14:50:13 <flock-ectr112> #startmeeting
14:50:13 <zodbot> Meeting started Sat Aug 10 14:50:13 2013 UTC. The chair is flock-ectr112. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:50:13 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:50:37 <flock-ectr112> #topic domains
14:50:46 <flock-ectr112> 735 total domains (process types)
14:50:59 <flock-ectr112> 71 of them are unconfined
14:51:28 <flock-ectr112> some domains are allowed to run unconfined so that some third party processes can run properly
14:51:58 <flock-ectr112> remove unconfined domains using semodule -d unconfined
14:52:03 <flock-ectr112> will disable most of the unconfined modules
14:52:53 <flock-ectr112> brings it down to 11 unconfined domains
14:53:04 <flock-ectr112> new confined domains in F19
14:53:25 <flock-ectr112> pkcsslotd_t, slpd_t, sensord_t, mandb_t, glusterd_t, stapserver_t, realmd_t, phpfpm_t
14:53:44 <flock-ectr112> new domains are run in permissive mode
14:54:12 <flock-ectr112> rawhide/fedora users are guinea pigs to see what restrictions are needed
14:54:58 <flock-ectr112> #topic sepolicy tool chain
14:55:03 <flock-ectr112> new set of tools
14:56:04 <flock-ectr112> booleans - describe booleans
14:56:32 <flock-ectr112> communicate - can domains communicate with each other
14:56:40 <flock-ectr112> generate - generate selinux policy module template
14:56:51 <flock-ectr112> gui - new application sentry gui
14:57:33 <flock-ectr112> interface - QA tool to see policy interfaces
14:57:51 <flock-ectr112> manpage - generate selinux man pages
14:59:14 <flock-ectr112> network - see network information
14:59:32 <flock-ectr112> transition - see how domains can transition to the target domain
15:00:03 <flock-ectr112> #topic selinux demonstration
15:02:34 <flock-ectr112> SELinux Policy Manager demonstration
15:04:17 <flock-ectr112> makes it easy to add/change file context labeling
15:06:25 <flock-ectr112> transitions tab shows you all the application and file transitions for the selected context
15:06:43 <flock-ectr112> network tab shows ports and protocols used
15:06:52 <flock-ectr112> for inbound and outbound connections
15:08:30 <flock-ectr112> can be run in userspace
15:09:38 <flock-ectr112> #topic SELinux and containers
15:10:01 <flock-ectr112> for the cloud
15:12:03 <flock-ectr112> (video)
15:15:02 <flock-ectr112> #topic mislabeled file objects
15:15:45 <flock-ectr112> when selinux causes problems, usually it's because content is mislabeled
15:15:52 <flock-ectr112> #topic classic selinux issue
15:16:06 <flock-ectr112> ~/index.html
15:16:15 <flock-ectr112> move to system web directory
15:16:23 <flock-ectr112> when viewing, get permission denied
15:16:45 <flock-ectr112> because mv preserved permissions (incl selinux label)
15:17:19 <flock-ectr112> look in /var/log/httpd/error_log
15:17:28 <flock-ectr112> tells you permission denied
15:17:48 <flock-ectr112> permissions look ok. darned selinux must be causing the problem
15:18:03 <flock-ectr112> kernel sends message to audit daemon
15:18:12 <flock-ectr112> auditd writes message to /var/log/audit/audit.log
15:18:44 <flock-ectr112> now you know what happened
15:19:05 <flock-ectr112> setroubleshootd will tell you what went wrong and writes message to /var/log/messages
15:19:31 <flock-ectr112> tells you to run sealert for additional information
15:19:51 <flock-ectr112> sealert gives you the diagnosis and what to do to fix
15:20:16 <flock-ectr112> lots of good tools to tell you what's wrong, but it's written all over the place
15:20:59 <flock-ectr112> solution? setroubleshoot integration with journald
15:21:20 <flock-ectr112> setroubleshoot isn't writing about itself, it's writing about something else though
15:22:24 <flock-ectr112> now can use systemctl status -l to see problems
15:22:43 <flock-ectr112> message is truncated, but you can go into the journal to see the full message
15:23:04 <flock-ectr112> #topic secure linux containers
15:23:19 <flock-ectr112> (demo of containers)
15:25:10 <flock-ectr112> #topic labeled NFS
15:25:44 <flock-ectr112> taken 7-8 years to get extended attributes to work over NFS
15:26:13 <flock-ectr112> fedora is currently the only distro that supports labeled NFS
15:26:45 <flock-ectr112> currently in F20
15:27:10 <flock-ectr112> q: will it be supported on RH storage server?
15:27:16 <flock-ectr112> a: not for a while
15:28:08 <flock-ectr112> labeled NFS is standardized now, so should be getting implemented soon
15:28:39 <flock-ectr112> #topic confining users
15:28:58 <flock-ectr112> FreeIPA supports selinux confined users
15:30:12 <flock-ectr112> can also have confined admins
15:30:35 <flock-ectr112> confined users active directory being worked on
15:30:38 <flock-ectr112> #topic future
15:30:52 <flock-ectr112> new core utils
15:31:19 <flock-ectr112> -Z flag for mv, cp, install, mkdir
15:31:34 <flock-ectr112> label files correctly
15:32:31 <flock-ectr112> new files/directories are labeled according to the parent dir
15:33:12 <flock-ectr112> should show up in F20
15:33:20 <flock-ectr112> friendly EPERM
15:34:44 <flock-ectr112> would like side channel avail to a process to tell it why permission was denied
15:35:04 <flock-ectr112> kernel only tells process "permission denied". process doesn't know why
15:35:57 <flock-ectr112> still being worked on
15:36:04 <flock-ectr112> #topic questions
15:36:14 <flock-ectr112> q: what about seandroid?
15:36:31 <flock-ectr112> a: you know this is a fedora conference, not an android conference?
15:36:41 <flock-ectr112> seandroid is based on MCS separation
15:36:52 <flock-ectr112> (we don't work on it)
15:37:04 <flock-ectr112> every app gets a separate MCS label
15:38:50 <flock-ectr112> q: is there an easy way to tie selinux to a storage LUN
15:38:59 <flock-ectr112> every device on the system is labeled
15:39:16 <flock-ectr112> default label of a fixed device is fixed_disk_t
15:39:23 <flock-ectr112> very few apps get permissions to access
15:40:16 <flock-ectr112> q: is there any way to make sure selinux configs weren't changed
15:40:50 <flock-ectr112> a: currently not done, probably should make some tools to do this
15:44:05 <flock-ectr112> #endmeeting