On Tue, Nov 3, 2015 at 2:25 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote: > On Thursday, October 29, 2015 07:36:13 PM Josh Boyer wrote: >> Hi All, >> >> We will be removing the kdbus driver from Rawhide kernels before the >> 4.3 final release upstream. Realistically, this means kdbus will be >> gone from Fedora by Monday November 2nd at the latest. If you have a >> setup using kdbus, please adjust it accordingly. >> >> The upstream developers asked me to remove the module from Fedora >> while they rethink some of the approach they are taking with kdbus. > > This is just a heads-up ... > > In the future we need to be careful when re-enabling kdbus in Fedora kernels > so that we ensure the necessary SELinux access controls are in place at the > same time. Without the proper LSM/SELinux access controls, kdbus provides a > communication channel which could violate SELinux security policies and > prevent a nasty regression with respect to access control. That's fine, but I think we already knew that? I mean, the suggestion was to disable SELinux entirely (or at least put it in permissive mode) when we added it to begin with. It is also one of the reasons we limited it to rawhide only. I wouldn't want to ship it in a release without SELinux support working. > I've been trying to work with the upstream kdbus developers on better > notification/review of their next attempt, but the results thus far have been > less than inspiring. There is a non-trivial chance that we may end up with > kdbus in an upstream kernel release before we have the LSM/SELinux hooks ready > for inclusion. Hopefully that isn't the case. With the developers taking time to rethink things, maybe keeping up the communication will help things land at the same time. josh -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
