From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Subject: ANN: SELinux userspace 3.4-rc1 release candidate
Date: Thu, 07 Apr 2022 16:34:03 +0200 [thread overview]
Message-ID: <87bkxdnesk.fsf@redhat.com> (raw)
Hello,
A 3.4-rc1 release candidate for the SELinux userspace is now
available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://people.redhat.com/plautrba/plautrba@redhat.com.asc
Please give it a test and let us know if there are any issues.
If there are specific changes that you think should be called out
in release notes for packagers and users in the final release
announcement, let us know.
Thanks to all the contributors to this release candidate!
User-visible changes
--------------------
* A new selinux_restorecon_parallel(3) function that allows to run relabeling over multiple threads
* setfiles/restorecon/fixfiles support parallel relabeling via [ -T <N> ] threads option
* A new semodule options [ -m | --checksum ] to get SHA256 hashes of modules
* mcstrans ported to PCRE2
* libsepol/cil supports IPv4/IPv6 address embedding
* Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules
are changed externally
* A lot of static code analyse issues, fuzzer issues and compiler warnings fixed
* Translations split into sub-packages and updated from
https://translate.fedoraproject.org/projects/selinux/
* Bug fixes
Development-relevant changes
----------------------------
* ci: run the tests under ASan/UBsan on GHActions
Shortlog of changes since the 3.3 release
-----------------------------------------
Christian Göttsche (86):
libsepol: do not pass NULL to memcpy
libsemanage: do not sort empty records
libsemanage/tests: free memory
libselinux: use valid address to silence glibc 2.34 warnings
libsepol: avoid passing NULL pointer to memcpy
checkpolicy: use correct unsigned format specifiers
libsepol: use string literals as format strings
policycoreutils: use string literal as format strings
Enable extra global compiler warnings
checkpolicy: ignore possible string truncation
policycoreutils: mark local functions static
sandbox: mark local functions static
python: mark local functions static
mcstrans: avoid missing prototypes
libsemanage: mark local functions static
libsemanage: include paired header for prototypes
libsemanage: add extern prototype for legacy function
mcstrans: port to new PCRE2 from end-of-life PCRE
libselinux: use PCRE2 by default
Replace PCRE with PCRE2 build dependencies
libsepol/cil: support IPv4/IPv6 address embedding
checkpolicy: warn on bogus IP address or netmask in nodecon statement
cifuzz: enable report-unreproducible-crashes
cifuzz: use the default runtime of 600 seconds
libsepol/fuzz: silence secilc-fuzzer
libsepol: add libfuzz based fuzzer for reading binary policies
libsepol/fuzz: limit element sizes for fuzzing
libsepol: use logging framework in conditional.c
libsepol: use logging framework in ebitmap.c
libsepol: use mallocarray wrapper to avoid overflows
libsepol: use reallocarray wrapper to avoid overflows
libsepol: add checks for read sizes
libsepol: enforce avtab item limit
libsepol: clean memory on conditional insertion failure
libsepol: reject abnormal huge sid ids
libsepol: reject invalid filetrans source type
libsepol: zero member before potential dereference
libsepol: use size_t for indexes in strs helpers
libsepol: do not underflow on short format arguments
libsepol: do not crash on class gaps
libsepol: do not crash on user gaps
libsepol: use correct size for initial string list
libsepol: do not create a string list with initial size zero
libsepol: split validation of datum array gaps and entries
libsepol: validate MLS levels
libsepol: validate expanded user range and level
libsepol: validate permission count of classes
libsepol: resolve log message mismatch
libsepol: validate avtab and avrule types
libsepol: validate constraint expression operators and attributes
libsepol: validate type of avtab type rules
libsepol: validate ocontexts
libsepol: validate genfs contexts
libsepol: validate permissive types
libsepol: validate policy properties
libsepol: validate categories
libsepol: validate fsuse types
libsepol: validate class default targets
libsepol/cil: bail out on snprintf failure
libsepol: check for valid sensitivity before lookup
libsepol: check for saturated class name length
libsepol: return failure on saturated class name length
libsepol: drop trailing newlines in log messages
libsepol: handle type gaps
libsepol: invert only valid range of role bitmap
policycoreutils: handle argument counter of zero
libsepol: do not add gaps to string list
libsepol: use correct error type to please UBSAN
libsepol: more strict constraint validation
libsepol: validate several flags
checkpolicy: allow wildcard permissions in constraints
python/sepolgen: accept square brackets in FILENAME token
libsepol: NULL pointer offset fix
newrole: add Makefile target to test build options
newrole: silence compiler warnings
newrole: check for crypt(3) failure
newrole: ensure password memory erasure
libsepol: reject xperm av rules in conditional statements
libsepol: validate boolean datum arrays
libsepol/cil: silence GCC 12 array-bounds false positive
libsepol: add missing oom checks
libsepol: mark immutable mls and context parameter const
libsepol: mark immutable common helper parameter const
libsepol/cil: declare file local functions static
libsepol/cil: drop unused function cil_tree_error
libsepol/cil: post process pirqcon rules
Cutright Jacob (1):
Modified Russian and English man pages to fix typo; REQUIREUSERS -> REQUIRESEUSERS
Evgeny Vereshchagin (1):
ci: run the tests under ASan/UBsan on GHActions
James Carter (36):
libsepol: Add support for file types in writing out policy.conf
libsepol/cil: Refactor filecon file type handling
libsepol/cil: Allow optional file type in genfscon rules
secilc/docs: Document the optional file type for genfscon rules
libsepol: Write out genfscon file type when writing out CIL policy
libsepol/cil: Do not copy blockabstracts when inheriting a block
libsepol/cil: Mark as abstract all sub-blocks of an abstract block
libsepol/cil: Do not resolve names to declarations in abstract blocks
libsepol/cil: Ensure that the class in a classcommon is a kernel class
libsepol: Return an error if check_assertion() returns an error.
libsepol: Change label in check_assertion_avtab_match()
libsepol: Remove uneeded error messages in assertion checking
libsepol: Check for error from check_assertion_extended_permissions()
libsepol: Use consistent return checking style
libsepol: Move check of target types to before check for self
libsepol: Create function check_assertion_self_match() and use it
libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
libsepol: Remove unnessesary check for matching class
libsepol: Move assigning outer loop index out of inner loop
libsepol: Make use of previously created ebitmap when checking self
libsepol: Refactor match_any_class_permissions() to be clearer
libsepol: Make return value clearer when reporting neverallowx errors
libsepol: The src and tgt must be the same if neverallow uses self
libsepol: Set args avtab pointer when reporting assertion violations
libsepol: Fix two problems with neverallowxperm reporting
libsepol/cil: Add cil_get_log_level() function
libsepol/cil: Provide more control over reporting bounds failures
libsepol/cil: Limit the neverallow violations reported
libsepol/cil: Limit the amount of reporting for context rule conflicts
libsepol: Do a more thorough validation of constraints
libsepol/cil: Don't add constraint if there are no permissions
libsepol: Don't write out constraint if it has no permissions
libsepol/cil: Write a message when a log message is truncated
libsepol: Use calloc when initializing bool_val_to_struct array
libsepol: Validate conditional expressions
Add a file describing the security vulnerability handling process
Markus Linnala (1):
Use IANA-managed domain example.com in examples
Ondrej Mosnacek (14):
label_file: fix a data race
selinux_restorecon: simplify fl_head allocation by using calloc()
selinux_restorecon: protect file_spec list with a mutex
libselinux: make selinux_log() thread-safe
libselinux: make is_context_customizable() thread-safe
selinux_restorecon: add a global mutex to synchronize progress output
selinux_restorecon: introduce selinux_restorecon_parallel(3)
setfiles/restorecon: support parallel relabeling
libsemanage: add missing include to boolean_record.c
semodule,libsemanage: move module hashing into libsemanage
libsemanage: move compressed file handling into a separate object
libsemanage: clean up semanage_direct_commit() a bit
libsemanage: optionally rebuild policy when modules are changed externally
semodule: add command-line option to detect module changes
Petr Lautrbach (14):
semodule: add -m | --checksum option
semodule: Fix lang_ext column index
semodule: Don't forget to munmap() data
libselinux: Fix selinux_restorecon_parallel symbol version
semanage-fcontext.8: Drop extra )s after FILE_SPEC
policycoreutils/fixfiles: Use parallel relabeling
libselinux: Close leaked FILEs
libsemanage: Fall back to semanage_copy_dir when rename() fails
Split po/ translation files into the relevant sub-directories
Update translations from translate.fedoraproject.org
libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info()
semodule_package: Close leaking fd
mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects
Update VERSIONs to 3.4-rc1 for release.
Richard Haines (2):
libsepol: Add 'ioctl_skip_cloexec' policy capability
libsepol: Shorten the policy capability enum names
Thiébaud Weksteen (2):
libsepol: Populate and use policy name
libsepol: fix reallocarray imports
Topi Miettinen (1):
secilc: kernel policy language is infix
Vit Mojzis (3):
policycoreutils: Improve error message when selabel_open fails
libselinux: Strip spaces before values in config
libsemanage: allow spaces in user/group names
next reply other threads:[~2022-04-07 14:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-07 14:34 Petr Lautrbach [this message]
2022-04-13 8:48 ` [HEADS UP MISSING PATCH] Update python library and binding versions to 3.4-rc1 Petr Lautrbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bkxdnesk.fsf@redhat.com \
--to=plautrba@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.