Security

Align the SELinux policy with the current kernel

In the Fedora 34 release, the SELinux policy has been updated to match the state of the current kernel so that SELinux can use the features the kernel provides.

The enhancements to the SELinux policy include new:

  • classes: lockdown, perf_event

  • permissions: watch, watch_mount, watch_reads, watch_sb, watch_with_perm

  • capabilities: bpf, checkpoint_restore, perfmon

This update brings finer granularity for granting permissions, which has corresponding security benefits.

Support for disabling SELinux through /etc/selinux/config has been removed

With this release, support for disabling SELinux through the SELINUX=disabled option in the /etc/selinux/config file has been removed from the kernel. Furthermore, the Anaconda installation program and the corresponding man pages have been updated to reflect this change. This change also enables read-only-after-initialization protection for the Linux Security Module (LSM) hooks.

If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line.
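Because SELINUX=disabled in /etc/selinux/config is no longer honoured by the kernel while selinux=0 on the kernel command line is, a host can carry a configuration that no longer means what its administrator expects. The following audit helper, added here as an example and not taken from the Fedora release notes or the Fedora Change page, reports the effective state from both sources. The function name selinux_effective_state and the sample inputs are constructed for this example; the function takes the config text and the kernel command line as arguments so it can be exercised offline, and at the bottom it is run against the live files when they are readable.

```shell
#!/bin/sh
# Added example: determine the SELinux disable state a Fedora 34 kernel
# will actually honour. selinux_effective_state is a constructed helper.
#
# selinux_effective_state CONFIG_TEXT KERNEL_CMDLINE
# Prints one of:
#   disabled-by-cmdline      selinux=0 is on the kernel command line (honoured)
#   config-disabled-ignored  SELINUX=disabled is set only in the config (not honoured)
#   enforcing / permissive   mode requested by the config
#   unknown                  no recognisable SELINUX= line
selinux_effective_state() {
    config="$1"
    cmdline="$2"

    # selinux=0 is matched as a whole token so that e.g. "selinux=0abc" is not accepted.
    case " $cmdline " in
        *" selinux=0 "*) echo "disabled-by-cmdline"; return 0 ;;
    esac

    # Take the last uncommented SELINUX= line; SELINUXTYPE= must not match.
    mode=$(printf '%s\n' "$config" \
        | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' \
        | tail -n 1)

    case "$mode" in
        disabled)             echo "config-disabled-ignored" ;;
        enforcing|permissive) echo "$mode" ;;
        *)                    echo "unknown" ;;
    esac
}

# Constructed sample config, as an administrator might have left it before Fedora 34.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'

# Demonstration on the constructed input (no selinux=0 on the command line).
selinux_effective_state "$SAMPLE_CONFIG" "BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet"

# On a real host, audit the live files when they are readable.
if [ -r /etc/selinux/config ] && [ -r /proc/cmdline ]; then
    selinux_effective_state "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)"
fi
```

A result of config-disabled-ignored is the case to look for after an upgrade: the file says disabled, but only the selinux=0 kernel parameter has that effect on this kernel, so the host's actual SELinux state should be confirmed with getenforce rather than assumed from the file.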

See the Changing SELinux states and modes section in Fedora Quick Docs and the Fedora Change page at https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable for more information.