Picture of Paul Moore

Paul Moore

© 2025 Licensed under CC BY-NC-SA 4.0

Linux 6.17 Released

29 Sep 2025 tags: audit lsm selinux

Linux v6.17 was released on Sunday, September 28th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.17 that are described below.

LSM

  • Added two new LSM hooks, security_inode_file_getattr() and security_inode_file_setattr(), to gate the FS_IOC_FSGETXATTR and FS_IOC_FSSETXATTR ioctls and their corresponding file_getattr(2) and file_setattr() syscalls. At present, only SELinux provides access controls for these new LSM hooks using the existing setattr and getattr file object permissions.

Audit

  • Fixed a potential out-of-bounds read in the audit pathname comparison code.

Linux 6.17 Merge Window

30 Jul 2025 tags: audit lsm selinux

Linux v6.16 was released on Sunday, July 27th, with the Linux v6.17 merge window opening immediately afterwards. Below are the highlights of the LSM, SELinux, and audit pull requests which have been merged into Linus’ tree.

LSM

  • Nicolas Bouchinet and Xiu Jianfeng have volunteered to maintain the Lockdown LSM. Unfortunately, the Lockdown LSM had been unmaintained since its original inclusion in Linux v5.4, almost six years ago, and I had growing concerns about its current effectiveness given the lack of care and support. With Lockdown now being actively maintained, I’m hopeful that this situation will improve.

SELinux

  • Add support for a new neveraudit per-domain flag which prevents all auditing of the associated domain. While there is some overlap with the existing dontaudit flag, the neveraudit flag applies to all auditing and when combined with the permissive domain flag, as one might do for an unconfined domain such as “unconfined_t”, we can perform some significant performance optimizations for certain operations. The optimizations included in Linux v6.17 will be limited to a subset of inode operations, and unlike the path walk optimizations in Linux v6.16, these optimizations will require policy support, therefore the improvements may not be visible on standard Linux distributions for some time.

  • Added a five second delay when using the “/sys/fs/selinux/user” API. This interface was removed from the SELinux userspace tools and libraries in 2020 and marked as deprecated in Linux v6.13. While it is unlikely that any modern Linux distribution shipping a modern Linux kernel and userspace would still be using this API, the five second delay in conjunction with the existing deprecation warning, should help us identify any users which we have not yet been able to reach.

  • Minor changes to the SELinux hash table allocator to quiet allocation failures brought about when loading absurdly large SELinux policies into the kernel. Prior to this change the SELinux kernel code handled these allocation failures gracefully, returning an error, but a warning was displayed on the system’s console in some configurations which was causing problems with some automated test systems, e.g. syzbot. This change simply quiets these allocation failure warnings.

  • Remove some unnecessary cleanup code in the selinuxfs pseudo filesystem implementation.

  • Update the in-kernel SELinux documentation with pointers to additional information in the SELinux project’s GitHub organization.

Audit

  • Fix a regression where some failed kernel module load operations were not properly logged by the kernel’s audit subsystem.

Linux 6.16 Released

29 Jul 2025 tags: audit lsm selinux

Linux v6.16 was released on Sunday, July 27th. I already wrote up a post highlighting the LSM, SELinux, and audit changes that were submitted during the merge window. However, there were additional changes that went into Linux v6.16 that are described below.

SELinux

  • Resolve a problem in the SELinux security server code where multiple security IDs were being generated for the same security label during early boot before the SELinux policy is loaded. This should resolve an issue seen by some users of dracut-ng.

  • Quiet a UBSAN warning in the SELinux labeled IPsec allocation code. The allocation itself was correct, but a length variable used to track the size of the allocation had an off-by-one bug which caused UBSAN to believe the buffer was too short.

  • The SELinux DCCP access controls were removed as the Linux kernel no longer supports DCCP.