Make selinux-policy up-to-date with the latest kernel
Summary
Add new permissions, classes, and capabilities to the selinux policy so that system recognizes them, can boot without an error message, and use them in the actual policy for confined services.
Owner
- Name: Zdenek Pytela, Ondrej Mosnacek
- Email: zpytela@redhat.com, omosnace@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2021-02-02
- FESCo issue: #2561
- Tracker bug: #1924100
- Release notes tracker: #650
Detailed Description
Several new permissions, classes, and capabilities have been added to Linux kernel recently. The current SELinux policy does not reflect all the changes which means it does not make use of all the potential the kernel provides.
The new features include:
- New classes: lockdown perf_event
- New permissions: watch watch_mount watch_reads watch_sb watch_with_perm
- New capabilities: bpf checkpoint_restore perfmon
With these new features, selinux-policy will be aligned with the current kernel.
Feedback
Benefit to Fedora
Adding support for the new features to selinux-policy brings better granularity for granting permissions and have subsequent security benefits.
Additionally, systems can be run with the mls selinux policy: this is currently not possible as using mls policy may prevent a system from starting when there are permissions unknown to the policy which is true in the new kernels.
It will also allow for complex selinux testsuites run instead of skipping parts of the tests, utilising not supported features.
List of the new features and bugzilla links:
Scope
- Proposal owners:
- Add all relevant patches to the current development fedora version
- Ensure the system boots with the targeted policy
- Ensure the system boots with the mls policy
- Ensure the permissions are recognized by the system
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Users should not be directly affected by this change.
N/A (not a System Wide Change)
How To Test
- Boot a system and check for error messages and audit records.
- ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
- dmesg
- journalctl
- Optionally, install and boot the selinux-policy-mls package.
N/A (not a System Wide Change)
User Experience
There's no visible change for end users.
Admins and custom policy authors may need to get familiar with the new features for services which make use of them.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)