Picture of Paul Moore

Paul Moore

© 2025 Licensed under CC BY-NC-SA 4.0

Linux 5.8 Released

04 Aug 2020 tags: audit selinux

Linux v5.8 was released on Sunday, August 2, 2020; the SELinux and audit highlights are below:

SELinux

  • Added support for a new SELinux policy version, version 33, which allows for a more space efficient way of storing the filename transitions in the binary policy. Given the default Fedora SELinux policy with the unconfined module enabled, this change drops the policy size from ~7.6MB to ~3.3MB, with policy load times dropping as well.

  • A number of improvements to various SELinux internal kernel data structures to help improve performance and simplify the code. The role transitions moved into a hash table, and we shifted from hashing the rendered SELinux label string to the content structure itself, when it is valid.

  • Support was added for the new CAP_PERFMON and CAP_BPF capabilities in the “capability2” object class.

  • Several bug fixes found by the Clang Static analyzer which resolve potential double-free conditions and undefined return values.

  • Some fixes to the error handling code in the policy parser to properly return error codes when things go wrong.

  • Internal changes to the the LSM hook responsible for ensuring that the LSM credentials are set correctly for processes when they are executed.

  • Changes to the LSM/SELinux hooks for the kernel keyring.

Audit

  • Binding and unbinding to the audit multicast socket now generates audit records. This is intended to help administrators identify which processes have, or had, access to the information in the audit record stream.

  • Some of the audit error handling was improved to remove the potential for leaking network namespace references in the kernel.

  • The netfilter configuration records were cleaned and additional information was added to the records.

  • Sadly the commit which helped enable better support for accompanying records which was merged for the Linux v5.7 release needed to be reverted due to problems with the implementation. I expect this to come back at a later date once the code is improved.

Libseccomp 2.5.0 Released

20 Jul 2020 tags: seccomp

On behalf of the libseccomp project I would like to announce libseccomp v2.5.0!

The libseccomp v2.5.0 release is backwards compatible with previous v2.x releases and is a drop-in replacement; no recompilation of applications is required. Applications will need to be restarted to take advantage of the new libseccomp release. While the v2.4.x release stream will be supported for at least one more maintenance release, all users and distributions are encouraged to upgrade to libseccomp v2.5.0.

The core libseccomp library is the work of 56 contributors, and this release is a significant upgrade over the libseccomp v2.4.x release stream. The v2.5.0 release brings new support for RISC-V and seccomp user notifications along with a number of bug fixes and performance improvements. A more detailed list of changes can be seen below:

  • Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information
  • Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information
  • Add support for the 64-bit RISC-V architecture
  • Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables
  • Properly document the libseccomp API return values and include them in the stable API promise
  • Improvements to the s390 and s390x multiplexed syscall handling
  • Multiple fixes and improvements to the libseccomp manpages
  • Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format
  • Update the syscall tables to Linux v5.8.0-rc5
  • Python bindings and build now default to Python 3.x
  • Improvements to the tests have boosted code coverage to over 93%
  • Enable Travis CI testing on the aarch64 and ppc64le architectures
  • Add code inspection via lgtm.com

The SELinux Notebook

15 Jul 2020 tags: selinux

Many of you reading this are likely already aware of “The SELinux Notebook” by Richard Haines. For those of you who have not seen it before, “The SELinux Notebook” is a very comprehensive guide to SELinux that stretches from the kernel all the way up through the policy. It’s really an impressive work, made even more impressive by the fact that Richard has been kind enough to make it freely available.

In the latest 5th edition, Richard opened the book even more by converting it into Markdown and posting the book, in source form, on GitHub. This is a tremendous gift to the SELinux community, and one that I hope we will not squander. My hope is that we can turn “The SELinux Notebook” into a living document that is updated along with the code and the policies so that it continues to be the excellent resource that it is today.

If you are interested in helping contribute to “The SELinux Notebook”, there are some quick notes in the CONTRIBUTING.md file to help you get started with the project.