Fedora 34 Change: Make selinux-policy up-to-date with the latest kernel (Self-Contained Change proposal)

2021-01-15 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/Make_selinux_policy_uptodate_with_current_kernel


== Summary ==
Add new permissions, classes, and capabilities to the selinux policy
so that the system recognizes them, can boot without an error message, and
uses them in the actual policy for confined services.

== Owner ==
* Name: Zdenek Pytela
* Email: zpyt...@redhat.com
* Name: Ondrej Mosnacek
* Email: omosn...@redhat.com


== Detailed Description ==
Several new permissions, classes, and capabilities have been added to
Linux kernel recently. The current SELinux policy does not reflect all
the changes which means it does not make use of all the potential the
kernel provides.

The new features include:
* New classes: lockdown perf_event
* New permissions: watch watch_mount watch_reads watch_sb watch_with_perm
* New capabilities: bpf checkpoint_restore perfmon

With these new features, selinux-policy will be aligned with the current kernel.


== Benefit to Fedora ==
Adding support for the new features to selinux-policy brings better
granularity for granting permissions and has subsequent security
benefits.

Additionally, systems can be run with the mls selinux policy: this is
currently not possible as using mls policy may prevent a system from
starting when there are permissions unknown to the policy which is
true in the new kernels.

It will also allow complex selinux testsuites to run instead of
skipping parts of the tests utilising unsupported features.

List of the new features and bugzilla links:
* [https://bugzilla.redhat.com/show_bug.cgi?id=1901957 perf_event class]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1915034 watch permissions]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1915184 lockdown class]
* [https://bugzilla.redhat.com/show_bug.cgi?id=1915264 bpf, perfmon, checkpoint_restore capabilities]

== Scope ==
* Proposal owners:
** Add all relevant patches to the current development fedora version
** Ensure the system boots with the targeted policy
** Ensure the system boots with the mls policy
** Ensure the permissions are recognized by the system

* Other developers: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==
N/A (not a System Wide Change)

== How To Test ==
* Boot a system and check for error messages and audit records.
** ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
** dmesg
** journalctl
* Optionally, install and boot the selinux-policy-mls package.


== User Experience ==
There's no visible change for end users.

Admins and custom policy authors may need to get familiar with the new
features for services which make use of them.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)


== Documentation ==
N/A (not a System Wide Change)



-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
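
The boot check from "How To Test" in the SELinux proposal above can be scripted. The following is an added example, not part of the original message or of selinux-policy: it extracts the classes and permissions that the kernel log reports as missing from the loaded policy. The lines in SAMPLE_LOG are constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example: list kernel classes/permissions the loaded policy does not define.
# SAMPLE_LOG is constructed for illustration; on a real system pipe `dmesg` or
# `journalctl -k -b` into the functions instead.

SAMPLE_LOG='[    3.101] SELinux:  Permission watch in class file not defined in policy.
[    3.102] SELinux:  Permission watch_mount in class dir not defined in policy.
[    3.103] SELinux:  Class perf_event not defined in policy.
[    3.104] SELinux:  Class lockdown not defined in policy.
[    3.105] SELinux: the above unknown classes and permissions will be allowed
[    3.200] audit: type=1403 audit(0.0:2): auid=4294967295 ses=4294967295 lsm=selinux res=1'

# Read kernel log text on stdin; print one line per gap:
# "class NAME" or "perm CLASS:NAME".
unknown_to_policy() {
    sed -nE \
        -e 's/.*SELinux: +Class ([A-Za-z0-9_]+) not defined in policy.*/class \1/p' \
        -e 's/.*SELinux: +Permission ([A-Za-z0-9_]+) in class ([A-Za-z0-9_]+) not defined in policy.*/perm \2:\1/p' \
        | LC_ALL=C sort -u
}

# Read kernel log text on stdin; print how the kernel treats the gaps
# ("allowed" or "denied"), or "none" when no summary line is present.
unknown_handling() {
    mode=$(sed -nE 's/.*SELinux: +the above unknown classes and permissions will be ([a-z]+).*/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-none}"
}

# Read kernel log text on stdin; return 0 when no gaps are reported,
# otherwise print the gaps and return 1.
policy_matches_kernel() {
    gaps=$(unknown_to_policy)
    if [ -z "$gaps" ]; then
        return 0
    fi
    printf '%s\n' "$gaps"
    return 1
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_LOG" | policy_matches_kernel; then
    echo "policy defines everything the kernel asked for"
else
    echo "handling: $(printf '%s\n' "$SAMPLE_LOG" | unknown_handling)"
fi
```

An empty result after booting with the updated policy means the kernel found every class and permission it knows about; any remaining `class` or `perm` line names what the policy still lacks.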


Fedora 35 Change: Retire python3.5 (Self-Contained Change proposal)

2021-01-15 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/RetirePython3.5


== Summary ==
The {{package|python3.5}} package will be retired without replacement
from [[Releases/35|Fedora 35]]. Python 3.5 has been End of Life since
September 2020 and was kept around only to test software targeting
Ubuntu 16.04 “Xenial Xerus” LTS and Debian 9 “Stretch” LTS. The
removal is more or less aligned with
[https://wiki.debian.org/LTS/Stretch Debian 9 EOL] (2022-06-30) --
Fedora 34 EOLs on 2022-05-17. Ubuntu 16.04 LTS EOLs sooner, in April
2021.

== Owner ==
* Name: [[User:Churchyard|Miro Hrončok]]
* Email: mhron...@redhat.com


== Detailed Description ==
The {{package|python3.5}} package with the Python interpreter in
version 3.5 is kept in Fedora only to make it possible for Fedora
users to test their software against the Python version shipped in
Ubuntu 16.04 “Xenial Xerus” LTS and Debian 9 “Stretch” LTS.

[https://wiki.ubuntu.com/Releases Ubuntu 16.04 “Xenial Xerus” LTS
standard support ends in April 2021].
[https://wiki.debian.org/LTS/Stretch Debian 9 “Stretch” LTS is End of
Life in 2022-06]. This very roughly corresponds with the
[https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html
Fedora 34 EOL]. Hence, we decided to retire (completely remove)
{{package|python3.5}} from Fedora 35, before it gets released. Users
who target Debian 9 can use Fedora 34 until it EOLs.

== Feedback ==
This was announced on the Python list prior to submitting the change
proposal: 
https://lists.fedoraproject.org/archives/list/python-de...@lists.fedoraproject.org/thread/ITX7QFF6CLBOOAPE4RA52QTGPMEL5QII/

There was no pushback.

== Benefit to Fedora ==
The maintenance of Python 3.5 was getting harder and harder every
year. The support for Python 3.5 has disappeared from pip and
setuptools, and an older version of pip/setuptools has to be bundled
in {{package|python3.5}}, while pip and setuptools bundle even more
old libraries. Support from tox and virtualenv will eventually
disappear as well.

There is no direct benefit here, except that we don't want to maintain
it anymore and we don't think it's a good idea either.

Consider this change proposal a louder orphaning, except that we will
continue to maintain the package in older released and supported
Fedoras (33 and 34). If you wish to continue maintaining Python 3.5 in
Fedora, please [[SIGs/Python|speak to us]] first.

== Scope ==
* Proposal owners: Retire {{package|python3.5}}. Obsolete it from
{{package|fedora-obsolete-packages}} if it causes troubles on
upgrades. Make sure no Fedora package depends on it in any way (incl.
weak dependencies).
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==
The package will no longer be available from the repositories, but it
may remain on existing installations. If it causes troubles on
upgrade, it needs to be obsoleted.

== How To Test ==
N/A (not a System Wide Change)

== User Experience ==
No more Python 3.5 to test user software on.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)
* Blocks product? product

== Documentation ==
N/A (not a System Wide Change)




-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis


Fedora 34 Mass Rebuild

2021-01-15 Thread Mohan Boddu
Hi all,

Per the Fedora 34 schedule[1] we will start a mass rebuild for Fedora 34
on Jan 20th 2021. We will run a mass rebuild for Fedora 34 for the
changes listed in:

https://pagure.io/releng/issues?status=Open=mass+rebuild

Mass rebuild will be done in a side tag (f34-rebuild) and moved over
when completed.

Failures can be seen
https://kojipkgs.fedoraproject.org/mass-rebuild/f34-failures.html

Things still needing rebuilt
https://kojipkgs.fedoraproject.org/mass-rebuild/f34-need-rebuild.html

FTBFS bugs will be filed shortly.

Please be sure to let releng know if you see any bugs in the
reporting. You can contact releng in #fedora-releng on freenode, by
dropping an email to our list[2] or filing an issue in pagure[3]

Regards,
Mohan Boddu.

[1] https://fedorapeople.org/groups/schedule/f-34/f-34-key-tasks.html
[2] https://lists.fedoraproject.org/admin/lists/rel-eng.lists.fedoraproject.org/
[3] https://pagure.io/releng/