Friday, 2015-03-20

*** tkelsey has joined #openstack-security 00:28
*** tkelsey has quit IRC 00:32
*** markvoelker has quit IRC 00:37
*** bknudson has joined #openstack-security 00:51
*** edmondsw has quit IRC 01:01
*** markvoelker has joined #openstack-security 01:17
*** markvoelker has quit IRC 01:22
*** ukbelch has joined #openstack-security 01:28
*** ukbelch has quit IRC 01:32
*** bpokorny_ has quit IRC 01:33
*** browne has quit IRC 01:48
*** markvoelker has joined #openstack-security 02:18
*** browne has joined #openstack-security 02:21
*** markvoelker has quit IRC 02:22
*** jamielennox is now known as jamielennox|lunc 02:32
*** jamielennox|lunc is now known as jamielennox|food 02:32
*** tmcpeak has quit IRC 02:36
*** jamielennox|food is now known as jamielennox 03:01
*** subscope_ has joined #openstack-security 03:05
*** ukbelch has joined #openstack-security 03:17
*** markvoelker has joined #openstack-security 03:19
*** ukbelch has quit IRC 03:21
*** markvoelker has quit IRC 03:23
*** markvoelker has joined #openstack-security 04:19
*** markvoelker has quit IRC 04:24
*** tkelsey has joined #openstack-security 04:36
*** tkelsey has quit IRC 04:41
*** dave-mcc_ has joined #openstack-security 04:57
*** dave-mccowan has quit IRC 04:57
*** ukbelch has joined #openstack-security 05:06
*** ukbelch has quit IRC 05:10
*** markvoelker has joined #openstack-security 05:20
*** markvoelker has quit IRC 05:25
*** dave-mcc_ has quit IRC 05:30
*** markvoelker has joined #openstack-security 06:21
*** markvoelker has quit IRC 06:26
*** jamielennox is now known as jamielennox|away 06:35
*** subscope_ has quit IRC 06:42
*** ukbelch has joined #openstack-security 06:52
*** ukbelch has quit IRC 06:56
*** browne has quit IRC 07:03
*** markvoelker has joined #openstack-security 07:22
*** markvoelker has quit IRC 07:27
*** openstackgerrit has quit IRC 08:22
*** openstackgerrit has joined #openstack-security 08:22
*** markvoelker has joined #openstack-security 08:22
*** markvoelker has quit IRC 08:27
*** ukbelch has joined #openstack-security 08:41
*** ukbelch has quit IRC 08:46
*** ukbelch has joined #openstack-security 09:02
*** jamielennox|away is now known as jamielennox 09:14
*** tkelsey has joined #openstack-security 09:19
*** markvoelker has joined #openstack-security 09:23
*** tkelsey has quit IRC 09:24
*** ukbelch has quit IRC 09:24
*** tkelsey has joined #openstack-security 09:24
*** markvoelker has quit IRC 09:28
*** markvoelker has joined #openstack-security 10:24
*** markvoelker has quit IRC 10:29
*** tkelsey has quit IRC 10:56
*** tkelsey has joined #openstack-security 10:56
*** ukbelch has joined #openstack-security 10:58
*** tmcpeak has joined #openstack-security 11:01
*** ukbelch has quit IRC 11:08
*** ukbelch has joined #openstack-security 11:44
*** ukbelch has quit IRC 11:51
*** ukbelch has joined #openstack-security 11:56
*** markvoelker has joined #openstack-security 12:03
*** ukbelch has quit IRC 12:16
*** ukbelch has joined #openstack-security 12:26
*** bknudson has quit IRC 12:29
*** edmondsw has joined #openstack-security 12:39
*** singlethink has joined #openstack-security 12:52
*** bknudson has joined #openstack-security 12:54
*** jamielennox is now known as jamielennox|away 13:36
*** ljfisher has joined #openstack-security 13:38
*** tkelsey has quit IRC 13:51
*** raginbajin has joined #openstack-security 13:55
*** ukbelch has quit IRC 13:56
*** sicarie has joined #openstack-security 14:09
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Adding new introudctions for chapters missing one https://review.openstack.org/164883 14:23
*** singlethink has quit IRC 14:36
*** dave-mccowan has joined #openstack-security 14:41
*** singlethink has joined #openstack-security 14:41
*** voodookid has joined #openstack-security 14:43
*** voodookid has quit IRC 14:47
*** browne has joined #openstack-security 14:50
*** elo has joined #openstack-security 14:57
*** voodookid has joined #openstack-security 15:02
*** dwyde has joined #openstack-security 15:02
*** bpokorny has joined #openstack-security 15:18
*** openstackgerrit has quit IRC 15:21
*** openstackgerrit has joined #openstack-security 15:22
*** ukbelch has joined #openstack-security 15:22
*** singlethink has quit IRC 15:30
<sicarie> Does anyone here know of decent SELinux/AppArmor profiles for OpenStack? 15:43
<sicarie> I found https://github.com/openstack/tripleo-image-elements/tree/master/elements/selinux 15:43
<sicarie> But was curious if anyone knew if more was out there 15:43
<nkinder> sicarie: there is quite a bit of openstack stuff in the base selinux-policy on RHEL/CentOS/Fedora 15:44
<sicarie> awesome, thanks nkinder 15:45
<nkinder> Also, there is an openstack-selinux package that has additional policy that layers on-top 15:45
<sicarie> Interesting, I was not aware of that 15:45
<nkinder> I don't really see people writing additional policy on a per-deployment basis (maybe labelling some custom paths or things like that) 15:45
<sicarie> Yeah, I'm trying to put together some stuff for the secguide on the compute section 15:46
<sicarie> The Philly notes were really interesting 15:46
*** browne has quit IRC 15:46
<nkinder> the ops meeting? 15:46
<sicarie> yeah 15:46
*** dwyde has quit IRC 15:47
<sicarie> I don't remember if it was in there, or in a bug linked from there, but they were talking about pushing the responsibility for the selinux/apparmor profiles to the individual operators 15:47
<nkinder> yeah, some interesting stuff 15:47
*** elo has quit IRC 15:47
<nkinder> wow, that seems like a lot to ask of an operator 15:47
<nkinder> writing policy can be pretty tough 15:47
*** dwyde has joined #openstack-security 15:47
<sicarie> I was surprised by that statement as well 15:47
*** singlethink has joined #openstack-security 16:15
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Fixed -n flag processing https://review.openstack.org/166301 16:19
*** ukbelch has quit IRC 16:26
<sicarie> Comments/critiques welcome on my current outline for Compute chapter: https://bugs.launchpad.net/openstack-manuals/+bug/1412975 16:31
<openstack> Launchpad bug 1412975 in openstack-manuals "Security Guide - Compute Section" [Low,Confirmed] - Assigned to N Dillon (sicarie) 16:31
<sicarie> nkinder: I didn't include rdo/rhel selinux policies in there as I couldn't see them in a public repo, digging into rdo's is on my todo list 16:31
<sicarie> This is just my cursory pass, I have more to do on each section 16:32
*** browne has joined #openstack-security 16:35
*** ljfisher has quit IRC 16:37
<nkinder> sicarie: it's all public 16:41
<sicarie> nkinder: what I saw on the rdo site (and again, this is with ~10 seconds of Googling) linked to an empty git repo 16:42
<nkinder> sicarie: SRPM is the best way to get at it 16:42
<tmcpeak> if it doesn't exist in 10 seconds of googling, it doesn't exist ;) 16:42
<sicarie> So what I found right away was: https://github.com/redhat-openstack/openstack-selinux 16:43
<nkinder> sicarie: ftp://ftp.redhat.com/redhat/linux/enterprise/7Server/en/RHOS/SRPMS/ 16:44
<sicarie> integrated into rdo definitely deserves a mention, but I want to be able to call out what does and doesn't have policies 16:44
<sicarie> Awesome 16:44
<nkinder> that will have the openstack-selinux SRPMS for RHEL OSP 16:44
<nkinder> sicarie: RHEL SRPMS are now hosted via centos 16:45
<nkinder> https://git.centos.org/project/rpms 16:45
<sicarie> nkinder: thanks, did not know about this yet! 16:46
*** openstackgerrit has quit IRC 17:21
*** openstackgerrit has joined #openstack-security 17:21
*** ljfisher has joined #openstack-security 17:27
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Fixed -n flag processing https://review.openstack.org/166301 17:28
*** ukbelch has joined #openstack-security 17:33
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Fixed -n flag processing https://review.openstack.org/166301 17:34
*** ukbelch has quit IRC 17:39
*** rkgudboy has joined #openstack-security 17:43
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Moving introduction sections 'up' from section_* files to ch_* files https://review.openstack.org/164526 17:45
*** rkgudboy has quit IRC 17:50
*** dwyde has quit IRC 17:53
*** bpokorny_ has joined #openstack-security 17:56
*** bpokorn__ has joined #openstack-security 17:58
*** bpokorny has quit IRC 17:59
*** bpokorny has joined #openstack-security 18:00
*** bpokorny_ has quit IRC 18:02
*** JAHoagie has joined #openstack-security 18:02
*** bpokorn__ has quit IRC 18:04
<tmcpeak> nkinder: you around? 18:04
<nkinder> tmcpeak: yep 18:06
<tmcpeak> no judgies: http://pastebin.com/bAGv7RBU 18:06
<tmcpeak> super hack city 18:06
<tmcpeak> but it works 18:06
<tmcpeak> open question - how to handle newlines 18:06
<nkinder> tmcpeak: well, we're going to need a program to do the inverse conversion (YAML -> e-mail format) 18:07
<tmcpeak> That should be easy 18:07
<nkinder> I think that's where we will have logic to put newlines at the correct wrapping width 18:08
<tmcpeak> sure, yeah that's no problem 18:08
<nkinder> So in YAML, I'm not too picky about where the newlines would be 18:08
<tmcpeak> the difficult part with this is, sometimes we obviously want to preserve newlines, like around code segments 18:08
<nkinder> Yes, so maybe we have no newlines except those that we want to preserve 18:08
<nkinder> ...in YAML 18:08
<nkinder> then we wrap long lines in the YAML->OSSN automagically 18:09
<tmcpeak> yeah, but how do you programmatically determine which newlines you want to preserve? 18:09
<nkinder> well that's the rub :) 18:09
<tmcpeak> yeah, prob not possible 18:09
<nkinder> I don't think we can 18:09
<tmcpeak> yeah, so I think this is as close to magic we can do for this 18:09
<tmcpeak> has dropped text into yaml format sensibly 18:09
<tmcpeak> now we just need to clean up 18:09
<tmcpeak> shouldn't be too much labor 18:09
<nkinder> yeah, just a bit of mindless manual work :) 18:10
<tmcpeak> yep yep 18:11
<tmcpeak> so.. my weekend tribute to you nkinder is that hacky script :P 18:11
<nkinder> thanks! 18:11
<tmcpeak> sure thing 18:11
<tmcpeak> nkinder: when we're ready for other way around I can bang something up that will wrap lines back 18:12
*** dwyde has joined #openstack-security 18:14
*** dwyde has quit IRC 18:15
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Fixed -n flag processing https://review.openstack.org/166301 18:21
*** ukbelch has joined #openstack-security 18:21
*** tkelsey has joined #openstack-security 18:21
*** ukbelch has quit IRC 18:35
*** sweston has quit IRC 18:38
*** erw has quit IRC 18:39
*** dwyde has joined #openstack-security 18:49
*** ukbelch has joined #openstack-security 19:02
*** tkelsey has quit IRC 19:03
*** dwyde has quit IRC 19:07
*** ukbelch has quit IRC 19:26
*** jeanmanuel has joined #openstack-security 19:54
*** singlethink has quit IRC 19:55
<jeanmanuel> hello 19:55
<jeanmanuel> who speaks Spanish 19:55
*** jeanmanuel has left #openstack-security 19:55
*** jeanmanuel has joined #openstack-security 19:56
*** jeanmanuel has left #openstack-security 19:56
*** singlethink has joined #openstack-security 20:05
*** erw has joined #openstack-security 20:15
*** sweston has joined #openstack-security 20:16
<openstackgerrit> Shellee Arnold proposed openstack/security-doc: Fix for restatement of duplicated work https://review.openstack.org/163946 20:35
*** hyakuhei has joined #openstack-security 20:46
*** ljfisher has quit IRC 20:57
*** tkelsey has joined #openstack-security 21:00
*** tkelsey has quit IRC 21:04
*** bpokorny_ has joined #openstack-security 21:09
*** sicarie has quit IRC 21:12
*** bpokorny has quit IRC 21:13
*** hyakuhei has quit IRC 21:24
*** singlethink has quit IRC 21:36
*** jamielennox|away is now known as jamielennox 21:49
*** singlethink has joined #openstack-security 21:52
*** edmondsw has quit IRC 21:53
*** JAHoagie has quit IRC 22:03
*** jamielennox is now known as jamielennox|away 22:05
*** JAHoagie has joined #openstack-security 22:31
*** singlethink has quit IRC 22:34
*** bknudson has quit IRC 22:36
*** JAHoagie has quit IRC 22:47
*** voodookid has quit IRC 22:49
*** dave-mccowan has quit IRC 23:20
*** tkelsey has joined #openstack-security 23:31
*** tkelsey has quit IRC 23:35
*** dave-mccowan has joined #openstack-security 23:38
*** markvoelker has quit IRC 23:42
*** JAHoagie has joined #openstack-security 23:50
