[Security_sig] 11/10 Conf. call minutes

Chris Wright chrisw at osdl.org
Thu Nov 10 10:43:48 PST 2005

	Mary Edie Meredith (OSDL)
	Dennis Wells (Unisys)
	Chris Wright (OSDL)
	Matt Anderson (HP)


	- DCL security gap list



Chris: Mary's LUAC feedback suggests SELinux usability is a high
priority issue.

Mary: Is there more setup to SELinux than writing policy?

Matt: You do need to label files.

Chris: Distro should do this during initial install.  3rd party
applications will still be an issue, but there are tools to do.

Mary: Application policy comes from application or distro?

Chris:  For the things you mentioned, MySQL, Tomcat, Apache, those are
packages that come with the distro, so policy should come from there as
well.  The difficulty is with things like apache, where applications
have different policy needs than basic apache.

Mary: Seems like that's the issue LUAC has, too difficult to get
started.  Do we need to create better templates?

Matt: There is effort for reference policy already.

Chris: We don't want to host this.  Policy can quickly get distro
specific.  Better is to get people having issues talking to selinux
community.  It's active and helpful, and is the right place to address
usability issues.

Mary: I like that, makes sense.  We'll see about facilitating it.

Mary: Are there other issues that are top priority?

Matt: LDAP, Active Directory integration is an issue.

Chris: I agree, and brought it up earlier.  Ed replied that it's still
an area where distros may be differentiating themselves.

Mary: Doesn't samba4 solve this?

Chris: I don't know current state, but I didn't think it was functional.

Mary: Tridge said a lot of the code hadn't been written yet, but that
samba4 redesign work was largely due to wanting to support this.

Chris: OK, so it's in progress.  But that's only for actual
integration.  Just having a distributed authentication scheme for Linux
is still maturing.

Matt: Maybe just collecting the pointers to various bits of
documentation would be helpful.

Mary: Where would I go for this?  There are books, but they are out of

Matt: Samba has a docs page which should help.

Mary: Other priority issues?

Chris: From the list we have, perhaps from a marketing checkbox
perspective...we're missing vserver (solaris zones).  But it's never
been clear (from customers) that it's what is needed.  And it's not
clear we'll get that support in mainline.

Matt: CIPSO <grin>

Matt: Maybe capabilities.

Mary: What's the gap?

Chris: We have partial functioning system, but doesn't handle the one
case people want.  There are patches to do this, but so far they've been
higher risk, and small demand.

<more discussion of distributed authentication issues and where to
get documentation>

