Linux 4.8 Released18 Oct 2016 tags: audit selinux
This post is also a bit late, Linux 4.8 was released on October 2nd, but better late than never. Here is a quick rundown of the SELinux and audit highlights.
Support for RFC 5570, Common Architecture Label IPv6 Security Option (CALIPSO). The CALIPSO implementation included in Linux 4.8 has been tested for interoperability with Solaris TX.
Bounds checking is now only applied to source types which should make it much easier to write SELinux policies for sandboxing tools that make use of PR_SET_NO_NEW_PRIVS. Additional details can be found in the commit description.
A number of bug fixes related to NetLabel, especially the handling of category bitmaps.
Fixes to ensure that AF_IUCV sockets are properly labeled.
Expand the exclude filter to include PID, UID, GID, AUID, LOGINUID_SET, and the various SUBJ fields.
Internal fixes to both executable name filter and the execve() argument auditing code to ensure safety and proper operation.
Add syscall argument masking for s390 applications running on s390x kernels.