08/07/2006 lspp Meeting Minutes:
================================
  Attendees

  Lawrence Wilson (IBM) - LW
  Janak Desai (IBM) - JD
  George Wilson (IBM) - GW
  Loulwa Salem (IBM) - LS
  Thiago Bauermann (IBM) - TB
  Nikhil Gandhi (IBM) - NG
  Al Viro (Red Hat) - AV
  Irina Boverman (Red Hat) - IB
  Dan Walsh (Red Hat) - DW
  Eric Paris (Red Hat) - EP
  Linda Knippers (HP) - LK
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Robert (Atsec) - ROB
  Darrel Goeddel (TCS) - DG
  Chad Hanson (TCS) - CH
  Joe Nall - JN
  Ted Toth - TT

Tentative Agenda:

Kernel update
-------------
    GW: let's get started, not much in here I think. Al, do you have any kernel
        updates?
    AV: Basically everything is in mainline. Now git tree doesn't have anything
        that is not in mainline. I am not sure about the situation with
        netlabel. Also rawhide kernel should be equivalent to lspp kernel.
    GW: thanks Al for your help on this project
    AV: no problem
    GW: we'll get to net label in a bit. I was hoping Irina is on to give us an
        update on the status of that.
    IB: I am on George, what is the question?
    GW: Al was saying that he didn't know the status of the lspp kernel
        regarding net label. Is there an update on its status?
    IB: I understand that it is accepted in -mm tree. Our developers will pull
        it in as soon as it is stable.
    GW: any idea if it will go in, and when?
    IB: CIPSO, and net label are both accepted. They have to go through the RH
        acceptance process before going in RHEL5, but I believe it is accepted.
    GW: anything you need from us or HP?
    IB: Just make sure they are stable, don't break anything. Perform as much
        testing as possible to make sure it is working right.
    PM: you mentioned that net label is in -mm tree; I know it is in Dave
        Miller's tree, not sure it is in -mm
    IB: that is what Tim Burke told me.
    GW: excellent, I will get with Fernando and see what he can test, he is
        working part time. Joy is out for the entire week on personal business.
        Ok, excellent, we are shutting down development and we can start real
        regression testing in the kernel.
    IB: we expect beta 1 to be available for partners on 22nd of August
    LK: is there a code freeze date for beta 2?
    IB: I don't remember, there is a date I just don't have a schedule in front
        of me. I'll let you know.
    GW: It is useful to know the absolute cutoff point for user space. Thanks
        everyone, we are making great progress.

AuditFS/inotify
---------------
    GW: Steve is out, last he wrote, audit user space is a work in progress,
        mainly in terms of API. I think there is one more change in auditctl but
        nothing major.

LSPP kernel issues
------------------

Audit userspace
---------------

Print
------
    GW: Matt, would you like to give us an update? Saw you had a patch out.
    MA: yeah, Tim took it in rawhide, and I believe there was another iteration
        of it as well. I am working with Eduardo in Brazil on an issue, it seems
        you can't set ranges in character devices, so I put together a policy
        file and sent to Dan to check and get back to us on that. Still have
        problems with various foomatic printers, Linda and I are working on
        that. Once that is determined there will be a patch for that and
        possibly another one for auditing. I am adding ability to audit title
        of print job, it's also worthwhile to add range of printer device to
        the audit config audit message. The patch looks like it went in the
        first beta, so it's a matter of fixing a few things and getting them to
        RH to include in the next version.
    GW: good news. thanks Matt.

SELinux base update
-------------------
    GW: The policy is probably gonna be a work in progress until we get near our
        ship date. Anything you want to tell us about selinux base Dan?
    DW: not much, I am negotiating regarding the init changes. We have a patch
        and figuring out the best way to do this. I see Janak had questions
        about policy, so I'll look into that, but I am on vacation today.
    JD: don't worry about that, I got an answer from Stephen Smalley. The other
        question is small and you can answer it later when you get back. I also
        saw that you put changes to crontab, so I'll download that and test it.
    DW: yeah, I'll be back tomorrow. crontab is running fine at least on my test
        machine
    GW: Janak, the dominance operator allowed you to transition into roles, but
        not the union of types?
    JD: Technically true, but you have to change into role to do those things.
        Automatically changing into super role doesn't mean you get everything
    GW: ok, different than what I thought, but the policy compiler didn't segv?
    JD: no, I was able to create the dominance operators I needed.
    DG: it's not the role, it's the type. the type is what you have to worry
        about.
    JD: right, so it's the type that matters.

[Later in the conversation]

    JD: We have a library interface which changes initial value of a file that
        someone can create. now there is fscreate in the /proc/self/attr
        directory, but not for sockcreate. I don't know if there are plans to
        put an selinux call for that. Are there plans for that?
    EP: I can do it, at least the user space part of that.
    JD: what type of audit record would that generate, a write to the file?
    EP: yes, I think you would test it the same way you test fscreate, they are
        basically the same thing but use a different path.
    JD: Ok, I'll let Klaus know, I think he was hoping it had a distinct audit
        record. But I'll tell him.
    EP: I don't know what the auditing will be, but it is similar to file
        labeling.

MLS policy issues
-----------------

Roles
-----
    GW: Mike Thompson is not here to complain about roles, and I have nothing
        to add on this.


CIPSO
------
    GW: we already talked a bit about this. Paul, anything technical you'd like
        to add?
    PM: Unfortunately I missed the beginning, and not sure what was said
        earlier.
    LK: someone hung up the phone accidentally, that was me :)
    PM: David Miller accepted the patch in 2.6.19, I found it is in -mm tree,
        which is better. We need to do more testing since this iteration
        includes the MLS hooks from Venkat's patch. I think I might have run
        into a small problem with the code from Miller's git tree, so I am not
        sure it is in net label patch, or something else. Also, I updated
        Klaus's policy module to allow you to run with no problems. One last
        note, I will be on vacation until end of August, so if you need
        anything send me an email, just don't expect a quick response; I will
        be back 1 or 2 days in the middle of that.
    GW: are your patches in the current lspp kernel?
    PM: no, current lspp kernel is based on 2.6.18, but when I switched to
        Venkat's patches those are in 2.6.19. There are two options, I can back
        port my patch, or Venkat's patch gets back ported.
    GW: This brings up a good question of who will do the back porting. I know
        you all committed to maintaining your code, does that include back
        porting?
    PM: well, we need to find out if Venkat's patch needs to be back ported, if
        not, I have no problem back porting my patch.
    GW: good question, who will back port Venkat's patch?
    DG: Venkat will back port his patch, he is on vacation for next 2 weeks
        though.
    LK: that's why I was asking for a date of beta 2, ideally we want those in
        there as well.
    IB: Yes, I insist they be in beta 2. I think the date was Oct 9, but we
        might pull to Oct 1. So the cutoff will be at least 2 weeks before, so
        Sept 15. I'll be talking to the person responsible for pulling in
        patches every week to see when these will be included.
    LK: also we have someone as a backup for Paul if something comes up
    GW: when Joy comes back she can help back port, also serge has some free
        cycles and can help, so let me know.
    IB: I thought people were providing Steve with back ported patches.
    LK: Yes they were, but not for the latest patches
    IB: I suggest people should provide Steve with back ported patches
    GW: Yes, this is an important point.
    LK: I think we went out of sync with the kernels of lspp. Steve is back next
        week, so we'll talk to him about that.
    DG: once Venkat's patch gets in, the net label patch should be trivial
    GW: ok, if you need help, please raise the flag


IPsec:  MLS, UNIX domain secpeer, xinetd
-----------------------------------------
    GW: not a lot to say. Steve was working on xinetd patch before going on
        vacation. there is also the SPD dump issue, I don't
        know if there is intent to address that. We have to talk to Venkat when
        he gets back to see if the hybrid approach is workable.

ipsec-tools:  SPD dump and racoon base + MLS
---------------------------------------------

Single-user mode
-----------------
    GW: Dan already talked about that, he is negotiating to get that working
        with init.

Self tests
----------
    GW: One of the reasons I came back from vacation is to work on that.

VFS polyinstantiation
----------------------
    JD: I submitted the polyinstantiation patch, and so far one comment from
        Carl for cleanup. He then said that I was following the format of the
        command, so I wasn't sure if he was asking me to change my part since
        it'll be inconsistent with the rest of command. I guess I'll have to
        check on that.
    GW: have we tried it with wrapper mail command
    JD: no, I'll test with new policy and report on that.

    GW: Ok, sounds good, any other issues anyone would like to raise?
    JN: in the mac6T6 (??) world, there is a way to read socket and get some
        attributes like id, group id, etc. There does not appear to be a way to
        do it for IP sockets. Does anyone have ideas on how to do that?
    GW: no, I think because we are concerned with MAC control, not DAC.
    JN: if we do a 1-1 mapping from SELinux and Linux context, we can maybe get
        what we need.
    CH: have you looked at something like xinetd
    JN: I was looking at that this morning. I hacked code up to see if we can
        branch the process and get the id, but that doesn't help with the
        group. If anyone has ideas, I'd appreciate it. We had a call with RH,
        and this was one of the issues we talked about.
    DW: what about using CIPSO?
    JN: it is not a sticking point, but if someone has ideas to fix this, then
        I'd appreciate it. When we talked to RH last week, they told us netlabel
        and ipsec patches are going in.
    GW: sounds like a done deal.
    IB: not 100% yet
    GW: yes, we'll continue testing
    JN: do we have test cases for IPsec
    GW: we have tests, but they are not publicly available
    JN: will they be available under NDAs maybe?
    GW: possibly, we can discuss that.
    JN: Also, we have about 20 developers now, so we might put lots of questions
        on the mailing list.
    GW: Sure, please don't hesitate to ask.
    JN: Since Chad and Darrel are on the call, I was wanting to ask if they can
        share their code for XACE(??)?
    DG: most of our fixes are to selinux extensions.
    JN: last time I looked at tree, it was against 6.8
    DG: yes, but there might be a tree out there against 7 from Allen
    JN: ok, that is more positive than what I thought.
    DG: there is more push in the community to get the framework in, once that
        is in, SELinux module shouldn't be hard
    JN: does that include window manager
    DG: no
    GW: is that gonna be open sourced, or you'll keep it
    CH: there are different parts to it, so some will be closed and open
        sourced.
    GW: in particular the Xwindow and window manager support, will that
        remain closed source?
    CH: some stuff we have out there, there is support for that
    GW: ok, so we should take this discussion off line.

    GW: ok, we are wrapping up. I will not be here again next Monday, and I'll
        put that in the next meeting note, and find someone to run the meeting.
        Thanks everyone, we are making progress and almost there.

Cron, tmpwatch, mail, etc.
--------------------------


More than 90% complete
Remaining tasks

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp