20 Nov 2015 tags: audit selinux For the past few weeks I’ve been building experimental Fedora Rawhide kernels with all of the SELinux and audit kernel patches targeted for linux-next included. It has worked out reasonably well, and with the exception of getting a working Linux 4.4-rc1 build this week, it has proven to be relatively easy to manage. If you would like to help with testing and don’t mind the instability that comes with development kernels, the Fedora COPR repository link is below.
I’ve been doing at least one build each week, sometimes more, and I expect to continue with that frequency. I also perform a quick sanity check on each successful build, including running the SELinux and audit testsuites; however, there may be times when the kernel is simply broken, so exercise caution and please don’t run these kernels on anything critical.
pcmoore/kernel-secnext COPR repository
02 Nov 2015 tags: audit selinux The Linux Kernel 4.3 release was yesterday and with this new release comes new functionality and fixes for both SELinux and audit.
SELinux
- Finer-grained access controls for ioctl() commands. Policy authors now have the ability to specify individual ioctl commands in SELinux policy, whereas before the granularity was limited to the ioctl syscall itself.
- Fixes to the kernel’s mdp tool to work with current versions of the checkpolicy policy compiler. For those of you who aren’t aware, the mdp tool, which lives in the kernel under scripts/selinux/mdp, can be used to create a bare-bones dummy policy for SELinux.
- Internal improvements to object class initialization and handling.
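As an added example (not part of the post) of the ioctl granularity described above, here is a policy fragment in checkpolicy syntax that pairs a coarse pre-4.3 style rule with the new extended-permission rules; the types myapp_t and mydev_t are made up, and the command values are assumed to be terminal ioctls (TCGETS, TCSETS, TCFLSH).

```selinux
# Added example, not from the post or the kernel tree. Type names are made up.

# Coarse rule (the only granularity available before Linux 4.3): once the
# "ioctl" permission is granted, every ioctl() request number is allowed.
allow myapp_t mydev_t:chr_file { read write ioctl };

# Extended-permission rule (Linux 4.3, policy version 30): as soon as at least
# one allowxperm rule exists for this source/target/class, only the listed
# request numbers pass the ioctl check and every other number is denied.
# The values are the low 16 bits of the ioctl request (type:8 | nr:8);
# 0x5401 = TCGETS and 0x5402 = TCSETS are assumed here for illustration.
allowxperm myapp_t mydev_t:chr_file ioctl { 0x5401 0x5402 };

# Ranges are accepted and merge with the rule above.
allowxperm myapp_t mydev_t:chr_file ioctl { 0x5403-0x5408 };

# A command that stays denied but should not flood the audit log (0x540b = TCFLSH, assumed).
dontauditxperm myapp_t mydev_t:chr_file ioctl { 0x540b };
```

The "allow ... ioctl" rule is still required; the allowxperm rules only narrow which request numbers it covers.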
Audit
- Allow the creation of audit rules based on executable pathnames. Prior to this patch administrators were forced to create audit rules using PIDs, which was limiting for a number of obvious reasons. This new functionality allows administrators to specify the pathname of an executable and the process will be audited when it executes. Unfortunately, the audit userspace tools do not yet have the necessary support to use this new functionality, but it should be coming in the next release.
- Fixes to internal audit reference counters.
31 Aug 2015 tags: audit selinux The Linux Kernel 4.2 release was yesterday and I wanted to summarize the SELinux and audit changes for those who might not follow Linux Kernel development.
SELinux
- Changes to support LSM stacking. This is a first effort and not the general purpose module stacking that some have requested, but it is still important as it lays the groundwork for future efforts.
- Fixed a SELinux regression involving access control checking on PROT_EXEC protected shared anonymous mappings and reconciled differences in the mmap(2) and mprotect(2) access checks.
- Removed some unused SELinux permissions. Some of the permissions were carryovers from before SELinux was merged into the mainline kernel, while others were from code that has been removed.
- When displaying an error message about an unrecognized Netlink message, the socket class is displayed using its name and not its corresponding object class number.
- Updated the Netlink socket classes. Removed dead classes and added new ones to match the current kernel.
- Enable genfscon based labeling for debugfs, pstore, and sysfs filesystems.
- Fixed a problem when using setxattr to set SELinux security labels over NFSv4.2.
- Fixed a problem with NetLabel generated SELinux labels on 32-bit systems.
Audit
- Renamed duplicate field labels in the LSM_AUDIT_DATA_TASK record.
- Fixed a problem involving incorrectly checking the return value of strnlen_user().
- Removed dead code in audit_filter_rules().