Fedora Core 3 Test Update: kernel-2.6.12-1.1369_FC3

Stephen Smalley sds at tycho.nsa.gov
Tue Jul 5 13:03:32 UTC 2005


On Fri, 2005-07-01 at 16:07 -0400, David Jones wrote:
> ---------------------------------------------------------------------
> Fedora Test Update Notification
> FEDORA-2005-512
> 2005-07-01
> ---------------------------------------------------------------------
> 
> Product     : Fedora Core 3
> Name        : kernel
> Version     : 2.6.12
> Release     : 1.1369_FC3
> Summary     : The Linux kernel (the core of the Linux operating system)
> Description :
> The kernel package contains the Linux kernel (vmlinuz), the core of any
> Linux operating system.  The kernel handles the basic functions
> of the operating system:  memory allocation, process allocation, device
> input and output, etc.
> 
> This rebase to 2.6.12.2 touches a *lot* of code, so needs quite a bit
> of testing before I'm comfortable to push this out as an official FC3
> update. However at the same time, FC3 has been deprived of updates for
> a while, so this shouldn't languish in -testing longer than necessary.
> 
> Of particular interest to look out for in this test kernel are any
> SELinux/audit warnings that appear. The latest policy updates for FC3
> seem to be safe from my limited testing so far, but it could be that
> there's something missing that made it into the FC4 branch only.
> 
> Have fun..

With regard to SELinux, I'd expect the following changes in behavior in
2.6.12:
- name_connect permission checks on outbound TCP connections.  Likely
needs to be added to the FC3 policy.
- kernel binary policy format version updated to 19.  /sbin/init should
correctly fall back to the policy.18 file when it sees that policy.19
does not exist in FC3, but the policy spec file and Makefile may need
updating to likewise not just use /selinux/policyvers.
- migration of task pid/exe logging from SELinux avc to the audit
framework, motivated by the dcache deadlock on exe logging.  Means that
we may need to tell people to enable syscall auditing via auditctl -e 1
or booting their kernel with audit=1 to recapture that information for
avc denials when they report them.

There were also some changes to the netlink-related checking and audit
checking, but I doubt that will have an impact on FC3.

-- 
Stephen Smalley
National Security Agency
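
Added example, not part of the original message and not code from /sbin/init or the FC3 policy package: a sketch of the fallback described in the second item above, which a spec file or Makefile could use instead of trusting /selinux/policyvers alone. The function name pick_policy, its arguments and the default floor of 1 are assumptions made for illustration.

```shell
#!/bin/sh
# pick_policy POLICY_DIR KERNEL_VERS [MIN_VERS]   (hypothetical helper)
#
# KERNEL_VERS is the highest binary policy version the running kernel
# accepts (the number read from /selinux/policyvers, 19 on 2.6.12).
# Prints the path of the newest installed policy.N with
# MIN_VERS <= N <= KERNEL_VERS. Returns 1 if no such file exists and
# 2 if a version argument is not a plain number.
pick_policy() {
    pp_dir=$1
    pp_vers=$2
    pp_min=${3:-1}          # assumed floor, not a value from the message

    # Reject empty or non-numeric versions before using them in arithmetic.
    for pp_n in "$pp_vers" "$pp_min"; do
        case $pp_n in
            ''|*[!0-9]*)
                echo "pick_policy: bad version '$pp_n'" >&2
                return 2 ;;
        esac
    done

    # Walk downward from the kernel's version. A policy.N newer than the
    # kernel supports is never considered, so it cannot be picked by mistake.
    while [ "$pp_vers" -ge "$pp_min" ]; do
        if [ -f "$pp_dir/policy.$pp_vers" ]; then
            printf '%s\n' "$pp_dir/policy.$pp_vers"
            return 0
        fi
        pp_vers=$((pp_vers - 1))
    done

    echo "pick_policy: no policy.N with N <= $2 in $pp_dir" >&2
    return 1
}

# Typical call (the policy directory is left as a parameter on purpose):
#   pick_policy "$POLICY_DIR" "$(cat /selinux/policyvers)"
```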