kdbus module being removed from Rawhide
Josh Boyer
jwboyer at fedoraproject.org
Tue Nov 3 19:34:34 UTC 2015
On Tue, Nov 3, 2015 at 2:25 PM, Paul Moore <pmoore at redhat.com> wrote:
> On Thursday, October 29, 2015 07:36:13 PM Josh Boyer wrote:
>> Hi All,
>>
>> We will be removing the kdbus driver from Rawhide kernels before the
>> 4.3 final release upstream. Realistically, this means kdbus will be
>> gone from Fedora by Monday November 2nd at the latest. If you have a
>> setup using kdbus, please adjust it accordingly.
>>
>> The upstream developers asked me to remove the module from Fedora
>> while they rethink some of the approach they are taking with kdbus.
>
> This is just a heads-up ...
>
> In the future we need to be careful when re-enabling kdbus in Fedora kernels
> so that we ensure the necessary SELinux access controls are in place at the
> same time. Without the proper LSM/SELinux access controls, kdbus provides a
> communication channel which could violate SELinux security policies and
> prevent a nasty regression with respect to access control.
That's fine, but I think we already knew that? I mean, the suggestion
was to disable SELinux entirely (or at least put it in permissive
mode) when we added it to begin with. It is also one of the reasons
we limited it to rawhide only. I wouldn't want to ship it in a
release without SELinux support working.
> I've been trying to work with the upstream kdbus developers on better
> notification/review of their next attempt, but the results thus far have been
> less than inspiring. There is a non-trivial chance that we may end up with
> kdbus in an upstream kernel release before we have the LSM/SELinux hooks ready
> for inclusion.
Hopefully that isn't the case. With the developers taking time to
rethink things, maybe keeping up the communication will help things
land at the same time.
josh
More information about the devel
mailing list