SELinux changes in the 2.6.13 kernel

Patches from Lorenzo Hernandez Garcia-Hierro add two new memory execution permissions for processes:

  • execheap – this permission is required for a process to make heap memory executable, even if it already has the execmem permission. The X server’s module loader seems to need this currently.
  • execstack – similarly, this permission is now required if a process wants to make its main stack executable. This is for applications such as JVMs, although mplayer also needs this permission for some reason.
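The two new checks are triggered by a specific system call pattern: an mprotect() that adds PROT_EXEC to a page inside the brk heap (execheap) or inside the main stack mapping (execstack). The following probe, an added example that is not code from the original post, performs exactly those two operations on one page each, restores the original protections, and reports whether the kernel allowed or refused them. It assumes Linux with glibc; the enum names and the interpretation of EACCES/EPERM as a policy refusal are my own conventions.

```c
/* Probe whether this process may make its brk heap and its main stack
 * executable: the two operations the execheap and execstack checks govern.
 * Added illustration for the post above, not code from the original. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_DENIED, PROBE_ERROR };

/* Try to flip one page to RWX, then put it back to RW. EACCES is what a
 * security-module refusal surfaces as; EPERM is what some hardening patches
 * return, so both are treated as "denied". Anything else is a probe error. */
static enum probe_result try_exec(void *page_addr, size_t page)
{
    if (mprotect(page_addr, page, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
        /* Restore the page so the rest of the process is unaffected. */
        mprotect(page_addr, page, PROT_READ | PROT_WRITE);
        return PROBE_ALLOWED;
    }
    return (errno == EACCES || errno == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}

/* Heap probe: memory obtained by moving the program break lies in the
 * region the kernel treats as the heap, so this exercises execheap. */
enum probe_result probe_heap_exec(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return PROBE_ERROR;
    char *old_brk = sbrk(2 * page);           /* grow the heap by two pages */
    if (old_brk == (char *)-1)
        return PROBE_ERROR;
    /* Round up to the first page boundary inside the new region. */
    uintptr_t aligned = ((uintptr_t)old_brk + page - 1) & ~(uintptr_t)(page - 1);
    return try_exec((void *)aligned, (size_t)page);
}

/* Stack probe: the page holding a local variable of the main thread is part
 * of the main stack mapping, so this exercises execstack. */
enum probe_result probe_stack_exec(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return PROBE_ERROR;
    volatile char marker = 0;                 /* lives on the main stack */
    uintptr_t aligned = (uintptr_t)&marker & ~(uintptr_t)(page - 1);
    return try_exec((void *)aligned, (size_t)page);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED: return "allowed";
    case PROBE_DENIED:  return "denied (look for execheap/execstack in the AVC log)";
    default:            return "probe error";
    }
}

int main(void)
{
    printf("executable heap:  %s\n", describe(probe_heap_exec()));
    printf("executable stack: %s\n", describe(probe_stack_exec()));
    return 0;
}
```

Run under a confined domain that lacks the permission, the mprotect() call fails with EACCES and the kernel logs an AVC denial for `execheap` or `execstack` on the `process` class; the remedy is a targeted rule such as `allow mydomain_t self:process execheap;` (a hypothetical domain name) only for applications, like the X server's module loader or a JVM, that genuinely require it. Note that the stack probe must run on the main thread: thread stacks are ordinary anonymous mappings and fall under the existing execmem check instead.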

A patch for the MLS code allows easier transition to an MLS system by handling the lack of an on-disk MLS field in the security context of a file if running in MLS mode. Instead of the previous behavior of just internally setting the security context to ‘unlabeled’, SELinux will internally infer an MLS field based on the default for the filesystem mount. This is intended to allow systems to enable MLS without requiring a full filesystem relabel (which can take a very long time).

Otherwise, things have been fairly quiet for SELinux in this kernel release: a few bug fixes and assorted changes related to ongoing CAPP audit development (which SELinux is dependent on).