Linux 5.19 Released
01 Aug 2022 tags: audit selinux
Linux v5.19 was released on Sunday, July 31st; the SELinux and audit highlights are below:
SELinux
- The “/sys/fs/selinux/checkreqprot” and “/sys/fs/selinux/disable” runtime configuration files have been deprecated for some time, with no active users that we could find. In an effort to move the deprecation process further along, we added a five-second pause when either checkreqprot is enabled or SELinux is disabled at runtime. In both cases a warning message is printed to the system console with a link to a GitHub wiki page that explains why the legacy functionality is being disabled and how users can transition to the new approach.
- Added the anonymous inode class name to the SELinux AVC audit records whenever anonymous inodes are involved, which should make writing and debugging SELinux policy easier. An example was provided by Christian Göttsche, the patch author:
type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted { create } for pid=2136 comm=mariadbd anonclass=[io_uring] scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode
- Fixed a memory leak which could occur when mounting filesystems with SELinux mount options.
- More internal SELinux data types were marked as constant values to help prevent unexpected changes.
- A number of minor changes including documentation fixes, coding style corrections, removal of unnecessary code, and pre-processor tweaks.
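The new anonclass field is only useful if log tooling actually picks it up. As an added example (not code from the post or the kernel tree), the parser below splits an AVC record into its decision, permission set and key=value fields and summarises anon_inode records; both sample records are constructed, the second imitating a pre-5.19 record that carries no anonclass.

```python
import re
from typing import Dict, Optional

# Constructed samples (not real captures). The first mirrors the post's
# record with the new anonclass= field; the second is a pre-5.19 style
# record for the same class, where anonclass= is absent.
RECORD_NEW = (
    "type=AVC msg=audit(02/16/22 22:02:50.585:216) : avc: granted { create } "
    "for pid=2136 comm=mariadbd anonclass=[io_uring] "
    "scontext=system_u:system_r:mysqld_t:s0 "
    "tcontext=system_u:system_r:mysqld_iouring_t:s0 tclass=anon_inode"
)
RECORD_OLD = (
    "type=AVC msg=audit(02/16/22 22:02:50.585:215) : avc: denied { create } "
    "for pid=2136 comm=mariadbd scontext=system_u:system_r:mysqld_t:s0 "
    "tcontext=system_u:system_r:mysqld_t:s0 tclass=anon_inode"
)

_HEADER = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+")
# Values are bare tokens, "quoted", or [bracketed] as with anonclass=[...].
_KV = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\[[^\]]*\]|\S+)')


def parse_avc(record: str) -> Dict[str, object]:
    """Split one AVC record into decision, permission list and key=value fields."""
    m = _HEADER.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields: Dict[str, str] = {}
    for kv in _KV.finditer(record, m.end()):
        key, val = kv.group("key"), kv.group("val")
        if (val[0], val[-1]) in (("[", "]"), ('"', '"')):
            val = val[1:-1]  # anonclass=[io_uring] -> io_uring
        fields[key] = val
    return {"decision": m.group("decision"),
            "perms": m.group("perms").split(),
            "fields": fields}


def anon_inode_summary(record: str) -> Optional[str]:
    """One-line summary for anon_inode records; None for any other tclass."""
    p = parse_avc(record)
    f = p["fields"]
    if f.get("tclass") != "anon_inode":
        return None
    # Before 5.19 the record does not say which anonymous inode type it was.
    kind = f.get("anonclass", "unknown")
    return (f"{f['scontext']} {p['decision']} {','.join(p['perms'])} "
            f"on anon_inode[{kind}] -> {f['tcontext']}")
```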
Audit
- Fixed a memory leak that could occur when logging information related to loading a kernel module.
- A small number of changes related to audit’s use of fsnotify, made necessary by changes in the fsnotify subsystem.