Linux 5.1 Released
11 May 2019 tags: audit selinux

Linux v5.1 was released on Sunday, May 5th, 2019. Below are the SELinux and audit highlights for the release:
SELinux
- If SELinux is asked to perform an access control check on a file with an invalid SELinux label, the invalid label is now recorded in the SELinux AVC audit record using the “trawcon” field. An example is shown below:
type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0
- Support was added for proper labeling of kernfs-based filesystems. This is of particular interest to those running containers, as the cgroup2 filesystem is based on kernfs.
- A number of changes throughout the SELinux code to support the newly added LSM stacking code. While this is a rather significant change to the LSM layer, it should have little effect on existing systems as long as the administrator does not enable the LSM stacking functionality.
- The constant-sized flex_array structures were converted to use vmalloc-allocated memory. Since these were constant-sized arrays, the flex_array mechanism only added unnecessary complexity.
- The SELinux VFS code was updated to use the new internal kernel mounting API. This should have no visible impact on users, administrators, or policy developers.
- Fix a problem with labeled NFS where mounting an NFS filesystem twice would result in disabling support for the SELinux labels.
- Fix a problem where SELinux file access control denials might not have been logged when in permissive mode.
- A few smaller bug fixes not worth mentioning here, but which are still visible in the git log for those who are interested.
Audit
- The CONFIG_CHANGE records are now associated with other relevant records into a single audit event. Prior to this change, the CONFIG_CHANGE records were always standalone records in their own audit event.
- An “op” field was added to the “lock” and “set” CONFIG_CHANGE records. This should help provide some needed context for the audit event.
- The filesystem type filter was expanded and now applies to all of the inode auditing code.
- File capabilities are no longer recorded when unmounting a filesystem. This prevents a potential hang when unmounting a filesystem, and due to the nature of the unmount operation, it should have little practical impact on the data recorded in the audit log.
- Added support for file capabilities version 3.
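As an added example, not part of the original post or of the kernel's own tooling, the following Python script shows what the two record-level changes above look like to a log consumer: it parses raw audit records into fields, groups records that share an audit event id (the timestamp:serial pair inside msg=audit(...), which is what ties a CONFIG_CHANGE record to its SYSCALL record now that they land in one event), reports AVC denials that carry the new trawcon field from the SELinux section, and lists CONFIG_CHANGE records with their op field. The AVC line is the one quoted in the post; every other log line is a constructed sample, and the exact field layout of CONFIG_CHANGE and SYSCALL records on a real system is assumed rather than copied from kernel output.

```python
import re
from collections import defaultdict

# Constructed sample log (added example, not from the original post). The first
# AVC line is the one quoted in the post; the SYSCALL, CONFIG_CHANGE and second
# AVC lines are invented for illustration and are not verbatim kernel output.
SAMPLE_LOG = """\
type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0
type=SYSCALL msg=audit(1547801083.248:11): arch=c000003e syscall=257 success=yes exit=3 pid=1149 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:sshd_t:s0 key=(null)
type=CONFIG_CHANGE msg=audit(1547801100.512:12): op=set audit_enabled=1 old=1 auid=1000 ses=3 subj=system_u:system_r:auditctl_t:s0 res=1
type=SYSCALL msg=audit(1547801100.512:12): arch=c000003e syscall=46 success=yes exit=56 pid=1203 auid=1000 uid=0 comm="auditctl" exe="/usr/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=CONFIG_CHANGE msg=audit(1547801300.007:13): op=lock audit_enabled=2 old=1 auid=1000 ses=3 subj=system_u:system_r:auditctl_t:s0 res=1
type=AVC msg=audit(1547801400.100:14): avc: denied { read } for pid=1300 comm="cat" path="/etc/shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Header of every record: type, then msg=audit(<seconds.millis>:<serial>): body
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set in an AVC record, e.g. "{ open }"
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Parse one raw audit record into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    rec = {
        "type": m.group("type"),
        # The event id is the whole timestamp:serial pair; the serial alone
        # restarts at boot, so it is not unique across reboots.
        "event": f"{m.group('ts')}:{m.group('serial')}",
        "fields": fields,
    }
    if rec["type"] == "AVC":
        p = PERMS_RE.search(m.group("body"))
        rec["perms"] = p.group(1).split() if p else []
        rec["denied"] = "denied" in m.group("body").split("{")[0]
    return rec


def group_events(lines):
    """Group records sharing an event id, in the order the ids first appear."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["event"]].append(rec)
    return dict(events)


def invalid_label_denials(events):
    """AVC records carrying trawcon: the file's stored label is not valid under the
    loaded policy, so SELinux evaluated the check against the tcontext shown instead."""
    hits = []
    for event_id, recs in events.items():
        for r in recs:
            if r["type"] == "AVC" and "trawcon" in r["fields"]:
                hits.append({
                    "event": event_id,
                    "path": r["fields"].get("path"),
                    "perms": r["perms"],
                    "effective_label": r["fields"].get("tcontext"),
                    "raw_label": r["fields"]["trawcon"],
                })
    return hits


def config_changes(events):
    """CONFIG_CHANGE records with their op, and whether the same event also carried a
    SYSCALL record (the record that identifies the calling process and session)."""
    out = []
    for event_id, recs in events.items():
        types = {r["type"] for r in recs}
        for r in recs:
            if r["type"] == "CONFIG_CHANGE":
                out.append({
                    "event": event_id,
                    "op": r["fields"].get("op"),
                    "auid": r["fields"].get("auid"),
                    "has_syscall": "SYSCALL" in types,
                })
    return out


if __name__ == "__main__":
    evts = group_events(SAMPLE_LOG.splitlines())
    for hit in invalid_label_denials(evts):
        print("invalid label:", hit)
    for cc in config_changes(evts):
        print("config change:", cc)
```

A record with trawcon is worth treating differently from an ordinary denial: the path in question has a label the policy does not know (here the constructed banana_t), which usually points at a mislabeled filesystem or a policy that was changed underneath existing files rather than at a policy rule that is simply too tight. Grouping by the full timestamp:serial pair rather than the serial alone matters because the serial counter restarts on every boot.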
UPDATE: Moved the MDP improvements to Linux v5.2, they were mistakenly included in the Linux v5.1 notes.