03/26/2007 lspp Meeting Minutes:
===============================
  Attendees

  Lawrence Wilson (IBM) - LW
  George Wilson (IBM) - GW
  Kris Wilson (IBM) - KEW
  Loulwa Salem (IBM) - LS
  Michael Thompson (IBM) - MT
  Joy Latten (IBM) - JL
  Kent Yoder (IBM) - KY
  Klaus Kiwi (IBM) - KK
  Irina Boverman (Red Hat) - IB
  Dan Walsh (Red Hat) - DW
  Eric Paris (Red Hat) - EP
  Lisa Smith (HP) - LMS
  Linda Knippers (HP) - LK
  Amy Griffis (HP) - AG
  Matt Anderson (HP) - MA
  Paul Moore (HP) - PM
  Klaus Weidner (Atsec) - KW
  Chad Hanson (TCS) - CH


Agenda:

                 General Issues
                 Bug Discussion

Repo: http://people.redhat.com/sgrubb/files/lspp/

RHEL 5+ Packages:

                 acl-2.2.39-2.1.el5
                 audit-1.3.1-3.el5
                 audit-libs-1.3.1-3.el5
                 audit-libs-devel-1.3.1-3.el5
                 audit-libs-python-1.3.1-3.el5
                 cups-1.2.4-11.6.el5
                 cups-devel-1.2.4-11.6.el5
                 cups-libs-1.2.4-11.6.el5
                 cups-lpd-1.2.4-11.6.el5
                 ipsec-tools-0.6.5-6.2.el5
                 kernel-2.6.18-8.1.1.lspp.70.el5
                 kernel-devel-2.6.18-8.1.1.lspp.70.el5
                 kernel-doc-2.6.18-8.1.1.lspp.70.el5
                 libacl-2.2.39-2.1.el5
                 libacl-devel-2.2.39-2.1.el5
                 libselinux-1.33.4-4.el5
                 libselinux-devel-1.33.4-4.el5
                 libselinux-python-1.33.4-4.el5
                 mcstrans-0.2.3-1.el5
                 openssh-4.3p2-20.el5
                 openssh-askpass-4.3p2-20.el5
                 openssh-clients-4.3p2-20.el5
                 openssh-server-4.3p2-20.el5
                 pam-0.99.6.2-3.17.el5
                 pam-devel-0.99.6.2-3.17.el5
                 selinux-policy-2.4.6-45.el5
                 selinux-policy-devel-2.4.6-45.el5
                 selinux-policy-mls-2.4.6-45.el5
                 selinux-policy-strict-2.4.6-45.el5
                 selinux-policy-targeted-2.4.6-45.el5
                 vixie-cron-4.1-67.el5

                 lspp-eal4-config-ibm-0.21-1
                 rbac-self-test (TBD in config RPM)

Tracker Bug: 
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041

Query: https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&[EMAIL PROTECTED]&order=bugs.bug_id

    GW: while we are waiting, has anyone been able to get aide to run from
        command line as any role or level? I get a policy TE violation. I'm
        thinking I'll send patch to maybe fix that.
    PM: is there a chance I can get copy of .47 policy?
    DW: it is on my people page now and when Steve gets back I'll ask him to put
        it on his repo page
    PM: I'll try to verify the bug about netlabel
    DW: Loulwa tried it
    LS: It didn't work for me .. I still see the same error and get that
        SELINUX-ERR record.
    DW: try to reinstall it
    LS: the policy?
    DW: yeah .. force install it to make sure it loaded correctly. I don't see
        this behavior on my system
    GW: I need to ask Steve about success case audit record for self tests. I
        am using ANOM_RBAC_FAIL record type, even in success case, but that
        doesn't make sense... if anyone has ideas or if we need to add one more
        type.. Any other comments on self tests are appreciated, I made changes
        to them and I know they are not perfect, but need to get aide working
        for them to succeed
    DW: generate policy module and load it, see if it works
    GW: exactly, I need to do that and send you a patch. once I get comments for
        that I'll work with Klaus to incorporate it into his spec file and put
        it in KS config. This will be one of final pieces. We are looking good
        in .70 kernel. Looks like we have soft lockups ...
    LS: yes.. I saw it after trying to execute an semanage command to configure
        our ealuser, when I was talking to Dan on IRC.
    GW: looks like we made good progress ... but the soft lockup issue is not
        put to rest. if folks can run stress that may help recreate it. if that
        is problematic, we might have another fix. should Loulwa open a bug or
        append to existing bug.
    IB: append it to the same one if you think it's the same
    LS: I don't think it's the same.. the bug I was verifying when this happened
        is related to netlabelctl.
    LK: what arch are you seeing this on?
    LS: ppc
    LK: there is a bugzilla that Eric was working on that he decided it might
        have been related to debug option being on x86_64. It solved my problem
        .. that's why I was asking about arch .. but the issue you are seeing
        sounds different
    LS: I'll just add to it. Linda do you know the bug number?
    LK: 231392
    LS: thanks
    GW: any other general issue we need to discuss, ok let's go through the bug
        list

Bug List:
218386 nor nor pow [EMAIL PROTECTED] ASSI LSPP: labeled ipsec does not work over loopback
    JL: working on it right now ..
    GW: do you have ETA
    LS: on Friday .. but hopefully before
    GW: so the 30th.

223840 hig nor All [EMAIL PROTECTED] ASSI [LSPP] getfacl fails to correctly display all information...
    KK: fixed
    GW: can we close it
    KK: yes
    KW: there is package that is on Steve's page, assuming we get final package
        similar to that one. If RH is going to exclude any patches from the
        package, I ask that you please let us know .. so far now we are assuming
        all packages on lspp repo will be part of the certification
    IB: can you test it and add comments and say you tested it please
    KK: yes .. I can

225328 nor nor All [EMAIL PROTECTED] ASSI LSPP: ipsec drops first packet when using IKE daemon
    JL: I sent patch Friday evening to Dave Miller and he sent reply back that
        he will look at it. I have not heard back from him. but I tested with
        that patch and didn't see double SAs anymore. I'll use that in case he
        likes it.. for now I am waiting on feedback
    GW: do you know when that will occur
    JL: no, he said he had some ipv6 stuff to do then he'll look at this..
        hopefully today or tomorrow.
    GW: if you don't get feedback we need to follow up
    JL: I'll ask Eric to ping him then .. [Eric joins]. Eric can you ping Dave
        Miller if I don't hear from him in couple of days.
    EP: yes ..

225443 nor nor ppc [EMAIL PROTECTED] ASSI LSPP: No console login on first boot
    DW: should be fixed by -47 patch.
    LK: I reopened it since I didn't see it.
    DW: I checked the policy to make sure it is fixed in there.. it should be
    LK: can you update bugzilla?
    DW: yes ... just about to do that

228107 nor nor All [EMAIL PROTECTED] ASSI [LSPP] Labels for labeled printing don't linewrap
    LK: I know he submitted a patch .. not sure if it is in the current package
    IB: it's hard to say .. I'll send mail to Tim asking about status of this
        patch.

228366 nor nor All [EMAIL PROTECTED] ASSI LSPP: audit does not log obj label for signal recipient
    AG: I sent Eric patch and think it'll be in next kernel.
    EP: hopefully kernel will come out tomorrow morning.
    GW: Eric, you weren't in when Loulwa talked about the soft lockup ..
    EP: no ..
    GW: Loulwa will append info to current soft lockup bug .. is that ok, or
        should she open a new one?
    EP: yes, append to old one is fine

230613 urg nor All [EMAIL PROTECTED] ASSI [LSPP] cups is allowing users to delete other user's job
    GW: I think it's not in current cups package
    KK: it's waiting for upstream acceptance
    GW: we have at least another iteration of cups and kernel then
    KW: if we don't have the patch in, the plan is to require authentication for
        every cups action .. when we use authentication, we need to use rules
        like pam tally. .. that will be easy to update the pam files but will
        need a policy change as well. If patch gets accepted we can turn off
        authentication
    MA: pam tally was already addressed in policy so we shouldn't have problems
        there. The config prompt entry is the same, if patch is accepted we
        won't get password prompt and if we don't get patch accepted then we'll
        get password prompt.
    KW: should I have it deal with the two options?
    GW: will that have documentation effect
    MA: ...
    KW: if patch is included and authentication is bypassed does that mean it
        doesn't call pam at all?
    MA: yes, it is not calling pam at all .. what happens is the server calls
        getpeercon ..
    KW: to verify that in that case you are not authentication user so you don't
        need audit record. Does cups have auditing?
    MA: it does have audit when you try to run as a user.
    KW: ok .. that's good
    GW: Joy is working loopback patch which will take until Friday .. and this
        issue is pending acceptance.. I am trying to decide what's the one with
        the long hold here
    MA: Tim is concerned about not getting acceptance from upstream. but his
        patch and mine got good testing from me and Klaus so we can position it
        for that
    GW: when will we make that position .. to run with what we have or wait for
        upstream acceptance
    LK: Steve can create a package for us with all we need .. basically until it
        is in an rpm, limited number of people are testing it.
    GW: exactly what I was thinking.
    IB: I'll talk to Steve

230620 med nor All [EMAIL PROTECTED] ASSI LSPP: xfrm_add_sa_expire bug
    JL: waiting to run test to verify
    GW: target today?
    JL: yes

230663 med urg s39 [EMAIL PROTECTED] ASSI LSPP: random problems with the python rpm
    GW: Kylie is not on ..
    IB: in her comment she was able to complete test successfully.
    GW: is this a memory corruption issue ...
    IB: it looks like label issue
    GW: what do we need to do on that one
    IB: she needs to confirm it works .. so we can close it
    GW: I'll put a note in there.

231090 med urg ppc [EMAIL PROTECTED] ASSI LSPP: getattr causes python Segfault
    GW: says it's blocking as of the 21st
    IB: basically Steve spoke with Jeremy and he wasn't able to reproduce it
    KW: can you retest with .70 kernel as well
    GW: ok .. putting note in there

231178 urg med s39 [EMAIL PROTECTED] NEW LSPP: setfattr Segfaults on s390x
    GW: I thought that one also potentially was a manifestation of memory
        corruption
    IB: there is a note in there as well .. so can it be closed?
    GW: yes I'll put a note in there

231371 med med pow [EMAIL PROTECTED] ASSI LSPP: audit=0 appears not to disable syscall auditing
    GW: I need to verify that one.

231529 hig med All [EMAIL PROTECTED] ASSI [LSPP] bogus audit records with cups printing
    KK: we had discussion about that one
    MA: I think it can be closed
    GW: Klaus do you think it's working?
    KK: yes .. I think so
    LK: I believe Steve wanted it open
    KW: I don't think we have time to make that change
    LK: It needed a big change in cups ..
    DW: I don't think the change will make an effect on security either. I'll
        talk to Steve about it

232508 nor med All [EMAIL PROTECTED] ASSI LSPP: racoon segfaults between a 64bit platfom and a 32 b...
    JL: I'll verify .. as soon as I get my hands on x86_64

232524 med med All [EMAIL PROTECTED] NEW LSPP: the audit record for ipsec when printing ipv6 addre...
    JL: will verify if it is in there already. This is the small space issue.

233153 med med x86 [EMAIL PROTECTED] ASSI LSPP: semanage not always removing entry from /etc/selinu...
    DW: I don't understand how you got this nodes.local .. not sure where it
        comes from
    JL: I think Kylie opened that one .. cause when she was trying to remove a
        tunnel device, the entry was not being removed from the nodes.local
    GW: he is asking where the nodes.local is coming from
    DW: right.. but I don't see the nodes.local
    JL: ok.. I'll look through that right now.. I didn't see how Kylie wrote up
        the bug report
    GW: I am commenting on bug with 'please verify bug report is accurate.. what
        is the notes.local, and where does it come from'
    KW: also try to verify the .70 kernel while you're at it

233186 med med All [EMAIL PROTECTED] ASSI LSPP: Add audit rule bit operators patch
    GW: This is one of Steve's... it's assigned
    EP: I thought that should have been off the list
    IB: why should it be off the list .. it looks like Steve has patch ..
    EP: oh. that's the user space portion, ok .. nevermind
    KW: this is not required for evaluation, so we can remove it from this
        tracker ..
    IB: Steve wanted it in and I believe he thinks it's important .. I'll check
        with him

233387 med med All [EMAIL PROTECTED] NEW LSPP: security check needed when flushing SAD and SPD
    JL: I just sent my reworked patch to netdev and Dave Miller .. I sent it
        before and they didn't like it .. so hopefully this is it ...

    GW: do you have any other issues ...
    MT: Yes .. on ppc, we have what I think is an audit issue with the pread
        syscall.. pread has 4 args, the fourth argument (a3 in audit log) is
        always logged as 0 regardless of value we provide. it works fine on 64
        bit. It could be anything from glibc to audit issue. I don't know how   
        pread is implemented.. but it does function correctly
    EP: is it only on pread
    MT: yeah ... that's all I see it on..
    EP: open a bug and assign to eparis
    KW: not an evaluation issue either .. but report it to track it
    GW: but it would be good if it's fixed and included in
    KW: I have a kickstart update.. that has a listing of all packages with a
        version number .. please I would appreciate feedback if this works for
        everyone. Other than minor issues like cups for example.. I think it
        should be complete. Linda you wanted to have a way to remove the role
        selection .. but try to do it as part of your program
    LK: ok
    MA: Does this version mention the cups-lpd package
    KW: no, it does not .. do you expect it to?
    MA: no, it shouldn't .. I just wanted to check
    EP: on that last note.. if cups-lpd is in the repo, and shouldn't be then go
        ahead and let Steve know.
    KW: if people follow instructions, then the kickstart should not install it
        anyway.
    MA: yeah, I remember I only saw it on George's list
    GW: yup .. I took my list off the repo... what I should do is maybe take it
        directly from Klaus's list. Ok .. so if there is nothing else .. then
        we'll adjourn .. thanks everyone.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
