Linux 5.5 Released

Linux v5.5 was released on Sunday, January 26, 2020, the SELinux and audit highlights are below:

SELinux

• Add new SELinux access controls for the perf_event_open(2) syscall to control access to the performance monitoring subsystem in the kernel. A new SELinux object class with six new permissions were created for this purpose:

  perf_event { open cpu kernel tracepoint read write }
  

  The “cpu”, “kernel”, and “tracepoint” permissions are used to reflect their associated accesses requested while the “open” permission is described by this mailing list post. The “read” and “write” permissions are checked when I/O happens on the file descriptor returned by perf_event_open(2). In order to make use of the new controls some additional configuration is required as described by the patch author, Joel Fernandes:

  To use this patch, we set the perf_event_paranoid sysctl to -1 and then apply selinux checking as appropriate (default deny everything, and then add policy rules to give access to domains that need it). In the future we can remove the perf_event_paranoid sysctl altogether.

• Add support for the “greatest lower bound” policy construct which is defined as the intersection of the MLS range of two SELinux labels. The greatest lower bound is described by the patch author, Joshua Brindle:

  A policy developer can now specify glblub as a default_range default and the computed transition will be the intersection of the mls range of the two contexts.

  The glb (greatest lower bound) lub (lowest upper bound) of a range is calculated as the greater of the low sensitivities and the lower of the high sensitivities and the and of each category bitmap.

  This can be used by MLS solution developers to compute a context that satisfies, for example, the range of a network interface and the range of a user logging in.

  Some examples are:

  User Permitted Range	Network Device Label	Computed Label
  s0-s1:c0.c12	s0	s0
  s0-s1:c0.c12	s0-s1:c0.c1023	s0-s1:c0.c12
  s0-s4:c0.c512	s1-s1:c0.c1023	s1-s1:c0.c512
  s0-s15:c0,c2	s4-s6:c0.c128	s4-s6:c0,c2
  s0-s4	s2-s6	s2-s4
  s0-s4	s5-s8	INVALID
  s5-s8	s0-s4	INVALID

• Allow SELinux file labeling before the policy is loaded into the kernel. This should ease some of the burden when the policy is initially loaded as there is no longer a need to relabel files, as well as help enable new system concepts which dynamically create the root filesystem durint boot in the initramfs.

• Remove the size limit on SELinux policies, the limitation was a lingering vestige and no longer necessary.

Audit

• Allow for the auditing of suspicious O_CREAT usage via the new AUDIT_ANOM_CREAT record.