Linux 5.12 Released
28 Apr 2021 tags: audit selinux
Linux v5.12 was released on Sunday, April 25th. While it was another relatively quiet release for audit, SELinux had a number of changes; the highlights are below:
SELinux
- Support was added for controlling anonymous inodes with SELinux. In order to make use of these new controls the various kernel subsystems need to opt in to SELinux policy enforcement by creating their anonymous inodes through a different kernel API; the first user of this new API is userfaultfd. The authors of the work, Daniel Colascione and Lokesh Gidra, provide a simple explanation of how to use the new userfaultfd controls under SELinux:
A SELinux policy author detects and controls these anonymous inodes by adding a name-based type_transition rule that assigns a new security type to anonymous-inode files created in some domain. The name used for the name-based transition is the name associated with the anonymous inode for file listings — e.g., “[userfaultfd]” or “[perf_event]”.
Example:
type uffd_t;
type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
allow sysadm_t uffd_t:anon_inode { create };
- Filesystems can now be configured to use both xattr and genfs file labeling in the SELinux policy, and the kernel will fall back to genfs labeling if the filesystem does not support xattrs. While this is of little use for traditional filesystems such as ext4, it is helpful for filesystems such as virtiofs, whose capabilities vary depending on the backing filesystem.
- IMA can now measure the loaded SELinux policy. Lakshmi Ramasubramanian explains why this is important and how to make use of this new capability in the commit description:
SELinux stores the active policy in memory, so the changes to this data at runtime would have an impact on the security guarantees provided by SELinux. Measuring in-memory SELinux policy through IMA subsystem provides a secure way for the attestation service to remotely validate the policy contents at runtime.
Measure the hash of the loaded policy by calling the IMA hook ima_measure_critical_data(). Since the size of the loaded policy can be large (several MB), measure the hash of the policy instead of the entire policy to avoid bloating the IMA log entry.
To enable SELinux data measurement, the following steps are required:
1, Add “ima_policy=critical_data” to the kernel command line arguments to enable measuring SELinux data at boot time. For example,
BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
2, Add the following rule to /etc/ima/ima-policy
measure func=CRITICAL_DATA label=selinux
Sample measurement of the hash of SELinux policy:
To verify the measured data with the current SELinux policy run the following commands and verify the output hash values match.
sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1
grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6
Note that the actual verification of SELinux policy would require loading the expected policy into an identical kernel on a pristine/known-safe system and run the sha256sum /sys/kernel/selinux/policy there to get the expected hash.
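The two commands from the commit message are easy to compare by eye on one machine but awkward to script; the following is an added example (not part of the blog post or of the kernel commit) that wraps the same comparison in shell functions with an exit status, so it can run from an attestation check or a boot-time health script. The measurement list paths and the ima-buf field layout (field 6 of a "selinux-policy-hash" line is the hex digest of the policy) follow the commit message; the function and variable names are this example's own, and it assumes IMA is using sha256 as in the commit's example, so a system booted with a different ima_hash= would need the matching digest tool instead of sha256sum.

```shell
#!/bin/sh
# Added example, not the kernel's or the blog post's own code.
# Compares the hash IMA recorded for the loaded SELinux policy with a fresh
# sha256 of /sys/fs/selinux/policy. Paths are parameters so the check can be
# exercised against a constructed measurement list; defaults are the live files.

IMA_MEASUREMENTS=/sys/kernel/security/integrity/ima/ascii_runtime_measurements
SELINUX_POLICY=/sys/fs/selinux/policy

# Print the digest from the most recent selinux-policy-hash entry. With the
# ima-buf template the line is:
#   PCR template-hash ima-buf sha256:<buf-hash> selinux-policy-hash <hex digest>
# and the policy digest is the sixth whitespace-separated field. tail -n 1
# matters: every policy (re)load appends a new entry and only the last one
# describes the policy currently enforced.
ima_selinux_policy_hash() {
    measurements="${1:-$IMA_MEASUREMENTS}"
    grep 'selinux-policy-hash' "$measurements" | tail -n 1 | awk '{print $6}'
}

# Print the sha256 of the policy blob the kernel is enforcing right now.
loaded_selinux_policy_hash() {
    policy="${1:-$SELINUX_POLICY}"
    sha256sum "$policy" | cut -d' ' -f 1
}

# Exit status: 0 when the IMA measurement matches the loaded policy,
# 1 on a mismatch, 2 when no selinux-policy-hash entry exists at all
# (typically ima_policy=critical_data missing from the command line or the
# CRITICAL_DATA rule missing from the IMA policy).
check_selinux_policy_measurement() {
    measurements="${1:-$IMA_MEASUREMENTS}"
    policy="${2:-$SELINUX_POLICY}"
    measured=$(ima_selinux_policy_hash "$measurements")
    if [ -z "$measured" ]; then
        echo "no selinux-policy-hash entry in $measurements" >&2
        return 2
    fi
    loaded=$(loaded_selinux_policy_hash "$policy")
    if [ "$measured" = "$loaded" ]; then
        echo "OK: IMA measurement matches loaded policy ($loaded)"
        return 0
    fi
    echo "MISMATCH: IMA measured $measured, loaded policy is $loaded" >&2
    return 1
}
```

On a live system run check_selinux_policy_measurement with no arguments as root (the policy file and the measurement list are not world-readable). A match only shows that the measurement list agrees with what the kernel has loaded; as the commit message says, deciding whether that policy is the expected one still requires a reference hash produced by loading the known-good policy into an identical kernel on a trusted machine, and that is the value an attestation service should compare against.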
- SELinux now properly classifies MPTCP sockets the same as TCP sockets.
- A problem with overlayfs was fixed that impacted systems where SELinux was enabled but a policy had not yet been loaded.
- A potential use-after-free problem during SELinux policy reloading was fixed. While normally such bugs can be serious, loading a new SELinux policy is already a privileged operation so the risk should be low.
- Potential problems relating to SELinux label conversion during policy reloading have been fixed.
- Potential problems involving SELinux policy booleans incorrectly enabling or disabling SELinux policy have been fixed.
- Some incorrect and inconsistent kernel messages generated when loading a SELinux policy were fixed.
- A small number of unused variables were removed from the SELinux code, some private variables were correctly marked as static, and a number of other variables were marked as “__ro_after_init” or “__read_mostly” as appropriate.
Audit
- A few trivial changes to clean up the code and correct some typos; there should be no noticeable changes.