The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
For details on how to fill out this form, see the documentation.
Make selinux-policy up-to-date with the latest kernel
Summary
Add new permissions, classes, and capabilities to the selinux policy so that system recognizes them and boots without an error message.
Owner
- Name: Zdenek Pytela
- Email: zpytela@redhat.com
- Name: Ondrej Mosnacek
- Email: omosnace@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2021-01-12
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Several new permissions, classes, and capabilities have been added to Linux kernel recently. The current SELinux policy does not reflect all the changes which means it does not make use of all the potential the kernel provides.
Feedback
Benefit to Fedora
Adding support for the new features to selinux-policy brings better granularity for granting permissions and have subsequent security benefits.
Scope
- Proposal owners:
- Add all relevant patches to upstream repository
- Ensure the system boots with the targeted policy
- Ensure the system boots with the mls policy
- Ensure the permissions are recognized
- Ensure there is no regression in services usage
- List of the new features:
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Users should not be directly affected by this change.
N/A (not a System Wide Change)
How To Test
- Boot a system and check for error messages and audit records.
- Optionally, install and boot the selinux-policy-mls package.
N/A (not a System Wide Change)
User Experience
There's no visible change for end users with SELinux enabled.
Admins and custom policy authors need to get known with the new features for services which make use of them.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)