I’m on my way back home from my first Flock conference and I can say that I’m very happy I was able to attend. The talks were quite good, especially the presentations and demos around the Fedora Modularity effort, but as usual the real value was getting a chance to talk with other developers and contributors face to face.
At Flock I did give a presentation discussing some of the development kernel testing I’ve been doing over the past year with the SELinux and audit trees. The talk was recorded and once I have a link, I’ll update this post; in the meantime I’ve put a link to the slides (in PDF form) below. If you have any questions I’m always happy to talk over email/Twitter.
UPDATE: The Fedora Project’s video of the presentation has been linked below.
Linux 4.7 was released almost two weeks ago, but due to some travel I haven’t had any time to write up the usual release notes. However, I did manage to find a few minutes, so without further delay I present to you the SELinux and audit highlights in the latest Linux Kernel major release.
SELinux
Add the ability to restrict kernel module loading via the new “system:module_load” permission.
Distinguish between the init and non-init user namespaces when performing capability checks. The init namespace uses the existing “cap” and “cap2” object classes while non-init user namespaces use “cap_userns” and “cap2_userns”.
Apply the “process:execstack” check to thread stacks allocated via mmap().
Audit
Add the terminal information to the LOGIN record via the “tty” field.
I’ve never been a fan of GRUB2, I much prefer the simplicity of GRUB Legacy, and as a result I never spent much time learning how to configure it; I simply hacked away at the configuration and asked Google for help when needed. However, while debugging a kernel problem last week I finally reached my breaking point and decided it was time for me to develop a proper GRUB2 configuration that met my needs better than the Fedora Rawhide defaults. The resulting /etc/default/grub file is shown below:
Before I explain the lines above I want to make a quick comment about grubby, the tool used by Fedora (perhaps others?) to update the GRUB2 configuration when new kernels are installed. It appears, at least at the time of writing, that grubby does not honor the /etc/default/grub configuration file and may not generate a GRUB2 boot loader file that is consistent with the desired configuration. My workaround is to simply run the following command after a new kernel has been installed; it will regenerate the GRUB2 boot loader file based on the configuration in /etc/default/grub:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Now let’s cover the GRUB2 configuration above, line by line. The first line disables the submenu and places all boot loader choices in the top level menu.
GRUB_DISABLE_SUBMENU=yes
The line below sets the timeout before the default boot option is chosen.
GRUB_TIMEOUT=20
The line below is a Fedora default that I’ve largely ignored as it doesn’t have any impact on what I’m trying to do with my systems.
The line below is a list of parameters to pass to the kernel at boot. Most of these are, or were, Fedora defaults at some point with the exception of “nomodeset”, which disables the kernel graphics modesetting, and “console=ttyS0”, which sets the console to the first serial port.
The line below disables the creation of a recovery kernel image and associated boot loader option. Be warned, though, that while this will prevent GRUB2 from creating a new recovery kernel image, you may need to manually remove any previously created recovery kernel images in order to remove the recovery kernel from the boot loader option list.
GRUB_DISABLE_RECOVERY=true
The line below instructs GRUB2 to reference partitions by their device name/path and not their UUID, e.g. use root=/dev/sda1 instead of root=UUID=<xxx>.
GRUB_DISABLE_LINUX_UUID=true
That’s my GRUB2 configuration. There are plenty of other good references online, Google is your friend of course, but if you like a simple boot loader configuration with a serial console, I encourage you to check out the config above; it works pretty well.
UPDATE: In order to completely remove the recovery/rescue kernel you also need to instruct Dracut not to generate a rescue kernel and initrd. This can be done by creating the /etc/dracut.conf.d/02-rescue.conf file with the following contents:
dracut_rescue_image="no"
This will prevent Dracut from creating rescue images when new kernels are installed on the system.
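A drift check for the grubby problem described above, as an added example that is not part of the original post: it reports where a generated grub.cfg disagrees with the settings walked through here. The function names `check_grub_cfg` and `sample_drifted_cfg` are hypothetical, the sample file is constructed, and the keywords matched (`linux`/`linux16`/`linuxefi` lines, entry titles containing "rescue" or "recovery mode") are assumptions about what grub2-mkconfig emits.

```shell
#!/bin/sh
# Added example, not from the original post: report where a generated grub.cfg
# disagrees with the /etc/default/grub settings the post walks through.

# check_grub_cfg FILE: print one finding per line; exit status 1 on any finding.
check_grub_cfg() (
    cfg=$1
    ws='[[:space:]]'
    # Kernel command lines: "linux", "linux16" (BIOS) or "linuxefi" (UEFI).
    kernels=$(grep -E "^$ws*linux(16|efi)?$ws" "$cfg" || true)
    findings=$(
        # GRUB_DISABLE_SUBMENU=yes: every entry belongs in the top-level menu.
        grep -E "^$ws*submenu$ws" "$cfg" | sed 's/^/submenu present: /'
        # GRUB_DISABLE_RECOVERY=true and dracut_rescue_image="no":
        # no recovery-mode or rescue entries should be offered.
        grep -Ei "^$ws*menuentry$ws.*(rescue|recovery mode)" "$cfg" |
            sed 's/^/recovery or rescue entry: /'
        if [ -n "$kernels" ]; then
            # GRUB_DISABLE_LINUX_UUID=true: root= must name a device path.
            printf '%s\n' "$kernels" | grep -E "${ws}root=UUID=" |
                sed 's/^/root referenced by UUID: /'
            # Parameters the post names must appear on every command line.
            for param in nomodeset console=ttyS0; do
                printf '%s\n' "$kernels" | grep -Ev "$ws$param(,|$ws|\$)" |
                    sed "s/^/missing $param: /"
            done
        fi
        true
    )
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Constructed sample of a drifted grub.cfg (not captured from a real system).
sample_drifted_cfg() {
    cat <<'EOF'
menuentry 'Fedora (4.7.0) 25 (Rawhide)' {
	linux16 /vmlinuz-4.7.0 root=UUID=constructed-uuid ro nomodeset
}
menuentry 'Fedora (0-rescue-constructed) 25 (Rawhide)' {
	linux16 /vmlinuz-0-rescue-constructed root=/dev/sda1 ro nomodeset console=ttyS0
}
EOF
}

# Check the file named on the command line, if one was given.
if [ $# -gt 0 ]; then check_grub_cfg "$1"; fi
```

Run it against /boot/grub2/grub.cfg after each kernel install; any output means the file should be regenerated with the grub2-mkconfig command shown earlier.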