* ANN: SELinux userspace release 3.2
@ 2021-03-04 16:36 Petr Lautrbach
From: Petr Lautrbach @ 2021-03-04 16:36 UTC (permalink / raw)
To: selinux
Hello!
The 3.2 release for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
Thanks to all the contributors to this release!
User-visible changes
--------------------
* libsepol implemented a new, more space-efficient form of storing filename
transitions in the binary policy and reduced the size of the binary policy
* libselinux: Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
Note: if you need to `umount /sys/fs/selinux`, you need to use a lazy umount
(`umount -l /sys/fs/selinux`), as the kernel status page /sys/fs/selinux/status
stays mapped by processes like systemd, dbus and sshd.
* Tools using sepolgen, e.g. audit2allow, print extended permissions in
hexadecimal
* sepolgen sorts extended rules like normal ones
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit format.
* matchpathcon converted to selabel_lookup() - no more "matchpathcon is
deprecated" warning
* libsepol and libsemanage dropped old and deprecated symbols and functions
libsepol version was bumped to libsepol.so.2
libsemanage version was bumped to libsemanage.so.2
* Release version for the whole project is the same as for subcomponents, e.g.
instead of 20210118 it's 3.2-rc1
* Improved usability of `getseuser`
* Fixed several issues in cil code found by OSS-FUZZ
* `setfiles` doesn't abort on labeling errors
* libsemanage tries to sync data to prevent empty files in SELinux module store
* Improved secilc documentation - fenced code blocks, syntax highlighting, custom
color theme, ...
* Better error reporting in getconlist
* Release version for the whole project is the same as for subcomponents, e.g.
instead of 20210304 it's 3.2
* Improved man pages
* Bug fixes
Development-relevant changes
----------------------------
* License the CI scripts with a permissive, OSI approved license, such as MIT
* Several CI improvements
* Added configuration to build and run tests in GitHub Actions
* CI contains configuration for a Vagrant virtual machine - instructions on how
to use it are documented at the beginning of Vagrantfile.
* `scripts/release` was improved to be more robust and release a source repository
Packaging-relevant changes
--------------------------
* Both libsepol and libsemanage bumped their soname versions. In particular,
libsemanage is linked into shadow-utils, and a direct update might cause problems in
buildroots. Also SETools needs to be rebuilt against libsepol.so.2
* Source repository snapshot selinux-3.2-rc2.tar.gz is available on the release page
* sestatus is installed as /usr/bin/sestatus by default. The original /usr/sbin/sestatus is
a relative symlink to /usr/bin/sestatus.
Issues fixed
------------
* https://github.com/SELinuxProject/selinux/issues/245
* https://github.com/SELinuxProject/selinux/issues/270
Shortlog of changes since the 3.1 release
-----------------------------------------
Antoine Tenart (1):
policycoreutils: setfiles: do not restrict checks against a binary policy
Bernhard M. Wiedemann (1):
python/sepolicy: allow to override manpage date
Björn Bidar (2):
libselinux: Add build option to disable X11 backend
libselinux: LABEL_BACKEND_ANDROID add option to enable
Chris PeBenito (5):
libselinux: Remove trailing slash on selabel_file lookups.
libselinux: Add new log callback levels for enforcing and policy load notices.
libselinux: Fix selabel_lookup() for the root dir.
libselinux: Add additional log callback details in man page for auditing.
libselinux: Change userspace AVC setenforce and policy load messages to audit format.
Christian Göttsche (10):
sepolgen: print extended permissions in hexadecimal
sepolgen: sort extended rules like normal ones
libselinux: use full argument specifiers for security_check_context in man page
libselinux: safely access shared memory in selinux_status_updated()
libselinux: initialize last_policyload in selinux_status_open()
libselinux: accept const fromcon in get_context API
libselinux: update getseuser
libselinux/getconlist: report failures
policycoreutils/fixfiles.8: add missing file systems and merge check and verify
libsepol/cil: handle SID without assigned context when writing policy.conf
Dominick Grift (5):
secilc/docs: document expandtypeattribute
newrole: support cross-compilation with PAM and audit
cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
cil_network_labeling_statements: fixes nodecon examples
secilc: fixes cil_role_statements.md example
Evgeny Vereshchagin (1):
libsepol/cil: always destroy the lexer state
Hu Keping (3):
Introduce VERSION file for selinux
Use X.Y instead of date for release tag
Simplify the tarball generating scripts
Jakub Hrozek (1):
libsemanage: Free contents of modkey in semanage_direct_remove
James Carter (17):
libsepol/cil: Validate constraint expressions before adding to binary policy
libsepol/cil: Validate conditional expressions before adding to binary policy
libsepol/cil: Fix neverallow checking involving classmaps
libsepol/cil: Give error for more than one true or false block
libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
libsepol/cil: Get rid of unnecessary check in cil_gen_node()
libsepol/cil: Remove unused field from struct cil_args_resolve
libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
libsepol/cil: Use the macro NODE() whenever possible
libsepol/cil: Use the macro FLAVOR() whenever possible
libsepol/cil: Update symtab nprim field when adding or removing datums
libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
libsepol/cil: Fix heap-use-after-free when using optional blockinherit
libsepol/cil: Fix integer overflow in the handling of hll line marks
libsepol/cil: Destroy disabled optional blocks after pass is complete
libsepol: Create function ebitmap_highest_set_bit()
libsepol: Validate policydb values when reading binary policy
Laurent Bigonville (1):
restorecond: Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
Mike Palmiotto (1):
libselinux: use kernel status page by default
Nicolas Iooss (31):
libselinux: convert matchpathcon to selabel_lookup()
libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
libsepol: drop confusing BUG_ON macro
libsepol: silence potential NULL pointer dereference warning
libsepol: free memory when realloc() fails
Add configuration to build and run tests in GitHub Actions
scripts/ci: add configuration for a Vagrant virtual machine
GitHub Actions: upgrade to Python 3.9
GitHub Actions: drop Ruby 2.4 from matrix
libsepol/cil: remove useless print statement
libsepol/cil: fix NULL pointer dereference when using an unused alias
libsepol/cil: do not add a stack variable to a list
libsepol/cil: propagate failure of cil_fill_list()
libsepol/cil: constify some strings
libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
libsepol/cil: fix NULL pointer dereference when parsing an improper integer
libsepol: destroy filename_trans list properly
GitHub Actions: run SELinux testsuite in Fedora virtual machine
libsepol/cil: fix memory leak when a constraint expression is too deep
libsepol/cil: unlink blockinherit->block link when destroying a block
scripts/release: make the script more robust, and release a source repository snapshot
libsepol: remove unused files
libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
libsepol: include header files in source files when matching declarations
libsepol/cil: fix NULL pointer dereference with empty macro argument
libsepol/cil: be more robust when encountering <src_info>
libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
libselinux: rename gettid() to something which never conflicts with the libc
libsepol: invalidate the pointer to the policydb if policydb_init fails
restorecond: invalidate local_lock_fd properly when closing it
Ondrej Mosnacek (9):
libsepol,checkpolicy: optimize storage of filename transitions
libsepol: implement POLICYDB_VERSION_COMP_FTRANS
ci: use parallel build
ci: bump Fedora image version to 33
selinux(8): mark up SELINUX values
selinux(8): explain that runtime disable is deprecated
selinux_config(5): add a note that runtime disable is deprecated
ci: add new dependencies needed by selinux-testsuite
travis: run only selinux-testsuite
Petr Lautrbach (20):
Update VERSIONs and Python bindings version to 3.1 for release
libsepol: Get rid of the old and duplicated symbols
libsepol: Drop deprecated functions
libsepol: Bump libsepol.so version
libsemanage: Remove legacy and duplicate symbols
libsemanage: Drop deprecated functions
libsemanage: Bump libsemanage.so version
Revert "libsemanage/genhomedircon: check usepasswd"
libselinux: Always close status page fd
Update VERSIONs and Python bindings version to 3.2-rc1 for release
setfiles: Do not abort on labeling error
setfiles: drop ABORT_ON_ERRORS and related code
libsemanage: sync filesystem with sandbox
policycoreutils/setfiles: Drop unused nerr variable
Update VERSIONs to 3.2-rc2 for release.
libselinux: fix segfault in add_xattr_entry()
policycoreutils: Resolve path in restorecon_xattr
Update VERSIONs to 3.2-rc3 for release.
sepolicy: Do not try to load policy on import
Update VERSIONs to 3.2 for release.
Stephen Smalley (1):
libselinux: fix build order
Vit Mojzis (6):
libsemanage/genhomedircon: check usepasswd
python/semanage: empty stdout before exiting on BrokenPipeError
python/semanage: Sort imports in alphabetical order
python/sepolgen: allow any policy statement in if(n)def
selinux(8,5): Describe fcontext regular expressions
gui: fix "file type" selection in fcontextPage
W. Michael Petullo (1):
python/audit2allow: add #include <limits.h> to sepolgen-ifgen-attr-helper.c
William Roberts (2):
scripts/ci: license as MIT
ci: fix stall on git log -1
bauen1 (6):
Update the cil docs to match the current behaviour.
fixfiles: correctly restore context of mountpoints
secilc/docs: use fenced code blocks for cil examples
secilc/docs: add syntax highlighting for secil
secilc/docs: add custom color theme
policycoreutils: sestatus belongs to bin not sbin
lutianxiong (1):
libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
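The kernel status page that the libselinux item above switches to, as an added example that is not part of this announcement or of the libselinux code: a Python reader that maps /sys/fs/selinux/status and takes a consistent snapshot with the same seqlock discipline that libselinux's selinux_status_updated() applies. The field layout is the kernel's struct selinux_kernel_status (five packed u32s: version, sequence, enforcing, policyload, deny_unknown). FakePage, schedule_update and stall_mid_update are constructed test doubles used to show a torn read and a stalled writer; they do not correspond to anything in the kernel or libselinux.

```python
"""Read the SELinux kernel status page without libselinux.

Added example, not code from the SELinux userspace project.  It mirrors the
seqlock-style read libselinux performs over the mmap()'ed
/sys/fs/selinux/status page (avc_init(3), "KERNEL STATUS PAGE").

Layout of struct selinux_kernel_status (kernel security/selinux/include/
security.h), five packed native-endian u32s:
    version, sequence, enforcing, policyload, deny_unknown
"sequence" is odd while the kernel is rewriting the page and even when the
page is stable; a snapshot is valid only if the sequence is even and the
same before and after the field reads.
"""
import mmap
import os
import struct
import sys

U32 = "=I"                       # native byte order, no padding (__packed)
FIELDS = ("version", "sequence", "enforcing", "policyload", "deny_unknown")


class StatusUnstable(Exception):
    """No consistent snapshot could be taken (writer kept the page busy)."""


def read_status(read_u32, max_retries=32):
    """Return a dict snapshot of the page using seqlock read rules.

    read_u32(field_index) must fetch the current value of that u32 slot from
    the shared mapping on every call; only then is the before/after sequence
    comparison meaningful.
    """
    for _ in range(max_retries):
        seq_before = read_u32(1)
        if seq_before & 1:                  # update in progress: spin
            continue
        values = [read_u32(i) for i in range(len(FIELDS))]
        if read_u32(1) != seq_before:       # page changed under us: retry
            continue
        snap = dict(zip(FIELDS, values))
        if snap["version"] < 1:
            raise ValueError("unsupported status page version %d" % snap["version"])
        return snap
    raise StatusUnstable("page did not settle after %d attempts" % max_retries)


def open_status_page(path="/sys/fs/selinux/status"):
    """Map the real page read-only and return a read_u32 closure over it.

    The mapping lives as long as the process, which is why a plain umount of
    /sys/fs/selinux fails while such processes exist and `umount -l` is needed.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        mm = mmap.mmap(fd, mmap.PAGESIZE, prot=mmap.PROT_READ)
    finally:
        os.close(fd)                        # mapping survives closing the fd
    return lambda idx: struct.unpack_from(U32, mm, idx * 4)[0]


class FakePage:
    """Constructed in-memory stand-in for the kernel page (demo/test only).

    kernel_update() follows the kernel's writer protocol: bump sequence to
    odd, rewrite fields, bump to even.  schedule_update() applies such an
    update in the middle of a reader's accesses so a torn read is produced
    deterministically; stall_mid_update() leaves the page with an odd sequence.
    """

    def __init__(self, enforcing=1, policyload=0, deny_unknown=0, version=1):
        self.buf = bytearray(struct.pack("=IIIII", version, 0, enforcing,
                                         policyload, deny_unknown))
        self.reads = 0
        self.pending = None                 # (after_reads, changes)

    def _set(self, idx, value):
        struct.pack_into(U32, self.buf, idx * 4, value)

    def _get(self, idx):
        return struct.unpack_from(U32, self.buf, idx * 4)[0]

    def kernel_update(self, **changes):
        seq = self._get(1)
        self._set(1, seq + 1)               # odd: writer active
        for name, value in changes.items():
            self._set(FIELDS.index(name), value)
        self._set(1, seq + 2)               # even: stable again

    def schedule_update(self, after_reads, **changes):
        self.pending = (after_reads, changes)

    def stall_mid_update(self):
        self._set(1, self._get(1) | 1)

    def read_u32(self, idx):
        self.reads += 1
        if self.pending and self.reads == self.pending[0]:
            self.kernel_update(**self.pending[1])
            self.pending = None
        return self._get(idx)


def main(argv):
    path = argv[1] if len(argv) > 1 else "/sys/fs/selinux/status"
    try:
        snap = read_status(open_status_page(path))
    except (OSError, StatusUnstable, ValueError) as exc:
        print("cannot read %s: %s" % (path, exc), file=sys.stderr)
        return 1
    print("enforcing=%(enforcing)d policyload=%(policyload)d "
          "deny_unknown=%(deny_unknown)d (sequence %(sequence)d)" % snap)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root or any user that can open /sys/fs/selinux/status; comparing policyload between two snapshots is how a long-running daemon notices a policy reload without a netlink socket, which is exactly what the new default buys.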