On Fri, Aug 04, 2017 at 02:57:20PM -0400, Stephen Smalley wrote:
> The 20170804 / 2.7 release for the SELinux userspace release is now
> available from:
> https://github.com/SELinuxProject/selinux/wiki/Releases

Thanks for bringing us this new release!

>
> Below are some notes on this release for packagers and users of the
> SELinux userspace. git log and git shortlog output for all changes
> since the 20161014 / 2.6 release are linked from the release page.
> Thanks to all the contributors to this release!
>
> If you notice corrections or additional items that should be added to
> the release notes (below and also linked from the releases page), reply
> to this message with your suggested changes/additions and we'll add
> them to the one linked from the releases page too.
>
> * This is the first release with the split up policycoreutils (see
> https://www.mail-archive.com/selinux@xxxxxxxxxxxxx/msg02914.html and
> the rest of that thread). Fedora already packages many of these
> components separately, although not always with the same organization
> and naming scheme. Note that a number of these components are not
> necessary for basic use of SELinux and likely should not be installed
> by default, e.g. selinux-dbus, selinux-gui, mcstrans, restorecond,
> selinux-sandbox.
>
> * libsepol now has binary module support for ioctl xperms rules
> (module version 18), making it possible to use allowxperm rules in
> modularly built refpolicy-based policies. Previously, ioctl xperms
> rules were only supported in monolithic policy and in CIL modules.
> This change means that refpolicy and/or policies derived from it can
> begin to leverage ioctl whitelisting, which has already been leveraged
> for some time in Android policies, which do not rely on binary modules.
>
> * This release introduces support for Infiniband object labeling,
> including support for kernel policy version 31 and module version 19,
> policy.conf and CIL language support, and semanage support. The
> corresponding kernel support was introduced in Linux v4.13.
>
> * This release introduces support for building policies with the
> extended_socket_class, cgroup_seclabel, and nnp_nosuid_transition
> policy capabilities enabled:
>
> ** The extended_socket_class policy capability allows distinctions to
> be made in policy among socket address families that were previously
> mapped to the generic socket class (e.g. bluetooth, nfc, and many
> other socket address families that previously did not have their own
> distinct security class) as well as for SCTP and ICMP/ping sockets
> that were previously mapped to the rawip_socket class. This policy
> capability is supported by Linux v4.11 and later. Enabling this
> capability in policy requires reviewing existing rules on socket and
> rawip_socket classes to determine whether they should be duplicated
> for the new classes.
>
> ** The cgroup_seclabel policy capability allows userspace to set
> labels on cgroup/cgroup2 files, enabling fine-grained labeling of
> cgroup files by userspace. This policy capability is also supported
> by Linux v4.11 and later. Note that enabling this capability will
> break current Android userspace/policy and requires introducing
> appropriate file_contexts definitions for cgroup files (or a change to
> the Android init program's handling of them) in order to avoid
> mislabeling them.
>
> ** The nnp_nosuid_transition policy capability enables SELinux domain
> transitions to occur under no_new_privs (NNP) or on nosuid mounts if
> the corresponding permission (nnp_transition for NNP,
> nosuid_transition for nosuid; both in the newly defined process2
> security class / access vector) is allowed between the old and new
> contexts. This change was motivated by the increasing use of NNP by
> systemd for confining system services and the desire to be able to
> leverage NNP/nosuid-provided protections in combination with SELinux
> rather than having to make undesirable tradeoffs in security. With
> this policy capability enabled and the corresponding permissions
> allowed where required, it should be possible to use upstream systemd
> unit files without modification on SELinux-enabled systems.
> NB: Allowing nnp_transition between two contexts opens up the
> potential for the old context to subvert the new context by
> installing seccomp filters before the execve. Allowing
> nosuid_transition between two contexts opens up the potential for
> a context transition to occur on a file from an untrusted
> filesystem (e.g. removable media or remote filesystem). Use with
> care. Linux support is expected with 4.14.
>
> * checkpolicy now supports generating CIL or policy.conf from a
> kernel binary policy. Sample usage is checkpolicy -M -C -b policy.N -o
> policy.cil and checkpolicy -M -F -b policy.N -o policy.conf. There is
> also now a secil2conf program that can generate policy.conf from CIL,
> e.g. secil2conf -o policy.conf policy.cil.
>
> * Attribute generation and expansion has changed in several ways in
> order to address kernel runtime performance issues that occur when
> types have many attributes assigned to them while ensuring preservation
> of attributes where desired. Binary module to CIL conversion now
> ensures that duplicate attributes are not generated for the same type
> set. secilc now supports -G and -X options to force expansion of
> automatically generated attributes (-G) and/or attributes that have
> fewer than a specified number of types (-X number). secilc will also
> now more aggressively expand attributes based on whether they will
> actually be used by the kernel, are needed for debugging denials by
> audit2allow/why, or are needed for neverallow checking of binary
> policies (in Android). New statements are supported in policy.conf
> (expandattribute) and in CIL (expandtypeattribute) to support
> specifying in source policy that specific attributes should always be
> expanded or never be expanded in order to override the default
> behaviors in checkpolicy and secilc.

This statement (expandtypeattribute) should probably be documented in
the secilc docs:
https://github.com/SELinuxProject/selinux/tree/master/secilc/docs

>
> * checkpolicy/checkmodule now treats it as an error if a type is
> declared as an attribute or vice versa in a require block. Such
> mismatches between declarations and require statements are an error in
> policy and should be corrected in policy; refpolicy master should
> already be fixed.
>
> * A change to libsepol-internal data structures breaks the build of
> setools4. This is fixed by setools4 commit
> 743d2a0eaaae7d99302dd3099549ca7ad868eab on the master branch. The
> change was to align the libsepol structures with the kernel in order to
> allow direct comparison of libsepol-generated policy files against
> /sys/fs/selinux/policy after normalizing them through checkpolicy.
>
> * audit2why now understands type bounds failures and reports them as
> such, although it does not yet provide detailed reporting. Detailed
> bounds violation reporting can be obtained already by enabling
> expand-check=1 in semanage.conf or by running semodule_expand (without
> -a) at policy validation time.
>
> * libsemanage now saves the linked policy and skips re-linking
> whenever possible. This significantly improves the performance and
> memory overhead of semanage commands that do not affect policy modules
> (setting booleans and adding, deleting, or modifying local context
> mappings). Previously, libsemanage only skipped re-linking when setting
> booleans as a special case, but this was found to have a bug that could
> yield duplicate object context entries (e.g. portcon) in policy. That
> optimization was therefore reverted and replaced with this one, which
> both fixes the bug and generalizes the optimization beyond just setting
> booleans. The change does bring an associated storage cost, primarily
> storing an extra copy of the kernel policy file (if a concern, this
> could be made optional but it seems well worth it). The first semanage
> or setsebool -P command run with the new libsemanage will not
> demonstrate any improvement due to needing to generate the linked
> policy for the first time, but subsequent commands will leverage the
> saved linked policy.
>
> * libsemanage no longer depends on ustr.
>
> * libselinux/utils Makefile now uses SBINDIR instead of USRBINDIR.
>
> * mcstrans/utils Makefile now uses SBINDIR instead of BINDIR.
>
> * Some packages (libselinux, checkpolicy, selinux-python,
> semodule-utils and mcstrans) require LIBSEPOLA to be set to the
> absolute path to libsepol.a when building with DESTDIR set.
>
> * policycoreutils make install no longer creates a symlink from
> /usr/sbin/load_policy to /sbin/load_policy.
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
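A CIL fragment, added here as an illustration and not taken from Stephen's announcement or from the selinux repository, tying together two items above: the nnp_nosuid_transition policy capability with its process2 permissions, and the new expandtypeattribute statement. The type names init_t and service_t, the attribute service_domain, and the presence of a process class in the surrounding base policy are assumptions; the rest of the policy (roles, users, sids, contexts) is assumed to be declared elsewhere.

```cil
; Added example, not part of the 2.7 release notes or the selinux project.
; Enable the capability so the kernel (4.14 expected) consults the new
; process2 permissions instead of refusing transitions under NNP/nosuid.
(policycap nnp_nosuid_transition)

; The new class carries the two permissions named in the announcement.
; Assumes a "process" class already exists in the base policy.
(class process2 (nnp_transition nosuid_transition))
(classorder (process process2))

; Assumed types: init_t launches a service under no_new_privs,
; service_t is the target domain of that service.
(type init_t)
(type service_t)

; The ordinary process transition permission is still required;
; nnp_transition is checked in addition to it when NNP is in effect.
(allow init_t service_t (process (transition)))
(allow init_t service_t (process2 (nnp_transition)))
; nosuid_transition is deliberately not allowed here: per the NB in the
; release notes it would permit a transition on a file from an untrusted
; (nosuid) filesystem, which this policy does not want.

; Keep an assumed attribute unexpanded in the kernel policy so that
; audit2why/audit2allow output still refers to it, overriding secilc's
; default expansion heuristics. Passing true instead would force
; expansion (e.g. for an attribute kept only for neverallow checking).
(typeattribute service_domain)
(typeattributeset service_domain (service_t))
(expandtypeattribute (service_domain) false)
```

The policy.conf equivalent of the last statement is expandattribute service_domain false; as handled by checkpolicy.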