Security
Align the SELinux policy with the current kernel
In Fedora 34, the SELinux policy has been updated to match the current kernel so that SELinux can use the features the kernel provides.
The SELinux policy improvements include new:
- classes: lockdown, perf_event
- permissions: watch, watch_mount, watch_reads, watch_sb, watch_with_perm
- capabilities: bpf, checkpoint_restore, perfmon
This update brings better granularity for granting permissions, which has subsequent security benefits.
Support for disabling SELinux through /etc/selinux/config has been removed
With this release, support for disabling SELinux through the SELINUX=disabled option in the /etc/selinux/config file has been removed from the kernel. Furthermore, the Anaconda installation program and the corresponding man pages have been updated to reflect this change. This change also enables read-only-after-initialization protection for the Linux Security Module (LSM) hooks.
If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line.
See the Changing SELinux states and modes section in Fedora Quick Docs and the change proposal at https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable for more information.
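Because SELINUX=disabled in /etc/selinux/config no longer turns SELinux off, a host that still relies on it will come up with SELinux active, and a host that was switched to the selinux=0 kernel parameter has no LSM protection at all. The following POSIX shell check is an added example written for this page (it is not part of the Fedora release notes); it reports which of the two mechanisms is in effect so that configuration drift can be spotted in an audit. The function names, the status strings it prints, and the sample config and command-line contents built in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Fedora's own code: classify how SELinux is (or is not)
# being disabled on a Fedora 34+ host.
#
# Prints exactly one of:
#   cmdline-disabled         selinux=0 is on the kernel command line (effective)
#   config-disabled-ignored  SELINUX=disabled is set in the config file, but
#                            since Fedora 34 the kernel ignores it, so SELinux
#                            is still active; the setting is stale
#   config-active            neither mechanism is present
#
# $1: path to the SELinux config file (default /etc/selinux/config)
# $2: path to the kernel command line   (default /proc/cmdline)
selinux_disable_status() {
    config="${1:-/etc/selinux/config}"
    cmdline="${2:-/proc/cmdline}"

    # selinux=0 must stand alone as a parameter, so anchor it on whitespace
    # or line boundaries rather than matching a substring.
    if [ -r "$cmdline" ] && \
       grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$cmdline"; then
        echo "cmdline-disabled"
        return 0
    fi

    # Match the uncommented SELINUX=disabled line only; a commented copy of the
    # option is routinely left in the shipped file.
    if [ -r "$config" ] && \
       grep -Eq '^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*disabled' "$config"; then
        echo "config-disabled-ignored"
        return 0
    fi

    echo "config-active"
}

# Demo on constructed files (assumed contents, not captured from a real host):
# a config that still says SELINUX=disabled and a command line without selinux=0.
demo_stale_config() {
    dir=$(mktemp -d)
    printf '# SELINUX=disabled\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$dir/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$dir/cmdline"
    selinux_disable_status "$dir/config" "$dir/cmdline"
    rm -rf "$dir"
}

# Demo with selinux=0 on the command line; the config file content is irrelevant.
demo_cmdline_disabled() {
    dir=$(mktemp -d)
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=0 quiet\n' > "$dir/cmdline"
    selinux_disable_status "$dir/config" "$dir/cmdline"
    rm -rf "$dir"
}

# When run directly, report the live host first, then the two constructed cases.
echo "this host: $(selinux_disable_status)"
echo "constructed stale config: $(demo_stale_config)"
echo "constructed selinux=0:    $(demo_cmdline_disabled)"
```

The "config-disabled-ignored" result is the one worth alerting on: it means an operator expects SELinux to be off while it is actually running, typically in whatever mode the policy defaults to, so AVC denials may appear that the host's runbooks do not anticipate. A "cmdline-disabled" result identifies hosts that have deliberately opted out of the LSM hooks and the read-only-after-initialization protection this change adds.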