Linux 7.1 Released
17 Jun 2026 tags: audit lsm selinux
Linux v7.1 was released this past Sunday, June 14th. I previously wrote about the LSM, SELinux, and audit changes that were submitted this release, and LWN.net did their usual good job of covering the first and second weeks of the merge window. However, there were additional changes that went into Linux v7.1 during the release candidate phase that are described below.
LSM
- Added a new LSM hook, security_unix_find(), to allow pathname-based LSMs, such as AppArmor and Landlock, to enforce access controls on named UNIX socket connections using the socket’s pathname.
- Fixed a problem where we were not taking the credential mutex when updating the current task’s LSM attributes using the lsm_set_self_attr(2) syscall.
SELinux
- Finished the deprecation and removal of the “/sys/fs/selinux/user” API, which was used to list the SELinux security contexts that were reachable for a given user and starting context. The last known user, libselinux, stopped using this API in 2020 and the removal was scheduled for December 2025 or later. While the “/sys/fs/selinux/user” file still exists, writing to it has no effect other than to write a single error message to the system’s console.
- While the “/sys/fs/selinux/checkreqprot” and “/sys/fs/selinux/disable” APIs have been deprecated and made ineffective for some time, writing to those files would still trigger some kernel code. Starting with Linux v7.1 that code has been removed and writing to those files will only trigger a single error message on the system’s console.
- Fixed a problem where the per-task directory access cache introduced in Linux v6.16 was incorrectly caching information that controlled the generation of AVC audit records, leading to potentially missing audit records in some circumstances.
- Fixed a problem where SELinux was not properly accessing the SELinux state associated with a socket object in the kernel, leading to potential conflicts with other LSMs simultaneously running on the system.
- Fixed a problem where SELinux would always reserve an extended attribute slot even if it wasn’t going to be used. As the kernel stops parsing the list of extended attributes when it encounters an empty slot, depending on the system’s configuration there was a possibility that SELinux could obscure the extended attributes of other LSMs.
- Enabled multiple opens of “/sys/fs/selinux/policy” whereas previously only a single open was allowed across the entire system. The related code quality was also improved by shrinking locked sections and removing unnecessary BUG() macros.
- Improved the code quality in the SELinux policy loading code by shrinking the locked section.
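The empty-slot behaviour behind the extended attribute fix above, as a simplified user-space model added here for illustration. It is not kernel or SELinux code, and the slot array, the two stand-in LSMs and every function name are hypothetical.

```c
#include <stdio.h>

/* Simplified user-space model, not kernel code; every name here is hypothetical. */
#define MAX_SLOTS 4
struct xattr_slot { const char *name; const char *value; };

/* Each LSM takes the next slot from one shared, zero-initialised array. */
static struct xattr_slot *get_slot(struct xattr_slot *slots, int *count)
{
    return &slots[(*count)++];
}

/* Before the fix: a slot is reserved even when there is no label to store. */
static void lsm_a_before(struct xattr_slot *slots, int *count, int has_label)
{
    struct xattr_slot *s = get_slot(slots, count);
    if (has_label) { s->name = "lsm_a"; s->value = "label_a"; }
}

/* After the fix: a slot is reserved only when it will be filled. */
static void lsm_a_after(struct xattr_slot *slots, int *count, int has_label)
{
    if (has_label) {
        struct xattr_slot *s = get_slot(slots, count);
        s->name = "lsm_a"; s->value = "label_a";
    }
}

/* A second LSM that always has an xattr to store. */
static void lsm_b(struct xattr_slot *slots, int *count)
{
    struct xattr_slot *s = get_slot(slots, count);
    s->name = "lsm_b"; s->value = "label_b";
}

/* How many xattrs a consumer sees when it stops at the first empty slot. */
int visible_xattrs(int fixed, int a_has_label)
{
    struct xattr_slot slots[MAX_SLOTS] = {{0}};
    int count = 0, seen = 0;
    if (fixed) lsm_a_after(slots, &count, a_has_label);
    else lsm_a_before(slots, &count, a_has_label);
    lsm_b(slots, &count);
    while (seen < MAX_SLOTS && slots[seen].name != NULL) seen++;
    return seen;
}

int main(void) { printf("before: %d, after: %d\n", visible_xattrs(0, 0), visible_xattrs(1, 0)); return 0; }
```

In the "before" variant with no label to store, the second LSM's entry sits behind an empty slot and is never seen by the consumer.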
Audit
- Fixed a problem where the inheritable capability set was incorrectly logged in the audit CAPSET records. The effective capability set was mistakenly recorded as the inheritable set.
- Fixed a problem where the audit configuration lock was not properly enforced on the AUDIT_TRIM and AUDIT_MAKE_EQUIV operations.