Linux 7.2 Merge Window
19 Jun 2026 tags: audit lsm selinux

Linux v7.1 was released on Sunday, June 14th, with the Linux v7.2 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.
LSM
- Updated the `security_inode_listsecurity()` LSM hook so that individual LSMs could make use of the `xattr_list_one()` helper function, simplifying their code and making it more robust against future extended attribute changes.
SELinux
- Added a number of additional validations to the SELinux policy parsing and loading code. Not only does this help ensure only valid policies are loaded into the kernel, it will also help administrators identify and correct faulty SELinux policies at load time.
- Removed nontransitive comparisons in the SELinux sorting code to help ensure predictable sorting results. Qualys documented a similar issue in glibc’s qsort code with a detailed explanation of the problem and the fix.
- Updated the code to consistently use the `u16` type for SELinux security classes.
- Moved some memory page allocations to use `kmalloc()` based allocations. This change should increase scalability and open the door to additional debugging mechanisms. Expect more work in this area in the next Linux kernel release.
- Move from `kmalloc_objs()` to `kzalloc_objs()` in the SELinux policy loading code. This should help protect the kernel against ill-formed policies.
- Reorder some of the processing in `sel_kill_sb()` to better match other pseudo-filesystems.
- Simplify the code with the use of `QSTR()` instead of `QSTR_INIT()`.
- Minor comment fixes.
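As an added illustration of the bug class behind the sorting change above (constructed example code, not the SELinux patch or the glibc fix; the "wildcard" comparator and the sample values are assumptions), here is a nontransitive comparator beside a consistent one, with a brute-force checker for the properties a sort relies on:

```c
#include <stddef.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed example of the bug class: a comparator that treats 0 as a
 * wildcard equal to anything. cmp(1,0)==0 and cmp(0,2)==0, yet cmp(1,2)<0,
 * so it is not transitive and a sort using it can give unpredictable order. */
static int cmp_wildcard(const void *pa, const void *pb)
{
    unsigned short a = *(const unsigned short *)pa, b = *(const unsigned short *)pb;
    if (a == 0 || b == 0)
        return 0;
    return (a > b) - (a < b);
}

/* Consistent three-way comparison: a total order, safe for sorting. */
static int cmp_total(const void *pa, const void *pb)
{
    unsigned short a = *(const unsigned short *)pa, b = *(const unsigned short *)pb;
    return (a > b) - (a < b);
}

static int sgn(int x) { return (x > 0) - (x < 0); }

/* Brute-force check, over every triple of sample values, of the properties a
 * sort relies on: antisymmetry (cmp(a,b) and cmp(b,a) have opposite signs)
 * and transitivity (a<=b and b<=c imply a<=c). Returns 1 if consistent, else 0. */
int comparator_is_consistent(cmp_fn cmp, const unsigned short *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int ab = sgn(cmp(&v[i], &v[j]));
            if (ab != -sgn(cmp(&v[j], &v[i])))
                return 0;
            for (size_t k = 0; k < n; k++)
                if (ab <= 0 && sgn(cmp(&v[j], &v[k])) <= 0 &&
                    sgn(cmp(&v[i], &v[k])) > 0)
                    return 0;
        }
    return 1;
}

/* Constructed sample values standing in for security class identifiers. */
const unsigned short sample_classes[] = { 0, 1, 2, 3 };
const size_t sample_count = 4;
```

Running the checker over the sample values reports the wildcard comparator as inconsistent (triple 2, 0, 1) and the three-way comparator as consistent.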
Audit
- Fixed a recursive deadlock when duplicating executable file rules. The fix involved passing resolved inodes through the audit code to avoid triggering additional inode lookups and potentially causing a deadlock.
- Fixed a problem where it was not possible to delete an executable file watch after the file was deleted. The fix involved removing a negative dentry check that was preventing the kernel from looking up the file watch associated with the deleted file.
- Updated the code to consistently use the `unsigned int` type instead of `unsigned`.