04/02/2007 lspp Meeting Minutes:
===============================
Attendees
Robin Redden (IBM) - RR
Lawrence Wilson (IBM) - LW
George Wilson (IBM) - GW
Kris Wilson (IBM) - KEW
Loulwa Salem (IBM) - LS
Debora Velarde (IBM) - DV
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Klaus Kiwi (IBM) - KK
Trevor Highland (IBM) - TH
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
Eric Paris (Red Hat) - EP
Lisa Smith (HP) - LMS
Linda Knippers (HP) - LK
Amy Griffis (HP) - AG
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Chad Hanson (TCS) - CH
Joe Nall - JN
Agenda:
General Issues
Bug Discussion
Repo: http://people.redhat.com/sgrubb/files/lspp/
RHEL 5+ Packages
acl-2.2.39-2.1.el5
* aide-0.12-8.el5
audit-1.3.1-3.el5
audit-libs-1.3.1-3.el5
audit-libs-devel-1.3.1-3.el5
audit-libs-python-1.3.1-3.el5
cups-1.2.4-11.8.el5
cups-devel-1.2.4-11.8.el5
cups-libs-1.2.4-11.8.el5
ipsec-tools-0.6.5-6.2.el5
kernel-2.6.18-8.1.1.lspp.72.el5
kernel-devel-2.6.18-8.1.1.lspp.72.el5
kernel-doc-2.6.18-8.1.1.lspp.72.el5
libacl-2.2.39-2.1.el5
libacl-devel-2.2.39-2.1.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
mcstrans-0.2.3-1.el5
openssh-4.3p2-20.el5
openssh-askpass-4.3p2-20.el5
openssh-clients-4.3p2-20.el5
openssh-server-4.3p2-20.el5
* pam-0.99.6.2-3.18.el5
* pam-devel-0.99.6.2-3.18.el5
selinux-policy-2.4.6-45.el5
selinux-policy-devel-2.4.6-45.el5
selinux-policy-mls-2.4.6-45.el5
selinux-policy-strict-2.4.6-45.el5
selinux-policy-targeted-2.4.6-45.el5
vixie-cron-4.1-67.el5
lspp-eal4-config-ibm-0.25-1 (likely 26 for *'d above)
rbac-self-test (TBD in config RPM)
Tracker Bug:
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041
Query:
https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&[EMAIL PROTECTED]&order=bugs.bug_id
GW: Someone saw a lockup I think
LS: that was Joe, he sent out an email to the list.
JN: yeah. I saw a lockup, I sent the dmesg output where you see the lockup.
If I stress it I see where it hangs and is not responsive at all. I am not
sure how to debug it
GW: is this on .72?
JN: both 72 and 71. I am trying to get another machine since mine right now
has all these user space applications on it as well
EP: when it's hung, does the magic sys-request key work?
JN: I can't get what you're saying. But it just hangs
MA: for final kernel are we disabling that?
GW: it's usually disabled through proc. Ok, any general issue before we get
started on the bug list? We were discussing the lockup Joe was seeing; he
is running in a virtualized environment. Is that a 32-bit kernel?
JN: yes
GW: ok, other issues .. I'll note there are at least 3 bugs I know of that
we need to add to the list.
SG: I think I also took three bugs off the list
GW: we are down to 9. Very good
Bug List:
218386 med nor pow [EMAIL PROTECTED] ASSI LSPP: labeled ipsec does not
work over loopback
JL: I think I have it working. I prefer to have one more day of stress for
my peace of mind. So far no problems. I'll ifdef all our changes. I
think it'll be better chance to get them upstream that way.
JN: are we gonna package configurations that set the local IP address for
ipsec? Or will it be manual configs later
KW: good idea to add that to configuration script.
JN: It's dramatically slow with initial sockets now when you make a connection
PM: I'd be nervous about turning ipsec on unless we have to
KW: So we can add the sysctl to the kickstart script
JN: My question is are we gonna have labeled sockets by default
KW: no, but if people activate ipsec, that should work then.
JL: you mean in the script to have it on by default?
KW: this is based on a mail that Paul sent to the mail list. My
understanding is that this won't do anything unless you turn it on, which
will then enable negotiation with localhost.
PM: I misunderstood your initial statement Klaus, now I think that's an
excellent idea.
JL: I think it's a good idea too. it'll throw people off at first if they
think it is not working.
KW: if you have kind of labeled networking then people think it is not
protecting localhost
JN: if you are not enabling by default, would domains talk to each other if
allow rules allow it
KW: yes
JN: how would you get lspp certification then?
KW: it says you have to enable ipsec or cipso for the evaluation. The
evaluator says it's ok that you have to choose one or the other in
configuration to have the evaluated system
JN: so it's not on by default
KW: yes. you have to do the configuration
JN: we have been using an rpm that does our configuration for us for some
time
PM: once Joy posts this updated patch, would it be possible to spin an ipsec
tools package so we can test with it
SG: that would be the plan, question is how long it takes to happen? The
maintainer is in England so if we get it early on, we might be able to
get one in the same day, otherwise we might wait until next day
GW: So we're gonna carry an ipsec package, do we need a bug for that then?
SG: it has one
EP: is that bug still against the kernel
JL: we need to change it against tools
GW: I'll change it now and put a comment that Joy will do another day of
testing.
225443 med nor ppc [EMAIL PROTECTED] ASSI LSPP: No
console login on first boot
SG: I closed it. Dan has that in a new policy.
GW: I have not verified it
LK: we want that open
GW: yeah, until we verify it at least
KW: did it work for Debbie? She sent me a note on Friday
SG: the policy change that Dan made was about 1 hour ago, and it's still not
pushed out
KW: ok, so probably she didn't have it then
DV: yeah, I'll try with the new policy
GW: Klaus.. by the way, I also sent you a patch for pam and aide.
SG: I'll push policy as soon as telecon is over
GW: I'll test with it
228366 med nor All [EMAIL PROTECTED] ASSI LSPP: audit does not log obj
label for signal recipient
SG: Eric, I think we need an update on that bugzilla. I think it was
included and its status is awaiting test
EP: yes correct
GW: ok, I'm making note of that
231090 med urg ppc [EMAIL PROTECTED] ASSI LSPP: getattr
causes python Segfault
GW: needs to be retested, this was a bug opened by Kylie
KK: is it specific to s390?
GW: no, ppc
KK: Ok, I can test it, can you add me to CC list?
GW: yes, thank you
231392 hig med All [EMAIL PROTECTED] NEW LSPP: Misc soft-lockups in x86_64
lspp.67 kernel
EP: most of those were solved, but one was still seen. Stephen Smalley and I
looked at it, and we are not sure what the problem is. I don't think it
is a blocking thing, since it shows that the cpu was slow getting back
to us. I'll look at it but if we and IBM can't reproduce it, I think
it'll fall to the side
231529 hig med All [EMAIL PROTECTED] ASSI [LSPP] bogus audit records with
cups printing
SG: I'm still working on it, I haven't decided one way or another on that
one yet
GW: putting note in bug.
233153 med med x86 [EMAIL PROTECTED] ASSI LSPP: semanage not always
removing entry from /etc/selinu...
LS: joy and I are looking at it, we are trying to figure out how the test
case is functioning. It seems like the test case is not cleaning up
properly. We will run it and see if we still see the same behavior.
GW: noting that in the bug
234077 med med ppc [EMAIL PROTECTED] NEW LSPP: ppc 32-bit pread not
correctly auditing 4th arg (of...
EP: that one looks like it's not an lspp blocker so I can take it off the
list. It is working as designed and I just need to explain that
MT: ok, can you please explain it.
EP: we were passing a 64-bit offset and since we are in 32 bit in userspace,
it gets broken into registers, so we always get 0 for the upper
registers.
MT: have you tried logging in something that will show a value
EP: I'll work on that today if I get a chance. It looks like pwrite will also
have this problem. All the calls that have this 32/64 issue will, and
possibly they always did but no one noticed before. I sent a message to
David Woodhouse who is the ppc/audit guy asking if he has ideas on how
to log this. Looks like that one will likely get explained in there as
not a bug
MT: Klaus, you also said that it is not a security bug as well.
234485 med med All [EMAIL PROTECTED] ASSI LSPP: when searching for larval
SAs check the protocol too
JL: It's done. I tested and it's been accepted into upstream kernel.
GW: I am updating the bug
SG: was that in .72 kernel?
JL: I put a note in the bug in .. it was in the .70 kernel
EP: this fix has been in there for quite a number of releases
JL: I don't know if I have power to change states in RH bugs, so I am adding
notes to them
EP: that's what you should be doing. thanks
234491 med med All [EMAIL PROTECTED] ASSI LSPP: kernel sends additional
ACQUIRES that racoon is not...
JL: already submitted a patch to ipsec tools but they didn't pick it up yet
SG: did you attach bug to bugzilla
JL: let me check ..
GW: would you please attach the patch?
SG: if we can get that one along with the other patch, we can probably put
them in the same release.
JL: I sent the patch out on the list at some point, but I'll attach it to
the bug
GW: I'll make a note in the bug
234781 incorrect info in pam selinux audit record
GW: Linda reported this one
LK: I had a conversation with our evaluator. It's not blocking anything.
It's just wrong
SG: we should make sure it's fixed and pushed out so it's not lost in the
cracks. It sounds like it's simple to fix
LK: If it was simple I would make a patch, but it seems the info is not
available to the audit record, so we either need to change where we
audit from or pass more info around
GW: I'll add "it's not lspp blocking but good to fix" to the bug
234885 aide pol causes ..
GW: just opened this, I attached a policy module to make aide work
correctly. One issue is the /var/log/aide directory is getting set to
low
DW: there is a bug in the file context description, a "?" mark was missing. I
took most of your changes and added a couple of extra ones. Hopefully the
-50 policy will fix the problem.
GW: ok.. thank you
234889 cups jobs with sysadm_r...
KK: I was talking with Matt and I wanted to hear Klaus W's and others'
opinion on this. Everyone on the system has fileread perms to read up,
but that's not true for print jobs. This seems stricter than mls to me.
Just wanted to get other people's opinion about it
KW: in general it is not a problem if you are being more strict .. but good
to have it
LK: my question, when did sysadm_t get the overrides?
DW: secadm used to have it, and then sysadm needed it to change level and
such
KW: I think late last year that happened when secadm got deprecated
DW: sysadm needed to do change con
KW: sysadm needed to do all that secadm used to do
LK: ok, I see. I remember that I just wanted to check.
DW: ..
KK: we need to change to lpr_t, and since lpr_t does not have the attribute,
it can't read up. It is just adding mlsfilereadup in the ldp_t
interface.
DW: I'll take a look at it
MA: as long as there is a note on there. It seems all they get is the job
title, which we don't consider to be sensitive info.
KK: only role using this interface is sysadm .. so I think it is secure to
allow it to mlsfileread to lpr_t.
DW: I'll look at it
GW: Anything else
MT: I have a question for Steve and Klaus. When you do autorelabel, is there
supposed to be an audit message generated?
SG: yes, I've seen it before
KW: not a requirement to have it since this is not a normal system use
EP: Is audit even running then
SG: the answer is yes and no .. It's auditing but it's not going to the audit
log
EP: probably going to the console then picked up later
SG: in the past we talked about having a mode of the audit daemon where, when
it starts up, it can queue everything and then dump it there, to make sure
it is not full.
KW: it's not critical to do that.
SG: if we do something on boot up and it gets AVCs that don't get audited,
that might be a customer issue.
MT: Second question: we are using pam_tally2 to record failed logins. When
you successfully log in it resets it.
KW: that is exactly how it should behave
MT: ok we were not sure
KW: it is there to limit attempts you can make.
GW: does anyone else have anything to talk about
KW: George, question for you .. do you think the self tests are ready to be
integrated?
GW: yes, it's close. Even if it is not 100% there, I think we should package
it and push it out anyway so people can run it and give me feedback.
I'll try to make spec file changes and produce a patch for you
SG: at some point we also need to go over the audit lspp.conf file. I took a
short look at that a couple of weeks ago, but I think we need to expand
the watches considerably. So far we have not come up with what files are
security relevant.
GW: we have an idea what they are
SG: I think we need to open a bugzilla for that to track it and as a group we
can decide
GW: and I think those would be similar to what the aide policy is checking.
we might want to watch a significant subset of what we watch with aide
SG: is there an aide configuration separate from what is shipped?
GW: I think it might be similar
SG: aide is directory oriented, but watches are based on file by file so the
audit system can be fine grained. I'll open a bugzilla. I wanted to wait
until the end, and it looks like we are close to the end. I wanted to
see what packages make it, for example printing and selinux subdirs that
we didn't worry about in CAPP need to be added now
GW: this aide has specific files in it too, I am just looking at
configuration now
SG: there is an overlap, but aide is directory oriented while audit system
can't do recursive auditing on directories so...
GW: we can harmonize the audit configurations then. Any other issues? We are
getting near the end. What about things that need to make it into the
update? You said some need to make it in ..
SG: those were some internal milestones. All these lspp changes are in any
new development we are doing.
GW: ok. Anything else anyone wants to talk about? Ok .. we'll adjourn ..
thanks everyone
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp