* ANN: SELinux userspace 3.0-rc1 release candidate
@ 2019-10-31 9:43 Petr Lautrbach
From: Petr Lautrbach @ 2019-10-31 9:43 UTC
To: SElinux list
Hello,
A 3.0-rc1 release candidate for the SELinux userspace is now
available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
If there are specific changes that you think should be called out
in release notes for packagers and users in the final release
announcement, let us know.
Thanks to all the contributors to this release candidate!
User-visible changes:
* Optional support for kernel policy optimization (enable with
optimize-policy=true in /etc/selinux/semanage.conf for modular policy or -O
option to checkpolicy/secilc for monolithic policy); this is optional because it
provides relatively small savings with non-trivial policy compile-time overhead
for some policies e.g. Android.
* New digest scheme for setfiles/restorecon -D; instead of a single hash of the
entire file contexts configuration stored in a security.restorecon_last xattr on
only the top-level directory, use a hash of all partial matches from file
contexts stored in a security.sehash xattr on each directory,
* Support for default_range glblub in source policy (.te/policy.conf and CIL)
and kernel policy version 32,
* New libselinux APIs for querying validatetrans rules,
* Unknown permissions are now handled as errors in CIL,
* security_av_string() no longer returns immediately upon encountering an
unknown permission and will log all known permissions,
* checkmodule -c support for specifying module policy version,
* mcstransd reverted to original color range matching based on dominance,
* Support for 'dccp' and 'sctp' protocols in semanage port command,
* 'checkpolicy -o -' writes policy to standard output,
* 'semodule -v' also sets CIL's log level
Issues fixed:
* https://github.com/SELinuxProject/selinux/issues/61
* https://github.com/SELinuxProject/selinux/issues/137
* https://github.com/SELinuxProject/selinux/issues/138
* https://github.com/SELinuxProject/selinux/issues/167
* https://github.com/SELinuxProject/selinux/issues/169
* https://github.com/SELinuxProject/selinux/issues/176
A shortlog of changes since the 2.9 release:
Aleksei Nikiforov (1):
Update man pages translation by Olesya Gerasimenko
Gary Tierney (2):
checkmodule: add support for specifying module policy version
dismod: print policy version of loaded modules
James Carter (4):
checkpolicy: add flag to enable policy optimization
libsepol: Make an unknown permission an error in CIL
libsepol: Remove cil_mem_error_handler() function pointer
libsepol: Further improve binary policy optimization
Jan Zarsky (11):
libsemanage: add helper functions to tests
libsemanage: test semanage_handle_* functions
libsemanage: test semanage_bool_* functions
libsemanage: test semanage_fcontext functions
libsemanage: test semanage_iface_* functions
libsemanage: test semanage_ibendport_* functions
libsemanage: test semanage_node_* functions
libsemanage: test semanage_port_* functions
libsemanage: test semanage_user_* functions
libsemanage: test semanage_context_* functions
libsemanage: test semanage_msg_default_handler
Jason Zaman (1):
policycoreutils: semodule: Enable CIL logging
Jokke Hämäläinen (2):
libsepol: Check strdup() failures
libsepol: Replace constant with sizeof()
Joshua Brindle (2):
Add security_validatetrans support
Add default_range glblub support
Laurent Bigonville (4):
restorecond: Do not link against libpcre
Add documentation key in systemd .service files
mcstrans: Move setrans.conf manpage to section 5
mcstrans: Add reference to setools.conf man page in the daemon one
Masatake YAMATO (3):
checkpolicy: remove a redundant if-condition
checkpolicy: update the description for -o option in the man page
checkpolicy: allow to write policy to stdout
Mike Palmiotto (2):
libsepol/cil: fix mlsconstrain segfault
libselinux: fix string conversion of unknown perms
Nicolas Iooss (23):
restorecond: use /run instead of /var/run
libsepol: include module.c internal header in module_to_cil.c
libsepol: initialize a local variable once
libselinux: ensure that digest_len is not zero
libsemanage: include internal header to use the hidden function prototypes
libsepol: do not dereference a failed allocated pointer
semodule-utils: fix comparison with argc
libsepol: do not dereference scope if it can be NULL
libsepol: reset *p to NULL if sepol_module_package_create fails
libsepol/cil: do not dereference perm_value_to_cil when it has not been allocated
python/chcat: remove unnecessary assignment
python/sepolicy: remove unnecessary pass statement
libsepol/tests: do not dereference a NULL pointer
Add configuration file for lgtm.com
Fix many misspellings
libselinux: ensure strlen() is not called on NULL
libselinux: do not add rc to pos twice
CircleCI: run scan-build and publish its results automatically
libsepol, libsemanage: add a macro to silence static analyzer warnings in tests
libsemanage/tests: return when str is NULL
libsemanage/tests: check that string pointers are not NULL before comparing them
libselinux: mark all exported function "extern"
libsemanage: mark all exported function "extern"
Ondrej Mosnacek (6):
libsepol: add ebitmap_for_each_set_bit macro
run_init: fix build when crypt() is not in unistd.h
libsepol: add a function to optimize kernel policy
libsemanage: optionally optimize policy on rebuild
secilc: add flag to enable policy optimization
sepolicy: generate man pages in parallel
Petr Lautrbach (12):
gui: Install polgengui.py to /usr/bin/selinux-polgengui
gui: Install .desktop files to /usr/share/applications by default
semanage/semanage-boolean.8: Fix a minor typo
Add CONTRIBUTING.md
libselinux: Use Python distutils to install SELinux python bindings
policycoreutils/fixfiles: Fix [-B] [-F] onboot
policycoreutils/fixfiles: Force full relabel when SELinux is disabled
gui: Fix remove module in system-config-selinux
python/semanage: Do not use default s0 range in "semanage login -a"
Switch last 2 files using /usr/bin/env to /usr/bin/python3
libsepol: Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping
Update VERSIONs to 3.0-rc1 for release.
Richard Haines (6):
libsepol/cil: Allow validatetrans rules to be resolved
libselinux: Fix security_get_boolean_names build error
libselinux: Save digest of all partial matches for directory
setfiles: Update utilities for the new digest scheme
selinux: Remove legacy local boolean and user code
selinux: Update manpages after removing legacy boolean and user code
Stephen Smalley (1):
python/sepolicy: call segenxml.py with python3
Unto Sten (9):
Global replace exit(0) with more readable exit(EXIT_SUCCESS)
Unify code style to preserve my sanity
another style fix
Check strdup() failure
Trivial style improvements
Trivial style fixes
Remove unneeded int
Remove redundant if-clause
More accurate error messages
Vit Mojzis (8):
Revert "mcstransd select correct colour range."
Fix mcstrans secolor examples
policycoreutils/fixfiles: Fix "verify" option
python/semanage: Improve handling of "permissive" statements
python/semanage: fix moduleRecords.customized()
libsemanage: Add support for DCCP and SCTP protocols
python/semanage: Add support for DCCP and SCTP protocols
python/semanage: Document DCCP and SCTP support
xunchang (2):
Restorecon: factor out a lookup helper for context matches
libselinux: Ignore the stem when looking up all matches in file context
Petr
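One way to check which digest scheme a labelled tree carries after the upgrade, as an added example that is not part of the announcement or of the SELinux project's own tools: the two xattr names come from the digest-scheme bullet above, while the function names and the scheme labels are my own, and the digest bytes are shown as hex without interpreting their layout.

```python
import os

# xattr names from the announcement: the legacy single hash that restorecon -D
# kept only on the top-level directory, and the new per-directory hash of all
# partial file-context matches introduced in 3.0.
LEGACY_XATTR = "security.restorecon_last"
NEW_XATTR = "security.sehash"

def read_xattr(path, name):
    """Raw xattr value, or None when absent, unsupported, or unreadable.
    os.getxattr is Linux-only; other platforms simply report None."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        return getxattr(path, name, follow_symlinks=False)
    except OSError:  # ENODATA, ENOTSUP, EACCES, ... all mean "no digest here"
        return None

def classify(has_legacy, has_new):
    """Name the digest scheme a directory carries (labels are my own)."""
    if has_new and has_legacy:
        return "both"    # new hash written, legacy top-level hash not removed
    if has_new:
        return "sehash"  # 3.0 scheme
    if has_legacy:
        return "legacy"  # pre-3.0 scheme
    return "none"        # never relabelled with -D, or xattrs unsupported

def audit_tree(root):
    """Walk every directory under root and record its digest scheme."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        legacy = read_xattr(dirpath, LEGACY_XATTR)
        new = read_xattr(dirpath, NEW_XATTR)
        report[dirpath] = {
            "scheme": classify(legacy is not None, new is not None),
            # digest bytes shown as hex; the layout is opaque to this check
            "sehash": new.hex() if new is not None else None,
        }
    return report

def summarize(report):
    """Count directories per scheme, e.g. {'sehash': 120, 'legacy': 1}."""
    counts = {}
    for entry in report.values():
        counts[entry["scheme"]] = counts.get(entry["scheme"], 0) + 1
    return counts
```

Run `summarize(audit_tree("/etc"))` after `restorecon -D` to see how many directories carry the new per-directory digest and whether any legacy top-level hash is left behind.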
* Re: ANN: SELinux userspace 3.0-rc1 release candidate
From: Nicolas Iooss @ 2019-11-01 10:54 UTC
To: Petr Lautrbach, SElinux list
On Thu, Oct 31, 2019 at 10:43 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Hello,
>
> A 3.0-rc1 release candidate for the SELinux userspace is now
> available at:
>
> https://github.com/SELinuxProject/selinux/wiki/Releases
>
> Please give it a test and let us know if there are any issues.
>
> If there are specific changes that you think should be called out
> in release notes for packagers and users in the final release
> announcement, let us know.
Hello, I started testing this RC on a test virtual machine (which uses
Arch Linux and refpolicy) and something changed in a quite unexpected
way: "semodule --verbose" is now a lot more noisy than 2.9. Here is an
example of what I get when rebuilding the policy:
# semodule --verbose -B
Committing changes:
Disabling optional 'ada_optional_6' at
/var/lib/selinux/refpolicy/tmp/modules/400/ada/cil:63
Failed to resolve typeattributeset statement at
/var/lib/selinux/refpolicy/tmp/modules/400/ada/cil:66
Disabling optional 'anaconda_optional_9' at
/var/lib/selinux/refpolicy/tmp/modules/400/anaconda/cil:183
Failed to resolve typeattributeset statement at
/var/lib/selinux/refpolicy/tmp/modules/400/anaconda/cil:189
Disabling optional 'apache_optional_92' at
/var/lib/selinux/refpolicy/tmp/modules/400/apache/cil:3449
Failed to resolve typeattributeset statement at
/var/lib/selinux/refpolicy/tmp/modules/400/apache/cil:3499
...
Such an output could be useful when debugging issues about optional
modules, but it may make other issues harder to find among all the
messages. Would it be possible to hide these specific messages by
default in verbose mode?
Thanks,
Nicolas
* Re: [Non-DoD Source] Re: ANN: SELinux userspace 3.0-rc1 release candidate
From: jwcart2 @ 2019-11-01 13:43 UTC
To: Nicolas Iooss, Petr Lautrbach, SElinux list
On 11/1/19 6:54 AM, Nicolas Iooss wrote:
> On Thu, Oct 31, 2019 at 10:43 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Hello,
>>
>> A 3.0-rc1 release candidate for the SELinux userspace is now
>> available at:
>>
>> https://github.com/SELinuxProject/selinux/wiki/Releases
>>
>> Please give it a test and let us know if there are any issues.
>>
>> If there are specific changes that you think should be called out
>> in release notes for packagers and users in the final release
>> announcement, let us know.
>
> Hello, I started testing this RC on a test virtual machine (which uses
> Arch Linux and refpolicy) and something changed in a quite unexpected
> way: "semodule --verbose" is now a lot more noisy than 2.9. Here is an
> example of what I get when rebuilding the policy:
>
> # semodule --verbose -B
> Committing changes:
> Disabling optional 'ada_optional_6' at
> /var/lib/selinux/refpolicy/tmp/modules/400/ada/cil:63
> Failed to resolve typeattributeset statement at
> /var/lib/selinux/refpolicy/tmp/modules/400/ada/cil:66
> Disabling optional 'anaconda_optional_9' at
> /var/lib/selinux/refpolicy/tmp/modules/400/anaconda/cil:183
> Failed to resolve typeattributeset statement at
> /var/lib/selinux/refpolicy/tmp/modules/400/anaconda/cil:189
> Disabling optional 'apache_optional_92' at
> /var/lib/selinux/refpolicy/tmp/modules/400/apache/cil:3449
> Failed to resolve typeattributeset statement at
> /var/lib/selinux/refpolicy/tmp/modules/400/apache/cil:3499
> ...
>
> Such an output could be useful when debugging issues about optional
> modules, but it may make other issues harder to find among all the
> messages. Would it be possible to hide these specific messages by
> default in verbose mode?
>
I can turn these into CIL_INFO messages rather than CIL_WARN messages. That will
hide them.
Jim
> Thanks,
> Nicolas
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency