15 Mar 2016 tags: audit selinux

Linux 4.5 was released this past weekend; here are the SELinux and audit release notes.
SELinux

- New LSM hooks and SELinux code to invalidate and revalidate inode security labels. This is important functionality for GFS2 and potentially other distributed filesystems.
- New functionality to make the validatetrans policy decisions available to userspace via the selinuxfs mount, “/sys/fs/selinux” on most systems. Writing “$oldcontext $newcontext $tclass $taskcontext” to “/sys/fs/selinux/validatetrans” succeeds if the transition is allowed and fails with EPERM otherwise.
Audit

- A number of small improvements were made to make the kernel/auditd connection more robust and to fix some corner cases in audit queue backlog handling.
- Auditing of seccomp events now honors the “audit_enabled” flag; when “audit_enabled=0”, seccomp events are not audited.
- CONFIG_AUDITSYSCALL is now selected automatically on systems that have auditing enabled and support syscall auditing.
03 Mar 2016 tags: audit selinux

Update: new process defined here.
Just as the software changes over time to better serve our needs, so should our processes. Starting with the upcoming merge window, I’m changing the process used to manage the SELinux and audit repositories. The new approach is described below:
- When it is time to send a pull request upstream (approximately one or two RC releases before the merge window for SELinux, during the merge window for audit), copy the next branch of the repository to a new branch, stable-X.YY, such that X.YY matches the version of the upcoming release. Send the pull request using the new stable-X.YY branch.
- Rebase the next branch:
  - In the case of SELinux, rebase the next branch against the linux-security/next branch. It is common practice for the linux-security/next branch to be rebased on a semi-regular basis against Linus’ X.YY-rc1 or X.YY-rc2 release; as a result, the SELinux next branch may need to be rebased outside the regular merge window cycle.
  - In the case of audit, rebase the next branch against Linus’ latest stable release, the kernel release that started the merge window.
- Accept patches into the stable-X.YY and next branches as appropriate during the development cycle. Send stable-X.YY patches upstream as soon as they have been reviewed and verified against the appropriate test suites. Continue until it is time to send the next pull request upstream.
For reference, the old process was defined here.
29 Feb 2016 tags: seccomp

We’ve just released a new version of libseccomp, libseccomp version 2.3.0. The libseccomp library provides an easy-to-use, platform-independent interface to the Linux enhanced syscall filtering mechanism.
This new version of libseccomp builds upon the previous release and should be a drop-in replacement for the 2.x releases. All users are encouraged to upgrade to the new version at their earliest convenience.
Changes in the 2.3.0 release include:
- Added support for the s390 and s390x architectures
- Added support for the ppc, ppc64, and ppc64le architectures
- Update the internal syscall tables to match the Linux 4.5-rc releases
- Filter generation for both multiplexed and direct socket syscalls on x86
- Support for the musl libc implementation
- Additions to the API to enable runtime version checking of the library
- Enable the use of seccomp() instead of prctl() on supported systems
- Added additional tests to the regression test suite
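As an added example, not libseccomp's own code and not part of the original post, here is what the library generates and installs on your behalf: a raw classic-BPF filter that pins the syscall ABI, allows every syscall except one, and is installed with seccomp(2) where the kernel provides it, falling back to prctl(PR_SET_SECCOMP) on older kernels as 2.3.0 does. The blocked syscall (getppid) and the EACCES error are chosen purely for the demonstration, the function names are mine, and the example assumes an x86_64, aarch64 or i386 Linux host.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1   /* seccomp(2) operation, for older headers */
#endif

/* Pin the filter to one ABI so a syscall made through a foreign ABI (e.g. 32-bit
 * on an x86_64 kernel) cannot reuse a number we meant for a different syscall.
 * libseccomp derives this from the architectures added with seccomp_arch_add(). */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Allow everything except getppid(2), which is made to fail with EACCES.
 * getppid is used only because it otherwise never fails, so a -1/EACCES result
 * can only have come from the filter. */
static struct sock_filter demo_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* wrong ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter in the calling process. Returns 0 on success, -1 with errno
 * set otherwise. seccomp(2) exists since Linux 3.17; on a kernel without it the
 * raw syscall fails with ENOSYS and we fall back to the prctl(2) interface. */
int install_demo_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(demo_filter) / sizeof(demo_filter[0]),
        .filter = demo_filter,
    };

    /* Without CAP_SYS_ADMIN a filter may only be installed after the process gives
     * up the ability to gain privileges (e.g. through setuid binaries). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;

#ifdef SYS_seccomp
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == 0)
        return 0;
    if (errno != ENOSYS)        /* the kernel has seccomp(2) but rejected the filter */
        return -1;
#endif
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child and probe it there, so the caller's own
 * process stays unfiltered. Returns 0 when getppid was blocked with EACCES,
 * 1 when the call went through (filter not effective), 2 when the filter could
 * not be installed (e.g. a sandbox that forbids seccomp), -1 on fork/wait failure. */
int demo_filter_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_demo_filter() < 0)
            _exit(2);
        long r = syscall(SYS_getppid);
        _exit((r < 0 && errno == EACCES) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;              /* a signal here would mean SECCOMP_RET_KILL fired */
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = demo_filter_in_child();
    printf("result: %d (0 = getppid blocked with EACCES by the filter)\n", r);
    return r == 0 ? 0 : 1;
}
```

Two points the filter makes that a changelog cannot: the architecture check comes first, because syscall numbers only mean something within one ABI, and the demonstration uses SECCOMP_RET_ERRNO rather than SECCOMP_RET_KILL so the probe can report what happened instead of being killed. libseccomp's seccomp_rule_add() and seccomp_load() produce the equivalent program, including the ABI check and the seccomp(2)/prctl(2) selection, without hand-written BPF.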
Finally, thank you to everyone who has submitted suggestions, provided testing help, and contributed patches to the project.