01/08/2007 lspp Meeting Minutes:
===============================
  Attendees

  George Wilson (IBM) - GW
  Kris Wilson (IBM) - KEW
  Loulwa Salem (IBM) - LS
  Debora Velarde (IBM) - DV
  Michael Thompson (IBM) - MT
  Joy Latten (IBM) - JL
  Kylene J Hall (IBM) - KH
  Irina Boverman (Red Hat) - IB
  Steve Grubb (Red Hat) - SG
  Dan Walsh (Red Hat) - DW
  Eric Paris (Red Hat) - EP
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Amy Griffis (HP) - AG
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Chad Hanson (TCS) - CH
  Joe Nall - JN
  Ted Toth - TT


Tentative Agenda:

Kernel / Beta / rawhide update
===============================
    GW: let's start with the 1218 beta. can we talk about that?
    SG: I suppose.
    GW: Ok, it's been a pretty good build so far. The bad news is that not all
        our features will make the final build, release candidate and GA. Steve,
        can you give us a rundown of what did not make it?
    SG: sure, 2 patches from Paul about netlabel. Also a bug open for ppc and
        syscalls and one more bug that I can't remember now. Well, we knew all
        along that we might have to carry kernel and selinux policy packages but
        wanted to minimize the packages we had to do that with. We are still
        fixing things and will end up carrying a few around
    AG: what is the state of user space stuff? is that in?
    DW: yes
    SG: we might be able to squeeze a few user space things in today and tomorrow.
        but by Friday it better be critical. we will carry any packages we need
        in a separate repo if we have to
    GW: as you said we knew that all along, and we wanted to carry as little as
        possible. Is the newrole patch the tty labeling patch?
    DW: yes that's it
    GW: great, that will make the system more usable. We didn't get much run
        time, but the 18 build with .60 kernel is pretty good
    SG: Eric gave me the .61 kernel.
    GW: ok, we still need to continue testing and continue writing bug reports
    IB: continue following bugzillas also
    GW: so no change in process, except changes won't make it into GA
    SG: I will restructure lspp repo so that I have room for other packages.
        Right now, I carry ppc64 and ppc64-iseries, are both of those used?
    GW: we don't need the iseries one.
    SG: ok, I'll clean those up. Is there anything else there I can delete, is
        the x390 still tested?
    KH: yes, we are using it
    SG: ok then, so I'll drop to carrying 2 versions instead of 3 to make room
    GW: that sounds fine
    LK: we can all keep our own local copies if we needed to.
    SG: I was trying to keep a few around for regression if we needed to
    GW: So what I am gathering is that we need to get any userspace fixes in
        pronto.


SELinux base and MLS policy update
==================================
    GW: Dan, any selinux and policy issues?
    DW: mainly good news. I am building packages as we speak. I got all the
        stopper bugs fixed in there. main changes are .. Paul Moore and I came
        to a conclusion about netlabel. basically deciding on which domains can
        or can't use netlabel. all the other bugzillas are fixed. Klaus, there is
        a bug on ybin not working, is that still true?
    KW: I am not aware of that.
    GW: there is another Klaus .. This was opened by Klaus Kiwi.
    DW: I wanted to know if it is fixed or not
    GW: you are talking about RH issue tracker 109965.
    DW: other than that, there is a discussion about cron .. I believe we have a
        misunderstanding on how polyinstantiation works. The IBM tester is
        trying to run cronjob on systemhigh and put "id -Z" output in file to
        check they have right context. When using polyinstantiation, to check
        the file, they su, so you get a different namespace, and the cron job
        runs in another namespace so you get a file in a different test output
        directory, which is really how polyinstantiation is supposed to work. To
        get it to work, maybe you make the test write to a non-polyinstantiated
        directory. Also newrole works fine. ssh selection of roles works, Thomas
        put a fix to let ssh do that. to me those were the big issues that were
        outstanding
    KW: active level selection does not work. but works with label network on.
    DW: you cannot select role if not using labeled networking
    KW: yes .. then you will not be able to ssh to whatever level you need
    DW: and then newrole won't work
    KW: there is a feature that says to ssh to a user @host
    DW: that was put in many years ago and not sure if it is being maintained
    KW: good idea if labeled networking is not working, but code seems to not be
        working at the moment.
    DW: I don't know if that patch still exists
    KW: it is there, but it seems to get a null context from selinux
    DW: so if patch is there, I can go debug it
    KW: yeah .. it is there but it gets a null context. I think it needs an
        extension to accept level as well
    DW: btw, bugzilla on ybin is 220598
    GW: anything else with respect to policy?
    DW: only thing is I got strict policy working again over the holiday. I've
        been running it, and I fixed many problems .. hopefully we had more
        runtime. at least TE problems will be fixed
    LK: is that in RHEL5
    DW: yes that works. for strict policy, you really need to know what you are
        doing to get it working. for example it will lock your mail client
        ..locking down userspace is not easy
    GW: is policy going to freeze when code freezes
    DW: no, policy will still be fixed. usually we are adding permissiveness
        than taking away functionality, so that should be ok.
    GW: great because I imagine we will find more policy bugs


TTYs and newrole
================
    GW: newrole patches are in and hopefully make the system more usable, not
        sure if anyone tested them
    LK: I am running it and seems to be working fine
    GW: great, thank you.

PAM and VFS polyinstantiation
==============================
    GW: any pam and level selection issues. when Dan looks at the level
        extension patch with ssh that would be good
    DW: conclusion is that ssh doesn't know about it
    KW: when you run pam session code, you don't have pty, so sshd needs to know
        in order to label the pty it creates. I think it would be nice to revisit
        this code so they agree on who does what in this process.
    DW: the patch you talked about is also good for scp-ing as well.
    KW: things get even more fun if you have polyinstantiation turned on


CIPSO
=====
    GW: Any cipso issues Paul?
    PM: other than the fact that we decided to take cipso off agenda, before
        things blew up. everything is under control. I think all patches I
        pushed out last week are good. some of the patches are not gonna make GA
        as Steve said. Other than that we have policy changes in there, so we
        are in good shape

IPsec
=====
    GW: how's ipsec Joy?
    JL: I posted an email about loop back to start a discussion, the other
        biggest thing, if you enter a single ipsec policy, you can no longer
        send or receive packets. I was wondering if there is a bug there. Also,
        I tried Dan's toggle in upstream kernel and that worked fine. I am about
        to send latest policy out. I think that's it. I'll alert Chris when I
        send it so he can review it.
    SG: what was the outcome of testing with local host. did we get labeled
        networking working?
    JL: that's not working. The whole issue is that racoon can't negotiate with
        itself. you can set manual SA but racoon can't do that on loopback. I
        queried ipsec tools mailing list and the answer I got is that "we were
        never able to do this"
    SG: does it need to? maybe because of localhost there was no need to
        negotiate a key. it may have not been designed to do this, now that we
        use it for different purpose, might be something it needs to do
    GW: I guess you can't hard wire it.
    JN: your local ip address gets handled different than remote machines
    KW: applications are going to break anyway if first packet gets dropped
    JN: first packet gets dropped since it is negotiating the SA
    KW: it returns an error so the connection doesn't try again
    EP: if you do 127.0.0.1 or local host you get the same thing?
    JN: localhost, 127.0.0.1 and whatever your ip address is, it won't
        negotiate. As long as there are two racoons it works
    EP: so it is not the ip address, it is that racoon can't talk to itself.
    SG: we might need a mode to do this
    JL: has something to do with keying material. somehow it creates same keying
        material when negotiating with itself
    SG: I think we need this to work though
    GW: I think we all agree with that, but will need work on racoon
    KW: it is acceptable if we had restriction on localhost, but it is not
        practical. you can use cipso on localhost and ipsec on outside
    GW: we said we were not going to mix them a while back
    KW: and I am not sure if it is easy to separate them clearly
    JN: need a consistent socket semantics. if there is a way to bypass racoon,
        that is fine. the applications don't care how it works as long as it is
        consistent
    SG: maybe something we can patch the kernel to do
    PM: the kernel patches, don't you want them to be upstreamable Steve?
    SG: yes
    PM: well, I think the stuff they are talking about were not accepted before
    SG: I think we can explain to them what it is needed, and maybe they'll
        accept it
    JN: Paul, had a question for you. In netlabel, I think there is short
        circuit code that says you are on local host, can you beef that up to
        fix this problem?
    PM: there is really no short circuit code, it just works on local host. this
        is something on my agenda, but whenever I mention that I get push back
        from James Morris. David Miller has gotten more receptive to networking
        patches, but I doubt he will accept additions to skbuff. adding fields
        is not going to happen, they already let one in for secmark and doubt it
        will happen again.
    CH: they did that cause they agreed ..
    SG: we need to have discussion to see how we can fix this problem.
    JL: did you say it was ok for loopback to bypass racoon?
    GW: we are thinking of ways to do this. maybe easier to just patch racoon
    JL: maybe we can add policy to racoon to bypass ipsec
    GW: we need it to do the labeling though
    JN: well, I think you are on a good path. can you go into a mode where there
        is no keying at all
    GW: that's what you use to look up the label, you will have to do that
        negotiation and pass it to kernel.
    JL: if we wanted to do ipsec and don't need to have a label ..
    GW: but we care for label, just don't care if it is encrypted
    PM: you need an SA negotiation ..
    GW: so either hack in kernel or racoon. Chad, not sure if Venkat has any
        thoughts on that
    CH: he hasn't really talked about this, we've been working on other stuff
        with ipsec.
    GW: can you share
    CH: we shifted temporarily to open swan . it has better key support since
        ipkey tools were denying ...
    MA: are you still using secid passes in kernel ..
    CH: we will have a small patch to do that, not sure we figured out what it
        is... to address the issue with not being able to add to skbuff ..
    GW: sounds like you guys are throwing up your hands
    CH: we decided to drop it since we were not getting any agreement. so yeah
        we sort of did .. we hope for everything to get in there, and we got
        a lot in there but not quite the finish line.
    GW: some people liked the secid reconciliation patches ..
    JN: we are still stuck on .51 since it worked.
    CH: we can try to use something small, but it is not upstreamable
    SG: Fed core 7 is open for business. for evaluation we agreed some stuff
        can't be done, but we said some work can go into future versions
    PM: I think everyone is busy on evaluation, and work will pick up once it
        wraps up
    GW: I agree, getting through certification will absorb us. but I also agree
        with Steve, to see a whole solution go upstream
    SG: for FC7, we can get secmark and ipsec stuff. some of our people are
        getting freed up that are ready to get working at these things even
        though we are busy with lspp
    GW: if you have resources, it would be good to have our networking solution
        pushed in.
    CH: we will be addressing some of these issues as well once some product
        cycles are through
    SG: I guess some other time we will have conversation on what to do about
        this in long term. just keep an eye up for secmark stuff in case it
        turns out it will make problems
    GW: we might want to carry a list of future items so we don't lose them.
        just like Paul said, we will be absorbed with lspp
    SG: how long will you be tied up, when would be a good time to talk about
        future work?
    GW: our time line is on the NIAP site and I think we won't have resources
        free before evaluation
    SG: so that will be FC8 development cycle
    CH: we might talk about it again in march
    GW: that would be a good venue Chad
    JN: I got a bit confused maybe, does that mean no one intends to work
        out issues for localhost for rhel?
    SG: oh no, those are 2 different issues
    GW: we will have patches to fix these, but there is a list of future items
        to make sure we have complete upstream solution. That was our goal and
        still is, mainly for maintenance reasons. Anything else?



xinetd
=======
    SG: Paul was mentioning having cipso pulled off the agenda. xinetd can be
        pulled off as well, but if you can add the localhost issue so we don't
        forget about it.
    GW: sure, adding it now

Self tests / aide
==================
    GW: I didn't do any work on it over the holiday. I'll try my best to work on
        it this week. I am trying to work on some policy for that. I might need
        some policy to get runcon working to be able to do the BLP test. aide is
        working fine though
    DW: what are you trying to do?
    GW: I am trying to change to lower context so that I can try to read up. I
        can write and give them their own policy. I created a policy for self
        test based on aide's policy and I need to get that domain access to
        runcon
    DW: instead of using runcon, I try to use a shell and label it, not sure if
        that helps you or not. which domain are you trying to get into .. or are
        you just going from Systemhigh to low?
    GW: yes, systemhigh to low, but I ran into TE rules issues
    DW: you can do something with newrole.
    GW: I am trying to do something that shouldn't be easy to do but an admin
        should be able to. when I get stuck I'll catch you on IRC, Dan
    DW: sure


Cron, tmpwatch, mail, etc.
==========================
    GW: For cron, I think our tester was mis-configuring things slightly, so
        things should be working better now after clarification
    DW: Don't try to write to the test directory, maybe write to a new directory
        that is not polyinstantiated.
    KW: or be the same user as the test when you check the file. We can take
        that off line

Bugs / remaining tasks
======================
    GW: kernel is locked down and user space will be locked down soon.
    SG: If there are major bugs we will incorporate fixes; privilege
        escalation, and data corruption qualify. should cron be taken off
        agenda?
    GW: sure if it is working now
    SG: what about the mail with cron, any one tried that?
    GW: someone added -m flag, but not sure if anyone tested it
    KEW: Camillo is trying to figure out how to test it. is it still in then?
    GW: yeah, we are trying to use it
    KEW: I think he is trying to see an example on how to use it ..
    GW: ok, I'll talk to him. Anything else
    DW: selinux-policy.24 is out on people.
    GW: ok, we'll adjourn. let's keep testing and writing bugs. thanks everyone

Final cutoff date
==================

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp