https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel
== Summary == Add new permissions, classes, and capabilities to the selinux policy so that system recognizes them, can boot without an error message, and use them in the actual policy for confined services. == Owner == * Name: Zdenek Pytela * Email: zpyt...@redhat.com * Name: Ondrej Mosnacek * Email: omosn...@redhat.com == Detailed Description == Several new permissions, classes, and capabilities have been added to Linux kernel recently. The current SELinux policy does not reflect all the changes which means it does not make use of all the potential the kernel provides. The new features include: * New classes: lockdown perf_event * New permissions: watch watch_mount watch_reads watch_sb watch_with_perm * New capabilities: bpf checkpoint_restore perfmon With these new features, selinux-policy will be aligned with the current kernel. == Benefit to Fedora == Adding support for the new features to selinux-policy brings better granularity for granting permissions and have subsequent security benefits. Additionally, systems can be run with the mls selinux policy: this is currently not possible as using mls policy may prevent a system from starting when there are permissions unknown to the policy which is true in the new kernels. It will also allow for complex selinux testsuites run instead of skipping parts of the tests, utilising not supported features. List of the new features and bugzilla links: * [https://bugzilla.redhat.com/show_bug.cgi?id=1901957 perf_event class ] * [https://bugzilla.redhat.com/show_bug.cgi?id=1915034 watch permissions ] * [https://bugzilla.redhat.com/show_bug.cgi?id=1915184 lockdown class ] * [https://bugzilla.redhat.com/show_bug.cgi?id=1915264 bpf, perfmon, checkpoint_restore capabilities ] == Scope == * Proposal owners: ** Add all relevant patches to the current development fedora version ** Ensure the system boots with the targeted policy ** Ensure the system boots with the mls policy ** Ensure the permissions are recognized by the system * Other developers: N/A (not a System Wide Change) * Policies and guidelines: N/A (not a System Wide Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives: == Upgrade/compatibility impact == N/A (not a System Wide Change) == How To Test == * Boot a system and check for error messages and audit records. ** ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot ** dmesg ** journalctl * Optionally, install and boot the selinux-policy-mls package. == User Experience == There's no visible change for end users. Admins and custom policy authors may need to get familiar with the new features for services which make use of them. == Dependencies == N/A (not a System Wide Change) == Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change) * Contingency deadline: N/A (not a System Wide Change) == Documentation == N/A (not a System Wide Change) -- Ben Cotton He / Him / His Senior Program Manager, Fedora & CentOS Stream Red Hat TZ=America/Indiana/Indianapolis _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
