On Tue, Nov 3, 2015 at 2:25 PM, Paul Moore <pmoore(a)redhat.com> wrote:
> On Thursday, October 29, 2015 07:36:13 PM Josh Boyer wrote:
> > Hi All,
> >
> > We will be removing the kdbus driver from Rawhide kernels before the
> > 4.3 final release upstream. Realistically, this means kdbus will be
> > gone from Fedora by Monday November 2nd at the latest. If you have a
> > setup using kdbus, please adjust it accordingly.
> >
> > The upstream developers asked me to remove the module from Fedora
> > while they rethink some of the approach they are taking with kdbus.
>
> This is just a heads-up ...
>
> In the future we need to be careful when re-enabling kdbus in Fedora kernels
> so that we ensure the necessary SELinux access controls are in place at the
> same time. Without the proper LSM/SELinux access controls, kdbus provides a
> communication channel which could violate SELinux security policies and
> prevent a nasty regression with respect to access control.

That's fine, but I think we already knew that? I mean, the suggestion
was to disable SELinux entirely (or at least put it in permissive
mode) when we added it to begin with. It is also one of the reasons
we limited it to rawhide only. I wouldn't want to ship it in a
release without SELinux support working.

> I've been trying to work with the upstream kdbus developers on better
> notification/review of their next attempt, but the results thus far have been
> less than inspiring. There is a non-trivial chance that we may end up with
> kdbus in an upstream kernel release before we have the LSM/SELinux hooks ready
> for inclusion.

Hopefully that isn't the case. With the developers taking time to
rethink things, maybe keeping up the communication will help things
land at the same time.
josh