On Tuesday, November 03, 2015 02:34:34 PM Josh Boyer wrote:
On Tue, Nov 3, 2015 at 2:25 PM, Paul Moore <pmoore(a)redhat.com> wrote:
> On Thursday, October 29, 2015 07:36:13 PM Josh Boyer wrote:
>> Hi All,
>>
>> We will be removing the kdbus driver from Rawhide kernels before the
>> 4.3 final release upstream. Realistically, this means kdbus will be
>> gone from Fedora by Monday November 2nd at the latest. If you have a
>> setup using kdbus, please adjust it accordingly.
>>
>> The upstream developers asked me to remove the module from Fedora
>> while they rethink some of the approach they are taking with kdbus.
>
> This is just a heads-up ...
>
> In the future we need to be careful when re-enabling kdbus in Fedora
> kernels so that we ensure the necessary SELinux access controls are in
> place at the same time. Without the proper LSM/SELinux access controls,
> kdbus provides a communication channel which could violate SELinux
> security policies and present a nasty regression with respect to access
> control.

That's fine, but I think we already knew that? I mean, the suggestion
was to disable SELinux entirely (or at least put it in permissive
mode) when we added it to begin with. It is also one of the reasons
we limited it to rawhide only. I wouldn't want to ship it in a
release without SELinux support working.

Consider it just a reminder then ... inclusion w/o SELinux support in Rawhide
is fine, I just didn't want to see it slip into proper release without proper
SELinux support.

> I've been trying to work with the upstream kdbus developers on better
> notification/review of their next attempt, but the results thus far have
> been less than inspiring. There is a non-trivial chance that we may end
> up with kdbus in an upstream kernel release before we have the
> LSM/SELinux hooks ready for inclusion.

Hopefully that isn't the case. With the developers taking time to
rethink things, maybe keeping up the communication will help things
land at the same time.

Yes, that is my hope too, but recent conversations have not made me overly
optimistic about this.

--
paul moore
security @ redhat