04/23/2007 lspp Meeting Minutes:
===============================
Attendees
Lawrence Wilson (IBM) - LW
George Wilson (IBM) - GW
Kris Wilson (IBM) - KEW
Loulwa Salem (IBM) - LS
Debora Velarde (IBM) - DV
Michael Thompson (IBM) - MT
Joy Latten (IBM) - JL
Trevor Highland (IBM) - TH
Irina Boverman (Red Hat) - IB
Steve Grubb (Red Hat) - SG
Dan Walsh (Red Hat) - DW
Eric Paris (Red Hat) - EP
Lisa Smith (HP) - LMS
Matt Anderson (HP) - MA
Paul Moore (HP) - PM
Klaus Weidner (Atsec) - KW
Chad Hanson (TCS) - CH
Joe Nall - JN
Agenda:
General Issues
Bug Discussion
Repo:
http://people.redhat.com/sgrubb/files/lspp/
RHEL 5 LSPP Packages:
acl-2.2.39-2.1.el5
aide-0.12-9.el5
audit-1.3.1-4.el5
audit-libs-1.3.1-4.el5
audit-libs-devel-1.3.1-4.el5
audit-libs-python-1.3.1-4.el5
cups-1.2.4-11.8.el5
cups-libs-1.2.4-11.8.el5
ipsec-tools-0.6.5-7.el5
kernel-2.6.18-8.1.1.lspp.76.el5
kernel-devel-2.6.18-8.1.1.lspp.76.el5
libacl-2.2.39-2.1.el5
libacl-devel-2.2.39-2.1.el5
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
lspp-eal4-config-ibm-0.45-1
mcstrans-0.2.3-1.el5
openssh-4.3p2-21.el5
openssh-clients-4.3p2-21.el5
openssh-server-4.3p2-21.el5
pam-0.99.6.2-3.19.el5
pam-devel-0.99.6.2-3.19.el5
policycoreutils-1.33.12-7.el5
policycoreutils-newrole-1.33.12-7.el5
selinux-policy-2.4.6-62.el5
selinux-policy-devel-2.4.6-62.el5
selinux-policy-mls-2.4.6-62.el5
selinux-policy-strict-2.4.6-62.el5
selinux-policy-targeted-2.4.6-62.el5
vixie-cron-4.1-67.el5
Tracker Bug:
https://bugzilla.redhat.com/bugzilla/showdependencytree.cgi?id=224041
GW: do we have all known bug fixes in kernel?
SG: We are picking up 6 bugs and Eric is building a kernel today.
EP: It is in the build system right now.
SG: There are kernel, ipsec-tools and cron packages
GW: Any general issues we need to talk about? We need to go down to 0 bugs
soon
SG: We were looking at spinning a new kernel today, and if no problems
arise, we will have the final kernel by Wed. We aim for 0 bugs by Friday.
GW: Yeah, or sooner if possible. That said, I don't want to discourage
anyone from opening bugs, of course.
KW: One important thing to know: the packages on the people page right now,
are those going to be the same packages, just signed for final, or new,
different packages that were built again?
SG: The engineering dept will take the exact binary files and sign those. We
plan to make them available as soon as we are down to 0 bugs.
KW: While we go through the list, we should take notes of which packages we
are expecting new ones for and which will not be modified other than
signing.
GW: I can tell you we will have another lspp-config package; aide was not
working with cron and I need to make a few changes.
KW: I have a few small bugs myself to add to that.
GW: Also, the changes that you put in on Friday received little testing,
so if folks can use those, it would be good. I think the config would be
the last to change.
KW: There are new features and fixes based on last minute feedback. If you
have time to test, please look into that. The posting on the rhel-lspp list
has a summary of changes; this is the .45 version. While on the subject,
if people have patches they want to include, this would be the best time
to do that. Or let me know if you still have any issues.
GW: OK, so if you see any issues, let Klaus know or post to the list.
KW: Even if it's something that you think is behaving strangely, it's better
to ask about it.
GW: It's best to load and try on all platforms. Anything else for general
discussion? OK, let's go through the bug list.
Bug List Query:
https://bugzilla.redhat.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=RHEL%205.0%20LSPP&[EMAIL PROTECTED]&order=bugs.bug_id
Bug List: (Sun Apr 22 16:48:03 EDT 2007)
ID Sev Pri Plt Assignee Status Summary
231392 hig med All [EMAIL PROTECTED] ASSI LSPP: Misc soft-lockups in x86_64 lspp.67 kernel
GW: It's been decided it's not an issue, correct?
EP: Yes, we had 3 people look at it. The kernel we are building today should
make the messages not appear. It's not a bug, it just takes a while.
Basically we will make it intelligently not complain. All who looked at
it decided it is not a bug. There is not even a big performance issue
here either, and the system is still running.
GW: OK, we'll test on the new kernel again once it comes out.
234923 med med All [EMAIL PROTECTED] ASSI LSPP: update lspp.rules file for evaluation
SG: I started looking at that last week; I had a question or 2 that I sent
Klaus an email about.
KW: Sorry, I did not get to those yet. I will look at them shortly.
SG: I did not do much with it yet; I've been working on other things.
GW: This is a nice to have, though.
SG: It's a must have.
KW: This is not a requirement for evaluation. The system is capable of
auditing, but there is no requirement to have it configured out of the box
with all the rules.
GW: But it'd be good for us to have it ready out of the box.
KW: Yeah. I would consider it a high priority nice to have.
236316 urg med All [EMAIL PROTECTED] ASSI LSPP: Unable to change expired password on ssh login
SG: Tomas created a patch, and we integrated it over the weekend. The way we
change the password has policy implications and Dan is working on that.
KW: Something to think about: is it really something we want to change?
The patch is big and Tomas said it is invasive. I think it will affect
our work now and has documentation impacts as well. I know you put a lot
of work into it, but should we rush it in?
SG: We think it is the most secure option to fix the problem.
KW: We can just make it a limitation and document it.
DW: It's not just secure shell; login is also affected.
KW: Never mind, we need it fixed then. I thought it was only ssh.
SG: If you have time, please review it.
GW: So that is restricted to being used by the secure shell binary?
SG: Well, anything that is pam-ified.
KW: The only policy change would be to check the password type, or would all
pam programs need new rules?
DW: Yes, there is a new type called update_?? . It's an interface, so not too
bad. You can run the program but it won't be able to access /etc/shadow.
KW: The entire thing seems to be a TE issue, which does not affect MLS/DAC policy.
DW: The main thing is that we don't break some pam application to add functionality.
PM: Is there going to be an audit record if users log in directly?
DW: Only root should run it.
SG: If it's run by someone who is not root, it will fail. As for the patch, a
lot of the code is moved code from the helper function. I think he took
something out of the original program that did not need to be set-uid root.
The check-password program is safer now that it is called only once.
KW: Do you have an estimated time for when we'll have the pam package and
policy to test it?
DW: Tomorrow.
SG: The pam package is out, but I won't install it yet since it does not
have a matching policy to go with it.
DW: So I would say early tomorrow.
SG: By the way, the week of May 8 we'll be hard to get hold of because of
the RH summit. I will give you contact info in case of emergency.
GW: Hopefully we'll be done by then and have 0 bugs. Please keep trying to
find any bugs.
237133 hig med All [EMAIL PROTECTED] MODI [LSPP] userdom_admin_user_template and cron_per_role_temp...
SG: Dan changed the status on that one. Were we waiting on a retest?
DW: Waiting on a retest of the policy.
MT: I checked. It compiles but doesn't seem to work.
DW: To work, you have to do both ...[ more comments in bug ]. We pulled some
roles out of the template. You have to specify both roles.
MT: Is specifying sysadm there intentional?
DW: I'll check it. I don't have it in front of me.
MT: OK, I'll talk to you about it offline.
DW: Looks like it might be a copy/paste issue. It should be abat.
237249 med med All [EMAIL PROTECTED] ASSI LSPP: polyinstantiation behavior correct and documented
SG: Need to document the man page. We should have an updated man page. This
needs review, then closing. I'll take care of that.
237324 med med All [EMAIL PROTECTED] MODI LSPP: genhomedircon does not pick up default user types c...
SG: It was pushed out. What it needs is verification that the package works.
DW: What happened there is, if you go into semanage, any user that does not
get a specific mapping gets that user. If the admin wanted to change it,
you would change that line. You need to look at it and change your default
to be staff, then add the user for your home dir/labels to be correct.
SG: After the meeting, if you can check the fix, we can get rid of this
bug.
GW: Anything else?
KW: I saw there is a new pam on the lspp repo (.20); is that the new one?
SG: Yes it is, the one I pushed out an hour ago.
KW: But we need the policy.
SG: Yes. We also pushed out policycoreutils and ipsec-tools. There is a fix
in ipsec-tools that was a security fix. The only other package we will
rebuild is vixie-cron, which takes care of a DoS attack. As far as I know,
we will get a new kernel, audit, policy, and vixie-cron.
GW: We are trying to get all packages by Wednesday, including the kernel?
SG: Yes. Assuming no regressions occur, we'd like to build the kernel without
debug.
DW: Michael, I just updated the bugzilla. It was a copy/paste issue...
MT: Thanks, Dan.
GW: Anything else to cover? Alright, we'll adjourn the meeting. Thanks.
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp