB: I'll just search for keywords in case people don't copy me on bugs. We
had a specific kernel feature of concern, we need to get rid of tux on
computer.
KW: make sure it doesn't get autoloaded
CH: there is a kernel module black list, not sure what it is.
DG: can't you do something with modprobe, way to turn modules off.
IB: as long as they don't have dependencies.
KW: also might be nice to disable kernel keyring as a module.
GW: that one we may have to permit for admins.
KW: We only need bug fixes.
GW: it's only a policy changes.
Cron, tmpwatch, mail, etc.
--------------------------
Kernel features of concern--tux, hypfs
---------------------------------------
GW: some of these other features like keyring, config filesystem, we need to
keep if users can use them. We need to make decisions about those late
breaking features. Is there way to disable tux? there is a module in
rhel5 alpha.
MA: can you look in /etc to see if there is a modprobe -d.
LK: is that a question we have for RH, which packages are gonna be included.
GW: we really need to narrow that list of packages down for lspp. we may
want to have separate meeting to go through the package list.
GW: we'll exchange mail on this. if we see something missing now we need to
keep track of it
KW: can you post it (the list)
IB: I have to check with project manager.
GW: we can maybe exchange it through email.
IB: we need to find out who will participate in this discussion.
LK: I want it
GW: klaus, and me would like to see it too
ROB: me too please.
IB: ok, I'll see if I can post it
LK: when is rhel 5 beta available
IB: the freeze is this Thursday.
LK: is there a target date?
IB: there is, I just don't have a schedule in front of me, but it should be
really soon.
GW: ok, any more issues? Alright everyone, we'll adjourn.
More than 90% complete
Remaining tasks