SELinux kernel changes in 2.6.12-rc3

A few more SELinux kernel patches have been merged since 2.6.12-rc2 and are now available in -rc3:

  • Explicit support has been added for the KOBJECT_UEVENT Netlink family. This allows SELinux permissions to be applied specifically to these types of sockets, rather than the default, which was to treat them as generic Netlink sockets. KOBJECT_UEVENT messages are sent by the kernel to userspace to provide notification of changes to kobjects. You’ll most likely need to update to the latest policy packages if you install this kernel, as haldaemon makes use of these types of Netlink sockets, for which older policy will not have any permissions. This is what you’ll see without an updated policy:
    avc:  denied  { create } for  scontext=system_u:system_r:hald_t
                                  tcontext=system_u:system_r:hald_t
                                  tclass=netlink_kobject_uevent_socket
  • A bug was fixed in the detection of NETLINK_IP6_FW messages (as used in the upstream kernel by ip6_queue), where such messages would instead be detected as generic Netlink messages.
  • Stephen Smalley fixed an audit-related deadlock in SELinux, which was discovered by IBM testing. His patch moves more SELinux logging to the audit subsystem, cleaning up the SELinux code and allowing the logged information to be more complete and reliable. I would thus now suggest always running SELinux with audit enabled (which is the default now in Fedora rawhide). With audit enabled and auditd running, AVC messages will now go to wherever auditd is configured to send them, as specified by /etc/auditd.conf. This is /var/log/audit/audit.log on my system, which takes a bit of getting used to after years of having AVC messages splattered across the console.
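As an added example (not code from the original post), the following script parses AVC messages, whether printed to the console or written by auditd to audit.log, and picks out denials on the new netlink_kobject_uevent_socket class, which is the symptom of running this kernel with policy that predates it. The sample log is constructed: the first line is the hald denial quoted above joined onto one line, and the audit.log framing (type=AVC msg=audit(...)) around the other two lines is assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the console-style denial from the post joined onto
# one line, followed by two records in the audit.log framing that auditd uses
# (the timestamps, pids and comm values are made up for this example).
SAMPLE_LOG = """\
avc:  denied  { create } for  scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1114000000.123:45): avc:  denied  { bind } for  pid=1234 comm="hald" scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1114000001.456:46): avc:  granted  { read } for  pid=99 comm="foo" scontext=system_u:system_r:init_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value ..." with either one or two spaces.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; comm="..." is the only quoted value SELinux emits here.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str   # "denied" or "granted"
    perms: list   # permissions inside the braces, e.g. ["create"]
    fields: dict  # scontext, tcontext, tclass, pid, comm, ...


def parse_avc(line):
    """Return an AvcRecord for one AVC line, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)


def kobject_uevent_denials(log_text):
    """List (scontext, perms) for every denial whose target class is the
    netlink_kobject_uevent_socket class introduced in 2.6.12-rc3."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.result == "denied"
                and rec.fields.get("tclass") == "netlink_kobject_uevent_socket"):
            out.append((rec.fields.get("scontext"), rec.perms))
    return out
```

A domain such as hald_t showing up in this list after the kernel upgrade is the cue to update the policy packages rather than to write a local allow rule.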