[ANN] SELinux userspace release

[ANN] SELinux userspace release

[Stephen Smalley]

A new release of the SELinux userspace has been posted to:
http://userspace.selinuxproject.org/trac/wiki/Releases

For git users, a new tag has been pushed for this release, 20131013.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[Stephen Smalley]

On 10/30/2013 02:08 PM, Stephen Smalley wrote:
> A new release of the SELinux userspace has been posted to:
> http://userspace.selinuxproject.org/trac/wiki/Releases
> 
> For git users, a new tag has been pushed for this release, 20131013.

Sorry, that should be 20131030.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[Daniel J Walsh]

On 05/10/2014 08:03 AM, Sven Vermeulen wrote:
> On Tue, May 06, 2014 at 01:57:48PM -0400, Stephen Smalley wrote:
>> A new release of the SELinux userspace has been posted to:
>> http://userspace.selinuxproject.org/trac/wiki/Releases
>>
>> For git users, a new tag has been pushed for this release, 20140506
> Thanks; I've provided it for Gentoo users already.
>
> Yesterday I got notified about a vulnerability in libcap-ng & seunshare:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
>
> I found quite a lot of chatter on RedHat's bugzilla and several potential
> solutions; can we expect that the "proper" solution will be pushed to
> policycoreutils soon as well?
>
> The seunshare.c file hasn't been touched in a while so I assume it isn't in
> yet.
>
> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
I will send the patches for seunshare, although the fix was actually in
libcap-ng, which caused seunshare to break.

Re: [ANN] SELinux userspace release

[Sven Vermeulen]

On Tue, May 06, 2014 at 01:57:48PM -0400, Stephen Smalley wrote:
> A new release of the SELinux userspace has been posted to:
> http://userspace.selinuxproject.org/trac/wiki/Releases
> 
> For git users, a new tag has been pushed for this release, 20140506

Thanks; I've provided it for Gentoo users already.

Yesterday I got notified about a vulnerability in libcap-ng & seunshare:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215

I found quite a lot of chatter on RedHat's bugzilla and several potential
solutions; can we expect that the "proper" solution will be pushed to
policycoreutils soon as well?

The seunshare.c file hasn't been touched in a while so I assume it isn't in
yet.

Wkr,
	Sven Vermeulen

[ANN] SELinux userspace release

[Stephen Smalley]

A new release of the SELinux userspace has been posted to:
http://userspace.selinuxproject.org/trac/wiki/Releases

For git users, a new tag has been pushed for this release, 20140506

sepolgen did not change in this release.

Re: [Ann] SELinux userspace release

[Sven Vermeulen]

On Fri, Apr 26, 2013 at 08:36:05AM +0200, Sven Vermeulen wrote:
> > semanage permissive builds a module to make a permissive domain. On
> > Fedora there is an out-of-tree policy build environment in
> > /usr/share/selinux. Without this environment it can't build a module.
> > Does Gentoo have it in a different place or just not at all?
> 
> In the previous release it worked so I probably need to find where the
> location is coded and have that point to
> /usr/share/selinux/$SELINUXTYPE/include/Makefile or so. That is the
> Makefile used to build (refpolicy-style) policy modules here.

I've been able to get this to work by creating a /etc/selinux/sepolgen.conf
file that contains the following:

SELINUX_DEVEL_PATH=/usr/share/selinux/strict/include


> > > https://bugs.gentoo.org/show_bug.cgi?id=467268
> > >
> > > - policycoreutils' sepolicy command requires yum python bindings
> > >
> > > Since yum is not available on Gentoo, is this really necessary?
> > >
> >
> > Unfortunate. I'd exclude it for now and hopefully we can work out
> > making it more distro independent.
> 
> Certainly. I'll see if I can draft up something when I get more familiar
> with the required functionalities.

Well, I removed the yum dependency and the __extract_rpms method (+ the
call towards it). But trying to use sepolicy still gives me stacktraces that
I am having difficulties with to debug:

~$ sepolicy communicate -s portage_t 
Traceback (most recent call last):
  File "/usr/bin/sepolicy-2.7", line 464, in <module>
    args = parser.parse_args()
  File "/usr/lib64/python2.7/argparse.py", line 1688, in parse_args
    args, argv = self.parse_known_args(args, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1720, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1908, in _parse_known_args
    positionals_end_index = consume_positionals(start_index)
  File "/usr/lib64/python2.7/argparse.py", line 1885, in consume_positionals
    take_action(action, args)
  File "/usr/lib64/python2.7/argparse.py", line 1794, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/lib64/python2.7/argparse.py", line 1090, in __call__
    namespace, arg_strings = parser.parse_known_args(arg_strings, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1720, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib64/python2.7/argparse.py", line 1926, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib64/python2.7/argparse.py", line 1866, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib64/python2.7/argparse.py", line 1794, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/bin/sepolicy-2.7", line 63, in __call__
    from sepolicy.network import domains
  File "/usr/lib64/python2.7/site-packages/sepolicy/network.py", line 44, in <module>
    portrecs, portrecsbynum = _gen_port_dict()
  File "/usr/lib64/python2.7/site-packages/sepolicy/network.py", line 31, in _gen_port_dict
    for i in info(sepolicy.PORT):
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 182, in info
    dict_list = _policy.info(setype, name)
RuntimeError: No such file or directory

Any idea what this could be about?

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Ann] SELinux userspace release

[Sven Vermeulen]

[-- Attachment #1: Type: text/plain, Size: 1430 bytes --]

On Apr 26, 2013 1:15 AM, "Joshua Brindle" <brindle@quarksecurity.com> wrote:
>
> On Thu, Apr 25, 2013 at 4:01 PM, Sven Vermeulen
> <sven.vermeulen@siphos.be> wrote:
> > https://bugs.gentoo.org/show_bug.cgi?id=467264
> >
> > - using semanage permissive fails with stacktrace referring to a
Makefile on
> >   a non-existing location (/usr/share/selinux/default/Makefile)
> >
> > I have yet to find the culprit of this (getting late so that'll be for
> > tomorrow evening).
> >
>
> semanage permissive builds a module to make a permissive domain. On
> Fedora there is an out-of-tree policy build environment in
> /usr/share/selinux. Without this environment it can't build a module.
> Does Gentoo have it in a different place or just not at all?

In the previous release it worked so I probably need to find where the
location is coded and have that point to
/usr/share/selinux/$SELINUXTYPE/include/Makefile or so. That is the
Makefile used to build (refpolicy-style) policy modules here.

> >
> > https://bugs.gentoo.org/show_bug.cgi?id=467268
> >
> > - policycoreutils' sepolicy command requires yum python bindings
> >
> > Since yum is not available on Gentoo, is this really necessary?
> >
>
> Unfortunate. I'd exclude it for now and hopefully we can work out
> making it more distro independent.

Certainly. I'll see if I can draft up something when I get more familiar
with the required functionalities.

Wkr,
  Sven Vermeulen

[-- Attachment #2: Type: text/html, Size: 2034 bytes --]

Re: [Ann] SELinux userspace release

[Joshua Brindle]

On Thu, Apr 25, 2013 at 4:01 PM, Sven Vermeulen
<sven.vermeulen@siphos.be> wrote:
> On Tue, Apr 23, 2013 at 10:34:52AM -0400, Joshua Brindle wrote:
>> A new release of the SELinux userspace has been posted to:
>> http://userspace.selinuxproject.org/trac/wiki/Releases
>>
>> Most of the changes were bug fixes related to leaking file descriptors and
>> memory errors reported by Coverity. The full Changelog is in each package.
>
> I had a few issues while getting this release in Gentoo.
>

I suppose this is what I get for testing on Fedora with everything
already installed...

>
> https://bugs.gentoo.org/show_bug.cgi?id=467258
>
> - libselinux does not provide selinux_current_policy_path() but this method is
>   used in policycoreutils in a number of locations.
>
> I had to take the definition from this method from
> http://svnweb.mageia.org/packages/cauldron/libselinux/current/SOURCES/libselinux-rhat.patch?revision=400400&view=co&pathrev=400400
> (only included the definition in Gentoo for now). Seems that this is a
> much-needed function (otherwise tools like semanage just break).
>
>
> https://bugs.gentoo.org/show_bug.cgi?id=467264
>
> - using semanage permissive fails with stacktrace referring to a Makefile on
>   a non-existing location (/usr/share/selinux/default/Makefile)
>
> I have yet to find the culprit of this (getting late so that'll be for
> tomorrow evening).
>

semanage permissive builds a module to make a permissive domain. On
Fedora there is an out-of-tree policy build environment in
/usr/share/selinux. Without this environment it can't build a module.
Does Gentoo have it in a different place or just not at all?

>
> https://bugs.gentoo.org/show_bug.cgi?id=467268
>
> - policycoreutils' sepolicy command requires yum python bindings
>
> Since yum is not available on Gentoo, is this really necessary?
>

Unfortunate. I'd exclude it for now and hopefully we can work out
making it more distro independent.

> Wkr,
>         Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Ann] SELinux userspace release

[Sven Vermeulen]

On Tue, Apr 23, 2013 at 10:34:52AM -0400, Joshua Brindle wrote:
> A new release of the SELinux userspace has been posted to:
> http://userspace.selinuxproject.org/trac/wiki/Releases
> 
> Most of the changes were bug fixes related to leaking file descriptors and
> memory errors reported by Coverity. The full Changelog is in each package.

I had a few issues while getting this release in Gentoo.


https://bugs.gentoo.org/show_bug.cgi?id=467258

- libselinux does not provide selinux_current_policy_path() but this method is
  used in policycoreutils in a number of locations.

I had to take the definition from this method from
http://svnweb.mageia.org/packages/cauldron/libselinux/current/SOURCES/libselinux-rhat.patch?revision=400400&view=co&pathrev=400400
(only included the definition in Gentoo for now). Seems that this is a
much-needed function (otherwise tools like semanage just break).


https://bugs.gentoo.org/show_bug.cgi?id=467264

- using semanage permissive fails with stacktrace referring to a Makefile on
  a non-existing location (/usr/share/selinux/default/Makefile)

I have yet to find the culprit of this (getting late so that'll be for
tomorrow evening).


https://bugs.gentoo.org/show_bug.cgi?id=467268

- policycoreutils' sepolicy command requires yum python bindings

Since yum is not available on Gentoo, is this really necessary?

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[Ann] SELinux userspace release

[Joshua Brindle]

A new release of the SELinux userspace has been posted to:
http://userspace.selinuxproject.org/trac/wiki/Releases

Most of the changes were bug fixes related to leaking file descriptors and
memory errors reported by Coverity. The full Changelog is in each package.

For git users, a new tag has been pushed for this release, 20130423.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux userspace release

[Joshua Brindle]

A new release of the SELinux userspace is available at 
<http://userspace.selinuxproject.org/trac/wiki/Releases>.

Changes since the last release include:

Android/MacOS X build support
Boolean name substitution
PCRE for file_context labeling
Fix neverallow checking on attributes
Add always_check_network policy capability
Translations from the Fedora community
Various sandbox enhancements
Various bug fixes
Various man page updates

For git users this release has been tagged 20120924 in the repository on
userspace.selinuxproject.org.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN} SELinux Userspace Release

[Joshua Brindle]

A new release of the SELinux userspace is available at 
<http://userspace.selinuxproject.org/trac/wiki/Releases>.

Changes since the last release include:

- Various enhancements to dispol/dismod
- Many man page cleanups and updates
- Support for python3 in bindings
- Many makefile cleanups
- Support for tunables separate from booleans
- Various bug fixes
- Sandbox cgroup support
- Various Sandbox enhancements
- File context equivalence
- Various semanage enhancements and bug fixes
- Add semodule_unpackage

For git users this release has been tagged 20120216 in the repository on
userspace.selinuxproject.org.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux Userspace release

[Chad Sellers]

The SELinux userspace project has updated a release. As usual you can find
it at http://userspace.selinuxproject.org/trac/wiki/Releases.

New features in this release include:

* Support for on-the-fly sandboxing of applications, including X
applications
* Support for MLS/MCS translations
* Improved robustness in multithreaded processes
* Support for building under GCC 4.6
* Simplification of login context computation logic
* newrole support for libcap-ng
* Improved robustness in label computation

For git users this release has been tagged 20101221 in the repository on
userspace.selinuxproject.org.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux Userspace release

[Chad Sellers]

The SELinux userspace project has updated a release. As usual you can find
it at http://userspace.selinuxproject.org/trac/wiki/Releases.

New features in this release include:

semodule enable/disable support
audit2allow support for generating dontaudit rules
Improved support across distributions
Improved man pages and help output
Improved handling of auditing in userspace object managers when
dontaudit/auditallow rules are involved
Support for running genhomedircon without examining /etc/passwd

For git users this release has been tagged 20100525 in the repository on
userspace.selinuxproject.org.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux Userspace release

[Chad Sellers]

The SELinux userspace project has updated a release. As usual you can find
it at http://userspace.selinuxproject.org/trac/wiki/Releases.

New features in this release include:

Configurable bzip behavior in libsemanage
semanage dontaudit support
Proper semodule upgrade support
setfiles support for labeling when SELinux is not enabled
Support for multiple target OSes

For git users this release has been tagged 20091123 in the repository on
userspace.selinuxproject.org.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux Userspace release

[Joshua Brindle]

The SELinux userspace project has updated a release. As usual you can find it at 
http://userspace.selinuxproject.org/trac/wiki/Releases.

New features in this release include:

Label substitution
Virtual machine labeling
Per-service seuser support
Persistent dontaudit flag
Btrfs labeling support

For git users this release has been tagged 20090731 in the repository on 
userspace.selinuxproject.org.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[Eamon Walsh]

KaiGai Kohei wrote:
> Joshua Brindle wrote:
>   
>> KaiGai Kohei wrote:
>>     
>>> Joshua Brindle wrote:
>>>       
>>>> The SELinux userspace project has updated a release. As usual you can 
>>>> find it at http://userspace.selinuxproject.org/trac/wiki/Releases.
>>>>
>>>> This is primarily a bug fix release. The added features are policy 
>>>> module module compression support and AVC caching for compute_create 
>>>> results.
>>>>
>>>> This release does not include an updated release of the stable_1_0 
>>>> branch, which has not been updated since the last release.
>>>>
>>>> For git users this release has been tagged 20090403 in the repository 
>>>> on userspace.selinuxproject.org.
>>>>         
>>> Joshua, when the following features will be available in the libselinux?
>>>
>>>  - Expose avc_netlink_loop() for applications.
>>>    http://marc.info/?l=selinux&m=123838949914769&w=2
>>>       

Pushed to 2.0.80.

>>>  - Permissive domains in userspace.
>>>    http://marc.info/?l=selinux&m=123855044416037&w=2
>>>       

Pushed to 2.0.80.

>>>  - selabel_lookup(3) support for database objects.
>>>    http://marc.info/?l=selinux&m=123840173526150&w=2
>>>       

Under review still.

>>>       
>> These patches are being reviewed by Eamon AFAIK so once he acks them or 
>> merges them.
>>     
>
> OK, I'll wait for a while more.
>
> In addition, I've forgottn to note the patch.
> - A new API: security_deny_unknown()
>    http://marc.info/?l=selinux&m=123863254719835&w=2
>   

Pushed to 2.0.80.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[KaiGai Kohei]

Joshua Brindle wrote:
> KaiGai Kohei wrote:
>> Joshua Brindle wrote:
>>> The SELinux userspace project has updated a release. As usual you can 
>>> find it at http://userspace.selinuxproject.org/trac/wiki/Releases.
>>>
>>> This is primarily a bug fix release. The added features are policy 
>>> module module compression support and AVC caching for compute_create 
>>> results.
>>>
>>> This release does not include an updated release of the stable_1_0 
>>> branch, which has not been updated since the last release.
>>>
>>> For git users this release has been tagged 20090403 in the repository 
>>> on userspace.selinuxproject.org.
>>
>> Joshua, when the following features will be available in the libselinux?
>>
>>  - Expose avc_netlink_loop() for applications.
>>    http://marc.info/?l=selinux&m=123838949914769&w=2
>>
>>  - Permissive domains in userspace.
>>    http://marc.info/?l=selinux&m=123855044416037&w=2
>>
>>  - selabel_lookup(3) support for database objects.
>>    http://marc.info/?l=selinux&m=123840173526150&w=2
>>
> 
> These patches are being reviewed by Eamon AFAIK so once he acks them or 
> merges them.

OK, I'll wait for a while more.

In addition, I've forgottn to note the patch.
- A new API: security_deny_unknown()
   http://marc.info/?l=selinux&m=123863254719835&w=2

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[Joshua Brindle]

KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> The SELinux userspace project has updated a release. As usual you can 
>> find it at http://userspace.selinuxproject.org/trac/wiki/Releases.
>>
>> This is primarily a bug fix release. The added features are policy 
>> module module compression support and AVC caching for compute_create 
>> results.
>>
>> This release does not include an updated release of the stable_1_0 
>> branch, which has not been updated since the last release.
>>
>> For git users this release has been tagged 20090403 in the repository 
>> on userspace.selinuxproject.org.
> 
> Joshua, when the following features will be available in the libselinux?
> 
>  - Expose avc_netlink_loop() for applications.
>    http://marc.info/?l=selinux&m=123838949914769&w=2
> 
>  - Permissive domains in userspace.
>    http://marc.info/?l=selinux&m=123855044416037&w=2
> 
>  - selabel_lookup(3) support for database objects.
>    http://marc.info/?l=selinux&m=123840173526150&w=2
> 

These patches are being reviewed by Eamon AFAIK so once he acks them or merges them.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux userspace release

[KaiGai Kohei]

Joshua Brindle wrote:
> The SELinux userspace project has updated a release. As usual you can 
> find it at http://userspace.selinuxproject.org/trac/wiki/Releases.
> 
> This is primarily a bug fix release. The added features are policy 
> module module compression support and AVC caching for compute_create 
> results.
> 
> This release does not include an updated release of the stable_1_0 
> branch, which has not been updated since the last release.
> 
> For git users this release has been tagged 20090403 in the repository on 
> userspace.selinuxproject.org.

Joshua, when the following features will be available in the libselinux?

  - Expose avc_netlink_loop() for applications.
    http://marc.info/?l=selinux&m=123838949914769&w=2

  - Permissive domains in userspace.
    http://marc.info/?l=selinux&m=123855044416037&w=2

  - selabel_lookup(3) support for database objects.
    http://marc.info/?l=selinux&m=123840173526150&w=2

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[ANN] SELinux userspace release

[Joshua Brindle]

The SELinux userspace project has updated a release. As usual you can find it at 
http://userspace.selinuxproject.org/trac/wiki/Releases.

This is primarily a bug fix release. The added features are policy module module 
compression support and AVC caching for compute_create results.

This release does not include an updated release of the stable_1_0 branch, which 
has not been updated since the last release.

For git users this release has been tagged 20090403 in the repository on 
userspace.selinuxproject.org.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.