< Changes
No edit summary |
(Announcing the Change proposal) |
||
| Line 15: | Line 15: | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Name: Zdenek Pytela | * Name: Zdenek Pytela, Ondrej Mosnacek | ||
* Email: zpytela@redhat.com | * Email: zpytela@redhat.com, omosnace@redhat.com | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
| Line 29: | Line 27: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAnnounced]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Revision as of 20:47, 15 January 2021
Make selinux-policy up-to-date with the latest kernel
Summary
Add new permissions, classes, and capabilities to the selinux policy so that system recognizes them, can boot without an error message, and use them in the actual policy for confined services.
Owner
- Name: Zdenek Pytela, Ondrej Mosnacek
- Email: zpytela@redhat.com, omosnace@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2021-01-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Several new permissions, classes, and capabilities have been added to Linux kernel recently. The current SELinux policy does not reflect all the changes which means it does not make use of all the potential the kernel provides.
The new features include:
- New classes: lockdown perf_event
- New permissions: watch watch_mount watch_reads watch_sb watch_with_perm
- New capabilities: bpf checkpoint_restore perfmon
With these new features, selinux-policy will be aligned with the current kernel.
Feedback
Benefit to Fedora
Adding support for the new features to selinux-policy brings better granularity for granting permissions and have subsequent security benefits.
Additionally, systems can be run with the mls selinux policy: this is currently not possible as using mls policy may prevent a system from starting when there are permissions unknown to the policy which is true in the new kernels.
It will also allow for complex selinux testsuites run instead of skipping parts of the tests, utilising not supported features.
List of the new features and bugzilla links:
Scope
- Proposal owners:
- Add all relevant patches to the current development fedora version
- Ensure the system boots with the targeted policy
- Ensure the system boots with the mls policy
- Ensure the permissions are recognized by the system
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Users should not be directly affected by this change.
N/A (not a System Wide Change)
How To Test
- Boot a system and check for error messages and audit records.
- ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
- dmesg
- journalctl
- Optionally, install and boot the selinux-policy-mls package.
N/A (not a System Wide Change)
User Experience
There's no visible change for end users.
Admins and custom policy authors may need to get familiar with the new features for services which make use of them.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)