Linux 5.1 Released11 May 2019 tags: audit selinux
Linux v5.1 was released on Sunday, May 5th, 2019. Below are the SELinux and audit highlights for the release:
If SELinux is asked to perform an access control check on a file with an invalid SELinux label, the invalid label is now recorded in the SELinux AVC audit record using the "trawcon" field. An example is shown below:
Support was added for proper labeling of kernfs based filesystems. This is of particular interest to those running containers as the cgroup2 filesystem is based on kernfs.
A number of improvements were made to the MDP (Make Dummy Policy) tool which is included in the kernel source tree. While the MDP generated SELinux policy remains more of a demonstration policy rather than a useful, minimal policy; this work brings the MDP policy up to date such that it should be able to work on a modern SELinux system. Those wishing to play with the MDP policy should be sure to boot their system in permissive mode first to verify that everything works as expected.
A number of changes throughout the SELinux code to support the newly added LSM stacking code. While this is a rather significant change to the LSM layer, it should have little effect on existing systems as long as the administrator does not enable the LSM stacking functionality.
The constant sized flex_array structures were converted to use vmalloc allocated memory. Since these were constant sized arrays the flex_array mechanism only added unnecessary complexity.
The SELinux VFS code was updated to use the new internal kernel mounting API. This should have no visible impact to users, administrators, or policy developers.
Fix a problem with labeled NFS where mounting a NFS filesystem twice would result in disabling support for the SELinux labels.
Fix a problem where SELinux file access control denials might not have been logged when in permissive mode.
A few smaller bug fixes not worth mentioning here, but which are still visible in the git log for those who are interested.
The CONFIG_CHANGE records are now associated with other relevant records into a single audit event. Prior to this change the CONFIG_CHANGE records were always standalone records in their own audit event.
An "op" field was added to the "lock" and "set" CONFIG_CHANGE records. This should help provide some needed context for the audit event.
The filesystem type filter was expanded and now applies to all of the inode auditing code.
File capabilities are no longer recorded when unmounting a filesystem. This prevents a potential hang when unmounting a filesystem and due to the nature of the unmount operation, this should have little practical impact on the data recorded in the audit log.
Added support for file capabilities version 3.