Security
Align the SELinux policy with the current kernel
In the Fedora 34 release, the SELinux policy has been updated to match the state of the current kernel, so that SELinux can use the object classes, permissions and capabilities the kernel now provides.
The enhancements to the SELinux policy include the following new:
  classes: lockdown, perf_event
  permissions: watch, watch_mount, watch_reads, watch_sb, watch_with_perm (on the file-like classes such as dir and file)
  capabilities: bpf, checkpoint_restore, perfmon (in the capability2 class)
This update brings finer granularity for granting permissions: access such as opening perf events, loading BPF programs or watching a mount can be allowed to a specific domain instead of being covered by broad capabilities, which narrows what a compromised confined process can do.
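As an added example (not from the Fedora release notes), the shell functions below first check, through selinuxfs, whether the running kernel and loaded policy actually expose a class and its permissions, and then write a minimal policy module that references the new perf_event, capability2, lockdown and dir:watch rules. The domain name myperf_t, the selinuxfs root argument and the module name are assumptions; a real module would declare its domain with the reference policy macros rather than a bare type.

```shell
#!/bin/sh
# Added example, not part of the Fedora 34 notes or the selinux-policy project.

# Check that the loaded policy defines class $2 with the permissions given as
# the remaining arguments, by inspecting selinuxfs under root $1
# (normally /sys/fs/selinux; a constructed tree is used for testing).
# Returns 0 when every permission is present, 1 otherwise.
selinux_has_perms() {
    root=$1; cls=$2; shift 2
    [ -d "$root/class/$cls" ] || { echo "class $cls: missing" >&2; return 1; }
    rc=0
    for p in "$@"; do
        if [ -e "$root/class/$cls/perms/$p" ]; then
            echo "$cls:$p ok"
        else
            echo "$cls:$p missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Write a .te module to $1 that uses the new classes and permissions.
# Build and install it (as root) with:
#   checkmodule -M -m -o myperf.mod myperf.te
#   semodule_package -o myperf.pp -m myperf.mod
#   semodule -i myperf.pp
# checkmodule fails at the "require" block if the base policy lacks a class,
# which is the same information the selinux_has_perms check gives at runtime.
write_perf_module() {
    out=$1
    cat > "$out" <<'EOF'
module myperf 1.0;

require {
    type var_log_t;
    class perf_event { open read write kernel cpu tracepoint };
    class capability2 { bpf perfmon };
    class lockdown { integrity confidentiality };
    class dir { watch watch_reads };
}

# Hypothetical domain; a real module would use domain_type() from refpolicy.
type myperf_t;

# Open perf events for the domain's own processes, the kernel and per-CPU counters.
allow myperf_t self:perf_event { open read write kernel cpu tracepoint };
# perfmon and bpf are separate capabilities, so grant them instead of sys_admin.
allow myperf_t self:capability2 { bpf perfmon };
# Kernel lockdown checks are made against the calling domain itself.
allow myperf_t self:lockdown { integrity confidentiality };
# Set up fanotify/inotify-style watches on log directories only.
allow myperf_t var_log_t:dir { watch watch_reads };
EOF
}
```

On a live system, `selinux_has_perms /sys/fs/selinux perf_event open kernel` and `selinux_has_perms /sys/fs/selinux capability2 bpf perfmon checkpoint_restore` tell you whether the kernel and policy pair is new enough for such rules before you try to load them.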
Support for disabling SELinux through /etc/selinux/config has been removed
With this release, support for disabling SELinux through the SELINUX=disabled option in the /etc/selinux/config file has been removed from the kernel. The Anaconda installation program and the corresponding man pages have been updated to reflect this change. Because the kernel no longer needs to unregister the SELinux hooks at runtime, this change also enables read-only-after-initialization protection for the Linux Security Module (LSM) hooks, so they can no longer be overwritten after boot.
If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line; setting SELINUX=disabled in /etc/selinux/config alone is no longer sufficient.
See the Changing SELinux states and modes section in Fedora Quick Docs and the change proposal at https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable for more information.
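As an added example (not from the Fedora release notes), the following shell function audits a host for the situation this change creates: a configuration file that still says SELINUX=disabled while the kernel command line, which is now the only setting that counts, lacks selinux=0. The function takes file paths so it can be run against copies of the files or constructed input; the output words and return codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the Fedora 34 notes.
# Usage: selinux_boot_state /etc/selinux/config /proc/cmdline
# Prints and returns:
#   "disabled"    / 0  selinux=0 is on the kernel command line (effective)
#   "config-only" / 2  only the now-ineffective SELINUX=disabled is set
#   "enabled"     / 1  neither is set; SELinux stays enabled
selinux_boot_state() {
    cfg=$1; cmdline=$2
    # Kernel parameters are space separated; match the whole token selinux=0.
    if tr ' ' '\n' < "$cmdline" | grep -qx 'selinux=0'; then
        echo disabled
        return 0
    fi
    # Take the last uncommented SELINUX= assignment (SELINUXTYPE= does not match).
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ "$mode" = disabled ]; then
        echo config-only
        return 2
    fi
    echo enabled
    return 1
}
```

A "config-only" result means the machine is not disabled but is running without the administrator's intended state; either remove the stale SELINUX=disabled line and choose enforcing or permissive, or, if disabling is really required, add the parameter to every installed kernel with `grubby --update-kernel=ALL --args="selinux=0"` and reboot, then confirm with `cat /proc/cmdline`.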