Picture of Paul Moore

Paul Moore

© 2025 Licensed under CC BY-NC-SA 4.0

Linux 4.9 Released

15 Dec 2016 tags: audit selinux

Linux 4.9 was released the past weekend, on December 11th. Here is a quick summary of the SELinux and audit changes.

SELinux

  • Provide proper SELinux support for overlayfs, a filesystem very important for container workloads.

  • Remove the SECURITY_SELINUX_POLICYDB_VERSION_MAX Kconfig option, its last meaningful use was in the Fedora Core 3 and 4 timeframe.

  • Additional security policy sanity and bounds checking.

Audit

  • Add AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND to the audit kernel feature bitmap to indicate the expanded exclude filters merged in Linux 4.8.

  • Fix a number of problems in the code to ensure that the PIDs recorded in various audit records always match userspace’s view of the process/PID.

  • Prefix the “ioctlcmd” field data with a “0x” to indicate the value is represented in hexadecimal.

NetLabel Tools 0.30.0 Released

08 Dec 2016 tags: netlabel

It has been a while since the last release, but today brings a new release of the NetLabel Tools package, version 0.30.0. NetLabel is a Linux Kernel subsystem that implements network packet labeling protocols such as CIPSO for IPv4 and CALIPSO / RFC 5570 for IPv6; the NetLabel Tools package provides the userspace tools necessary to configure the kernel subsystem.

The primary change in this version of NetLabel Tools is CALIPSO support, which was added to the Linux Kernel in version 4.8; special thanks goes to Huw Davies for his help in this area.

Linux 4.8 Released

18 Oct 2016 tags: audit selinux

This post is also a bit late, Linux 4.8 was released on October 2nd, but better late than never. Here is a quick rundown of the SELinux and audit highlights.

SELinux

  • Support for RFC 5570, Common Architecture Label IPv6 Security Option (CALIPSO). The CALIPSO implementation included in Linux 4.8 has been tested for interoperability with Solaris TX.

  • Bounds checking is now only applied to source types which should make it much easier to write SELinux policies for sandboxing tools that make use of PR_SET_NO_NEW_PRIVS. Additional details can be found in the commit description.

  • A number of bug fixes related to NetLabel, especially the handling of category bitmaps.

  • Fixes to ensure that AF_IUCV sockets are properly labeled.

Audit

  • Expand the exclude filter to include PID, UID, GID, AUID, LOGINUID_SET, and the various SUBJ fields.

  • Internal fixes to both executable name filter and the execve() argument auditing code to ensure safety and proper operation.

  • Add syscall argument masking for s390 applications running on s390x kernels.