From f73defeb4bfff33adf1e8307183be4ddde4afcf3 Mon Sep 17 00:00:00 2001 From: Jaroslav Klech Date: Apr 01 2021 15:03:36 +0000 Subject: [PATCH 1/2] Describes iss#650 --- diff --git a/modules/release-notes/pages/sysadmin/Security.adoc b/modules/release-notes/pages/sysadmin/Security.adoc index dcabdc5..711a40e 100644 --- a/modules/release-notes/pages/sysadmin/Security.adoc +++ b/modules/release-notes/pages/sysadmin/Security.adoc @@ -3,3 +3,15 @@ include::{partialsdir}/entities.adoc[] [[sect-security]] = Security + +== Align the SELinux policy with the latest kernel + +In Fedora 34 release, the SELinux policy has been updated to reflect the changes in the latest kernel. + +The enhancements to the SELinux policy include new: + +* classes: `lockdown`, `perf_event` +* permissions: `watch`, `watch_mount`, `watch_reads`, `watch_sb`, `watch_with_perm` +* capabilities: `bpf`, `checkpoint_restore`, `perfmon` + +This update brings better granularity for granting permissions and also enhances security. From 2d3059ccc654a650adbdcf554f1f9bad0c892d2a Mon Sep 17 00:00:00 2001 From: Jaroslav Klech Date: Apr 06 2021 08:17:32 +0000 Subject: [PATCH 2/2] Applies SME review --- diff --git a/modules/release-notes/pages/sysadmin/Security.adoc b/modules/release-notes/pages/sysadmin/Security.adoc index 711a40e..4a3f25b 100644 --- a/modules/release-notes/pages/sysadmin/Security.adoc +++ b/modules/release-notes/pages/sysadmin/Security.adoc @@ -4,9 +4,9 @@ include::{partialsdir}/entities.adoc[] [[sect-security]] = Security -== Align the SELinux policy with the latest kernel +== Align the SELinux policy with the current kernel -In Fedora 34 release, the SELinux policy has been updated to reflect the changes in the latest kernel. +In Fedora 34 release, the SELinux policy has been updated to match the state in the current kernel so that SELinux can utilize the kernel provided features. The enhancements to the SELinux policy include new: 
@@ -14,4 +14,4 @@ The enhancements to the SELinux policy include new: * permissions: `watch`, `watch_mount`, `watch_reads`, `watch_sb`, `watch_with_perm` * capabilities: `bpf`, `checkpoint_restore`, `perfmon` -This update brings better granularity for granting permissions and also enhances security. +This update brings better granularity for granting permissions, which has subsequent security benefits.
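Review bot: in the bullet list added by [PATCH 1/2] (`* permissions: ...` and `* capabilities: ...`), the new permissions are listed without the object classes they belong to, so a reader cannot tell which policy rules are affected. Suggest naming the classes that carry the `watch*` permissions and the class that carries `bpf`, `checkpoint_restore` and `perfmon`, or linking to the change tracked in iss#650 for the details.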
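Review bot: the rewritten opening sentence in the first hunk of [PATCH 2/2] still reads "In Fedora 34 release", which needs an article ("In the Fedora 34 release") or should be shortened to "In Fedora 34". In the same sentence, "kernel provided features" should be hyphenated as "kernel-provided features", and "match the state in the current kernel" would be clearer if it said what is being matched, namely the classes, permissions and capabilities listed below it.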
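Review bot: the replacement closing sentence in the second hunk of [PATCH 2/2] ("which has subsequent security benefits") does not say what the benefit is, and "subsequent" reads oddly where "resulting" seems to be meant. Suggest either stating the benefit directly, tied to the finer granularity the sentence already mentions, or ending the sentence after "granting permissions".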