On Tuesday, November 03, 2015 02:34:34 PM Josh Boyer wrote:
> On Tue, Nov 3, 2015 at 2:25 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
> > On Thursday, October 29, 2015 07:36:13 PM Josh Boyer wrote:
> >> Hi All,
> >>
> >> We will be removing the kdbus driver from Rawhide kernels before the
> >> 4.3 final release upstream. Realistically, this means kdbus will be
> >> gone from Fedora by Monday November 2nd at the latest. If you have a
> >> setup using kdbus, please adjust it accordingly.
> >>
> >> The upstream developers asked me to remove the module from Fedora
> >> while they rethink some of the approach they are taking with kdbus.
> >
> > This is just a heads-up ...
> >
> > In the future we need to be careful when re-enabling kdbus in Fedora
> > kernels so that we ensure the necessary SELinux access controls are in
> > place at the same time. Without the proper LSM/SELinux access controls,
> > kdbus provides a communication channel which could violate SELinux
> > security policies and prevent a nasty regression with respect to access
> > control.
>
> That's fine, but I think we already knew that? I mean, the suggestion
> was to disable SELinux entirely (or at least put it in permissive
> mode) when we added it to begin with. It is also one of the reasons
> we limited it to rawhide only. I wouldn't want to ship it in a
> release without SELinux support working.

Consider it just a reminder then ... inclusion w/o SELinux support in
Rawhide is fine, I just didn't want to see it slip into proper release
without proper SELinux support.

> > I've been trying to work with the upstream kdbus developers on better
> > notification/review of their next attempt, but the results thus far have
> > been less than inspiring. There is a non-trivial chance that we may end
> > up with kdbus in an upstream kernel release before we have the
> > LSM/SELinux hooks ready for inclusion.
>
> Hopefully that isn't the case. With the developers taking time to
> rethink things, maybe keeping up the communication will help things
> land at the same time.

Yes, that is my hope too, but recent conversations have not made me
overly optimistic about this.

--
paul moore
security @ redhat

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel