20080312
Meeting
End: 21:00 UTC
Where: #ubuntu-meeting on irc.freenode.net
Chaired By: KeesCook
Agenda for this meeting
These items will be discussed at the next meeting:
CVE review - KeesCook
- Contributing to ubuntu-cve-tracker - what's the best way?
To-Do List (Expanding our Roadmap) - JoeJaxx (postponed, will not be able to attend)
- MOTU-SWAT membership (postponed until motu-swat admins are available)
SELinux progress - ChadSellers
SELinux GUI Utils - JoeJaxx (postponed, will not be able to attend)
Hardening Wrapper testing - KeesCook
Penetration Test Team Organization - emgent
- CoC approval
- private mailinglist status
- switch name to ubuntu-whitehat
Ubuntu Security IRC organization room - emgent
- Next meeting time
Log
TZ UTC-4
(03:00:28 PM) keescook: #startmeeting
(03:00:29 PM) MootBot: Meeting started at 19:00. The chair is keescook.
(03:00:29 PM) MootBot: Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
(03:00:37 PM) keescook: [topic] introductions
(03:00:37 PM) MootBot: New Topic: introductions
(03:00:46 PM) ***propagandist waves
(03:00:55 PM) keescook: okay, are people here for the security team meeting? :) hi propagandist
(03:01:20 PM) keescook: [link] https://wiki.ubuntu.com/SecurityTeam/Meeting
(03:01:20 PM) MootBot: LINK received: https://wiki.ubuntu.com/SecurityTeam/Meeting
(03:01:30 PM) keescook: there is the agenda for today's meeting
(03:01:44 PM) emgent: @schedule rome
(03:01:45 PM) ubotu: Schedule for Europe/Rome: 12 Mar 22:00: Server Team | 14 Mar 21:00: MOTU | 14 Mar 22:00: REVU Coordination | 19 Mar 22:00: Server Team | 26 Mar 22:00: Server Team
(03:01:59 PM) emgent: hi keescook
(03:02:06 PM) keescook: heya emgent
(03:02:28 PM) keescook: looks like joejaxx isn't here, but I'd like to still cover the TODO list/Roadmap
(03:02:50 PM) emgent: jdstrand, :)
(03:02:52 PM) keescook: is anyone from motu-swat here to do membership stuff for that team?
(03:03:26 PM) ***jdstrand got confused with the recent change to EDT
(03:03:49 PM) keescook: well, and I tried to trick everyone by moving it an hour in UTC too. :P
(03:04:05 PM) jdstrand: very sneaky indeed
(03:05:04 PM) keescook: Fujitsu: are you here? (ScottK, Nafallo, and sistypot aren't -- the other motu-swat admins)
(03:05:51 PM) keescook: okay, well, I'll mark the motu-swat agenda item as postponed for now.
(03:06:07 PM) keescook: alright, moving forward...
(03:06:10 PM) keescook: [topic] CVE review
(03:06:10 PM) MootBot: New Topic: CVE review
(03:06:32 PM) keescook: the only item I have here is to call attention to the -proposed version of mysql that jdstrand prepared.
(03:07:05 PM) jdstrand: hey I was going to do that
(03:07:12 PM) keescook: have at it. :)
(03:07:37 PM) keescook: [link] https://lists.ubuntu.com/archives/ubuntu-devel/2008-March/025173.html
(03:07:38 PM) MootBot: LINK received: https://lists.ubuntu.com/archives/ubuntu-devel/2008-March/025173.html
(03:07:40 PM) jdstrand: the bug is #201009
(03:07:53 PM) jdstrand: bug #201009
(03:07:54 PM) ubotu: Launchpad bug 201009 in mysql-dfsg-5.0 "[mysql-dfsg-5.0] fix for several open vulnerabilities in -proposed" [High,Fix committed] https://launchpad.net/bugs/201009
(03:08:19 PM) jdstrand: we need testing of the -proposed packages with feedback put in that bug
(03:08:50 PM) keescook: anyone running mysql that can give it a go?
(03:08:56 PM) jdstrand: the summary is that there were several CVEs that are fixed, but two of them, CVE-2007-6303 and CVE-2007-2692, were fairly intrusive
(03:08:58 PM) ubotu: MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6303)
(03:08:59 PM) ubotu: The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2692)
(03:09:08 PM) jdstrand: you go ubotu
(03:09:46 PM) jdstrand: anyhoo, the packages have gone through quite a bit of testing already and are in good shape as far as I can tell, but it'd be nice to get more testing
(03:10:13 PM) jdstrand: dapper - feisty primarily
(03:10:27 PM) sdh: oops, hi
(03:10:37 PM) jdstrand: gutsy is close enough to upstream that it wasn't affected by these
(03:10:53 PM) jdstrand: that came out weird
(03:11:00 PM) jdstrand: gutsy isn't affected by those
(03:11:28 PM) jdstrand: heh
(03:11:37 PM) jdstrand: ok, that was wrong
(03:11:49 PM) keescook: heh :)
(03:12:00 PM) jdstrand: gutsy is affected by 6303, but is close enough to the current upstream that its patch wasn't intrusive
(03:12:15 PM) ***jdstrand tried to be too brief in his summary
(03:12:44 PM) keescook: cool. so, anyone listening, please enable -proposed and give some feedback. :)
(03:12:54 PM) keescook: any other CVE issues people want to bring up?
(03:13:37 PM) keescook: [topic] Contributing to ubuntu-cve-tracker
(03:13:38 PM) MootBot: New Topic: Contributing to ubuntu-cve-tracker
(03:14:17 PM) keescook: okay, so, the Ubuntu CVE tracker is used to ... track CVEs
(03:14:28 PM) keescook: [link] https://launchpad.net/ubuntu-cve-tracker
(03:14:28 PM) MootBot: LINK received: https://launchpad.net/ubuntu-cve-tracker
(03:15:03 PM) keescook: we're all doing lots of CVE updates, and I'd like to have more people from motu-swat reviewing the open CVEs
(03:15:17 PM) keescook: Fujitsu did a few great passes at it, but it still needs more work
(03:15:26 PM) keescook: the process is fairly well documented in the README
(03:15:32 PM) keescook: [link] http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/files
(03:15:32 PM) MootBot: LINK received: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/files
(03:15:59 PM) jdstrand: in addition to getting it up to date, ubuntu-cve-tracker is the main method we use to coordinate work on the CVEs
(03:16:27 PM) keescook: before the next meeting, I'll make sure we have a published "open CVE" list so it's easier for people to see the work
(03:16:41 PM) keescook: [action] keescook to get HTML publication finalized
(03:16:42 PM) MootBot: ACTION received: keescook to get HTML publication finalized
(03:16:51 PM) jdstrand: it is important that if we are preparing updates that we check ubuntu-cve-tracker to see if the CVE is assigned to someone, so there isn't duplicate work
(03:17:07 PM) jdstrand: (this happened recently)
(03:17:09 PM) keescook: emgent: have you had a chance to check out a branch of this?
(03:17:34 PM) jdstrand: if it's assigned to someone, then ping that person to see what's going on
(03:17:42 PM) emgent: yep
(03:17:54 PM) emgent: i use this for working
(03:18:08 PM) keescook: emgent: cool. if you have any changes, please push up a branch and we can merge in your updates
(03:18:20 PM) emgent: ok i will do.
(03:18:50 PM) jdstrand: seems that is the best way to go
(03:18:53 PM) keescook: okay... moving on
(03:18:53 PM) keescook: [topic] To-Do List (Expanding our Roadmap)
(03:18:54 PM) MootBot: New Topic: To-Do List (Expanding our Roadmap)
(03:19:06 PM) asac_ is now known as asac
(03:19:09 PM) keescook: [link] https://wiki.ubuntu.com/SecurityTeam/Roadmap
(03:19:09 PM) MootBot: LINK received: https://wiki.ubuntu.com/SecurityTeam/Roadmap
(03:19:17 PM) jdstrand: motu-swat people check out their branch, keep it up to date with master, and keescook and I will pull in the changes
(03:19:43 PM) jdstrand: lp has a way to request a merge that makes it very convenient
(03:19:51 PM) keescook: I'd like to see more things listed on the ST roadmap :)
(03:19:54 PM) jdstrand: Fujitsu did that the other day and it worked great
(03:20:14 PM) keescook: if people have ideas about stuff they want to work on, please add it to the roadmap.
(03:20:19 PM) jdstrand: yikes, I didn't think we were done with u-c-t yet
(03:20:28 PM) keescook: I'd love to get all the non-exec stack bugs closed, too.
(03:20:49 PM) keescook: jdstrand: np, it was kind of a short topic -- not a big group today
(03:21:35 PM) keescook: [action] keescook to add non-exec stack bug list to roadmap
(03:21:35 PM) MootBot: ACTION received: keescook to add non-exec stack bug list to roadmap
(03:21:41 PM) emgent: :)
(03:21:42 PM) keescook: anyone have anything else they want to see on the TODO list?
(03:22:15 PM) emgent: not now, for me
(03:22:17 PM) jdstrand: though it overlaps with the server team
(03:22:28 PM) jdstrand: I think apparmor profiles would be great
(03:22:29 PM) keescook: one idea I had was to add a "wishlist" section to the roadmap, and point anyone there that had ideas they wanted to see implemented.
(03:22:34 PM) keescook: ooh, yeah
(03:23:20 PM) gaten: what about something like a bastille script for ubuntu??
(03:23:31 PM) keescook: I don't mind having TODO items duplicated between teams -- more chance people will work on it :)
(03:23:59 PM) jdstrand: while I haven't tried it, wouldn't Debian's bastille work fine on ubuntu?
(03:24:01 PM) keescook: I'd also like to add "build FAQ" to the TODO list
(03:24:27 PM) gaten: +1 for the wishlist
(03:24:37 PM) jdstrand: I like the wishlist idea too
(03:24:48 PM) emgent: +1 too
(03:25:02 PM) gaten: jdstrand: quite possible. sounds like a TODO
(03:25:27 PM) mathiaz: keescook: one of the problems with a wishlist section in the Roadmap is that it can become a long laundry list
(03:25:50 PM) keescook: mathiaz: true. I figure if it gets that way, we can move it to another page.
(03:25:51 PM) mathiaz: keescook: That's why the server Team has an IdeaPool page that is separate from the Roadmap
(03:25:51 PM) gaten: jdstrand: but i would like to see a hardened default config
(03:26:12 PM) mathiaz: keescook: the desktop team has a vision wiki page for long term and todo for short term
(03:26:16 PM) keescook: gaten: "hardened" means so many things. what parts did you have in mind?
(03:26:48 PM) mathiaz: keescook: and people tend to start discussing things under the wishlist point
(03:27:37 PM) keescook: mathiaz: I'm all for generating discussion. any significantly large discussion can be turned into a Blueprint. :)
(03:27:43 PM) gaten: keescook: the basics first. umask, ulimit, read access to logs etc
(03:28:09 PM) gaten: and i would like to see a firewall that's enabled and has some actual rules on by default.
(03:28:39 PM) sdh: agreed on firewall
(03:29:04 PM) keescook: gaten: some of that already exists -- it'd be great to document a checklist. Can you write a wiki page for that, and link to it in the Wishlist section?
(03:29:14 PM) jdstrand: gaten: not sure if you are referring to ufw there, but after an install, a simple 'sudo ufw enable' and you've got a good host-based firewall
(03:29:34 PM) keescook: (I've added Wishlist and FAQ to the Roadmap now)
(03:29:41 PM) gaten: keescook: sure. when will this wishlist be available?
(03:29:44 PM) gaten: ahh, nvm
(03:30:21 PM) keescook: also, I'd like to see the "KnowledgeBase" link to something useful.
(03:30:23 PM) gaten: jdstrand: ahh, wasn't aware it shipped w/ rules available. but it should still be part of the setup, like 'Do you want to enable the firewall on startup'
(03:30:50 PM) keescook: I figure lists of links to other information could be handy there (oss-security link, CVE tracker link, you name it)
(03:31:45 PM) gaten: another item I have brought up on the list-server but have done nothing about: chrooted packages (ie apt-get install LAMP-chroot)
(03:32:15 PM) jdstrand: gaten: that is a hard problem and very site-specific
(03:32:40 PM) jdstrand: however, the 'M' in LAMP is now in apparmor enforcing mode
(03:32:49 PM) keescook: :)
(03:33:03 PM) jdstrand: gaten: I have been thinking about how to deal with 'A'
(03:33:06 PM) gaten: jdstrand: what about using bind-chroot as a stepping stone? and another thing, does chroot become moot if apparmor/selinux are implemented?
(03:33:06 PM) Rinchen` is now known as Rinchen
(03:33:37 PM) jdstrand: gaten: re> chroot moot -- basically yes
(03:33:39 PM) keescook: gaten: depends ... I'd say that might be true if kvm/xen are used too
(03:33:45 PM) jdstrand: gaten: you get a lot of pain for little gain
(03:33:54 PM) keescook: some people use chroots to split up service configs. *shrug*
(03:33:56 PM) gaten: well apache is the easiest to chroot of em all, and there are so many scripts out there for it. also you've got mod-chroot if you wanna take the easy way out, still don't think it's as secure though
(03:34:13 PM) jdstrand: gaten: and it isn't apache that is the problem, it is wirtual hosting and added packages
(03:34:23 PM) jdstrand: virtual even
(03:34:34 PM) gaten: yes, and updating. i've played that game before
(03:34:40 PM) jdstrand: me too
(03:34:54 PM) jdstrand: which is why apparmor and selinux can help quite a bit here
(03:35:02 PM) gaten: which is why i have wet dreams of apt-get update lam-chroot ;)
(03:35:08 PM) keescook: hehe
(03:35:21 PM) emgent: hahha
(03:35:24 PM) keescook: okay, move on?
(03:35:35 PM) gaten: ok, so hold off on that for now then
(03:35:40 PM) jdstrand: however, more thought needs to be done on the packaging of the added software and dealing with virtual hosts in a sane way that is easy to profile
(03:35:50 PM) keescook: we're skipping MOTU-SWAT membership since we lack any motu-swat admins
(03:35:58 PM) jdstrand: gaten: it is absolutely an idea though, feel free to add it :)
(03:35:58 PM) keescook: [topic] SELinux progress
(03:35:59 PM) MootBot: New Topic: SELinux progress
(03:36:09 PM) keescook: propagandist: all yours
(03:36:19 PM) propagandist: hey everyone
(03:36:21 PM) propagandist: A new bug fix release of SETools was released today which includes transitional packages (and should resolve the major complaint with the last FFE request).
(03:36:38 PM) keescook: excellent
(03:36:43 PM) keescook: oh, ubotu just left
(03:36:43 PM) propagandist: An official release of SELinux was done last week as well.
(03:37:00 PM) keescook: for the logs, setools FFe is bug 198391
(03:37:11 PM) propagandist: I'll be integrating these into the packages and reposting to REVU.
(03:37:17 PM) keescook: propagandist: ah! that's good news. I'm glad to see that SELinux release.
(03:37:27 PM) propagandist: for SETools that means updating the ffe as well
(03:37:35 PM) propagandist: for the rest of them do I need to do an FFE?
(03:37:41 PM) propagandist: keescook: ;o}
(03:37:47 PM) keescook: propagandist: is it a new upstream version? if so, yes.
(03:38:01 PM) keescook: what do we gain by updating SELinux?
(03:38:38 PM) keescook: [link] https://launchpad.net/bugs/198391
(03:38:39 PM) MootBot: LINK received: https://launchpad.net/bugs/198391
(03:38:41 PM) jdstrand: is this 3.3.4 or a more major update?
(03:39:00 PM) propagandist: not too much I would think
(03:39:06 PM) propagandist: it's 3.3.4
(03:39:33 PM) jdstrand: as this FFE isn't accepted yet, could it just be updated?
(03:39:39 PM) propagandist: the upstream selinux ones would only have the advantage of using an official release (but they are basically the same as what we have now)
(03:40:03 PM) keescook: propagandist: if the changelog is small, I'm for it, just to be on a "known" release version.
(03:40:09 PM) propagandist: jdstrand: yes for setools, i will update the ffe
(03:40:10 PM) keescook: [link] http://www.nsa.gov/selinux/code/download-trunk.cfm
(03:40:10 PM) MootBot: LINK received: http://www.nsa.gov/selinux/code/download-trunk.cfm
(03:40:19 PM) keescook: I see it's at 2.0.59
(03:41:08 PM) propagandist: yup and we are currently on 2.0.55
(03:41:23 PM) keescook: propagandist: so, beyond those things, how is SELinux on Hardy for you guys? Has it tested out well?
(03:42:17 PM) propagandist: keescook: it looks good to me, there is still a mislabeled cups file i need to fix, and some upgrade problems with sepolgen, but in general it looks good
(03:43:11 PM) propagandist: keescook: of course I will be fixing those -^
(03:43:18 PM) keescook: propagandist: okay -- beta freeze starts tomorrow IIRC, so I'd recommend focusing on bug fixes first, then FFe later -- the FFes might not get through :)
(03:43:30 PM) propagandist: keescook: kk
(03:43:45 PM) propagandist: anyone else had a chance to poke at it?
(03:44:21 PM) keescook: I booted it once, found myself in an unconfined X11 session, but it all appears to be running.
(03:44:35 PM) keescook: I haven't tried the relabeling since the fsck/usplash integration work was finished.
(03:44:41 PM) keescook: I think it'll just look like a regular fsck
(03:45:22 PM) keescook: ajmitch, siretart: you guys here? have you played with SELinux in Hardy yet?
(03:46:23 PM) keescook: propagandist: did you reproduce the unconfined X session, or do I just have a weird install?
(03:46:46 PM) propagandist: keescook: I haven't been able to reproduce it :(
(03:47:03 PM) keescook: heh, okay. I'll give it another shot now that I've got kvm running sanely.
(03:47:16 PM) keescook: alright, shall we move on?
(03:47:17 PM) propagandist: keescook: but maybe i'm misunderstanding because you should be unconfined_t
(03:47:29 PM) keescook: oh, that's what I was seeing
(03:47:41 PM) propagandist: ah
(03:47:46 PM) propagandist: ;o} well all is good then
(03:47:46 PM) mathiaz: propagandist: keescook you may wanna ask on ubuntu-hardened for more selinux testing on hardy
(03:47:48 PM) keescook: I'm still an SENewb :)
(03:48:06 PM) propagandist: ;o}
(03:48:12 PM) propagandist: mathiaz: will do
(03:48:16 PM) mathiaz: and add ubuntu-server@lists.ubuntu.com in the game also
(03:48:17 PM) keescook: mathiaz: good idea
(03:48:43 PM) keescook: [action] propagandist to bring up SELinux testing on u-hardened and u-server lists
(03:48:44 PM) MootBot: ACTION received: propagandist to bring up SELinux testing on u-hardened and u-server lists
(03:49:39 PM) propagandist: kk, i'm all out of status
(03:50:22 PM) keescook: okay... Selinux gui utils is skipping (joejaxx is gone)
(03:50:30 PM) keescook: er, skipped
(03:50:41 PM) keescook: [topic] Hardening Wrapper testing
(03:50:41 PM) MootBot: New Topic: Hardening Wrapper testing
(03:50:55 PM) keescook: so, I recompiled all of "main" with the wrappers enabled.
(03:51:21 PM) keescook: I tried full, no-pie, and no-hardening.
(03:51:29 PM) keescook: overall, the results were good
(03:51:34 PM) keescook: [link] http://people.ubuntu.com/~kees/hardening/
(03:51:35 PM) MootBot: LINK received: http://people.ubuntu.com/~kees/hardening/
(03:51:39 PM) keescook: I have all the build logs saved
(03:51:48 PM) keescook: but I threw out the .debs since I didn't have space for it
(03:52:28 PM) keescook: if people are interested in going through the "ok-nohardening.txt" file to figure out what's failing, and opening bugs for it, that would rock
(03:52:41 PM) keescook: (same goes for ok-nopie.txt, but those are likely a bit trickier)
(03:52:45 PM) jdstrand: keescook: did you get a chance to try the rebuild with the i386 personality?
(03:53:01 PM) keescook: jdstrand: oh! no, I didn't.
(03:53:10 PM) keescook: I will start one up over the weekend.
(03:53:22 PM) gaten: keescook: do we have a priority for certain packages in nohardening?
(03:53:27 PM) keescook: I'm also considering generating a PPA that is exclusively hardened builds.
(03:53:42 PM) jdstrand: <mrburns>excellent</mrburns>
(03:54:02 PM) keescook: gaten: no real priority -- my goal is to have those two text files be 0 length by the end of intrepid. :)
(03:54:14 PM) keescook: but I know it's going to be a lot of work.
(03:54:16 PM) gaten: heh, roger that
(03:54:46 PM) keescook: I want to run the PPA idea past the soyuz folks so I don't get poked in the eye :)
(03:55:57 PM) siretart: keescook: re selinux in hardy: yes, at my department we had a course (a week fulltime) where two students played with selinux in hardy
(03:56:04 PM) keescook: a concern brought up on the Debian devel mailing list is one of performance. All the measurements I've done show less than 1% loss for PIE
(03:56:25 PM) keescook: siretart: the new stuff that tresys has worked on?
(03:56:39 PM) siretart: exactly. I instructed them to use the ubuntu-hardened PPA
(03:56:49 PM) keescook: PIE> I am not a statistician. :)
(03:56:56 PM) keescook: siretart: cool!
(03:57:01 PM) propagandist: siretart: !!
(03:57:04 PM) siretart: the objective was writing 2 policy modules: one for mt-daapd and one for boxbackup
(03:57:22 PM) propagandist: siretart: awesome :o} how did it go?
(03:57:23 PM) siretart: propagandist: the __sns__ guy was one of the two students, you remember? ;)
(03:57:33 PM) siretart: both were successful
(03:57:43 PM) siretart: some tools behaved a bit strange compared to fedora
(03:58:17 PM) propagandist: oh? which ones?
(03:59:43 PM) siretart: IIRC adding new selinux users, and listing selinux users. it looked like ubuntu had a different version of the tools or something
(04:00:01 PM) siretart: I have to admit that I don't remember exactly
(04:00:08 PM) propagandist: ah i see
(04:00:09 PM) jdstrand: siretart: how long ago was this?
(04:00:47 PM) siretart: 18.2.2008-22.2.2008
(04:00:51 PM) siretart: was that course
(04:02:17 PM) keescook: emgent had to leave early due to stuff out of his control, so he asked that his topics be postponed
(04:03:16 PM) jdstrand: well, seems the selinux reprise is over
(04:03:25 PM) siretart: anyways, I had a rather good impression of selinux in ubuntu
(04:03:31 PM) keescook: \o/
(04:03:36 PM) propagandist: siretart: thanks for the feedback :o} it's great to hear that it worked for them
(04:03:40 PM) jdstrand: keescook: has there been any more discussion of enabling hardening-wrapper on specific packages
(04:03:43 PM) jdstrand: ?
(04:03:56 PM) siretart: what was most surprising is that the "new" unconfined module in ubuntu was behaving very differently than most documentation out there
(04:04:02 PM) jdstrand: keescook: ie what I added to the Roadmap?
(04:04:10 PM) jdstrand: I admit I haven't done anything with it
(04:04:12 PM) siretart: e.g. we didn't manage to get the gpg module to work in ubuntu at all
(04:04:16 PM) keescook: jdstrand: there hasn't been -- I've been waiting to get feedback from doko about the hardened builds.
(04:04:23 PM) ***jdstrand nods
(04:04:49 PM) keescook: for us to build stuff with hardening enabled via Build-Deps (not the buildds) we'd need to promote hardening-wrapper to main, etc
(04:05:01 PM) siretart: I think what's needed here most is more documentation/explanation of how the unconfined module is supposed to work in ubuntu.
(04:06:13 PM) keescook: jdstrand: so, at least we could provide PPAs for hardened builds too.
(04:07:15 PM) jdstrand: keescook: that would be a good alternative. I'm just really excited about hardening wrapper and thinking about how this is an LTS release
(04:07:15 PM) NthDegree: yes indeed siretart
(04:07:37 PM) propagandist: siretart: kk, i'll look at adding it to the wiki, if you can send me more information on the problems you had getting gpg working that will help
(04:07:39 PM) keescook: jdstrand: yeah, I wish it could have happened earlier, but this is how it worked out. :(
(04:07:55 PM) doko: keescook: yeah ...
(04:08:42 PM) keescook: doko: oh! hey there. :)
(04:09:02 PM) NthDegree: just to satisfy my curiosity: how is unconfined going to handle mprotect ideally?
(04:10:13 PM) doko: keescook: just found me doing uploads for reports assigned to some k...c...
(04:11:10 PM) keescook: doko: oh?
(04:11:13 PM) siretart: propagandist: well, afaiu, the gpg module is not supposed to run from the unconfined role, and a role transition was necessary to do that. I think a small howto or example module or something on how to enable the gpg module for 'normal' users would be a great example!
(04:11:35 PM) propagandist: NthDegree: Can you clarify?
(04:11:49 PM) NthDegree: propagandist: preventing execstack, execmem, execmod etc.
(04:12:09 PM) NthDegree: Fedora prevents that in normal "unconfined".. will Ubuntu have it the reverse way?
(04:12:30 PM) NthDegree: as in tagging apps gradually that can safely be restricted, and leaving the rest truly unrestricted
(04:15:15 PM) keescook: say, let's move the selinux discussion to #ubuntu-hardened, and I can close up this meeting. :)
(04:15:25 PM) keescook: we've got no more topics
(04:15:28 PM) propagandist: kk :o}
(04:15:30 PM) keescook: [topic] schedule
(04:15:30 PM) MootBot: New Topic: schedule
(04:15:37 PM) keescook: next meeting in two weeks, same time?
(04:15:54 PM) jdstrand: good with me
(04:16:11 PM) ***jdstrand will be sure to remember his timezone next time
(04:16:43 PM) keescook: heh
(04:16:53 PM) keescook: okay, thanks very much everyone! great work all around. :)
(04:16:58 PM) keescook: #endmeeting
(04:16:58 PM) MootBot: Meeting finished at 20:16.
(04:17:02 PM) jdstrand: thanks keescook!
MeetingLogs/Security/20080312 (last edited 2008-08-06 16:16:06 by localhost)