A 2.9-rc1 release candidate for the SELinux userspace is now
available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
Please give it a test and let us know if there are any issues.
If there are specific changes that you think should be called out in
release notes for packagers and users in the final release
announcement, let us know.
Thanks to all the contributors to this release candidate!
User-visible changes:
* Spelling errors were fixed in libselinux man pages
* audit2allow supports xperms now. There are new '-x'/'--xperms' options which
  turn on generation of extended permission AV rules.
* semanage login is fixed so that it no longer logs two audit events, only one
  of which was correct.
* libsemanage resets umask before creating directories so that file permissions
  should not change after a change is committed.
* The correct user name is used in ROLE_REMOVE audit events.
* The noise produced by the checkpolicy command line tool is reduced now.
* A new option '-S' or '--sort' is added to checkpolicy to sort the ocontexts
  before writing out the binary policy.
* sepolicy and semanage accept aliases now.
* The deprecated at_console statement was removed from dbus configuration.
* semanage export output includes ibpkey and ibendport now.
* audit2why can be run as non-root user now.
Packaging-relevant changes:
* Usage of DESTDIR in restorecond is consistent with other directories now
Issues fixed:
* https://github.com/SELinuxProject/selinux/issues/81
* https://github.com/SELinuxProject/selinux/issues/97
* https://github.com/SELinuxProject/selinux/issues/108
* https://github.com/SELinuxProject/selinux/issues/109
* https://github.com/SELinuxProject/selinux/issues/119
* https://github.com/SELinuxProject/selinux/issues/121
* https://github.com/SELinuxProject/selinux/issues/123
A shortlog of changes since the 2.8 release is below.
Hollis Blanchard (1):
Fix build break around __atomic_*() with GCC<4.7
James Carter (7):
libsepol: Create policydb_sort_ocontexts()
checkpolicy: Add option to sort ocontexts when creating a binary policy
libsepol: Rename kernel_to_common.c stack functions
libsepol: Eliminate initial sid string definitions in module_to_cil.c
libsepol: Check that initial sid indexes are within the valid range
libsepol: Add two new Xen initial SIDs
libsepol: mark permissive types when loading a binary policy
Jan Zarsky (3):
python/sepolgen: print all AV rules correctly
python/sepolgen: fix access vector initialization
python: add xperms support to audit2allow
Laurent Bigonville (7):
policycoreutils: Fix typo in newrole.1 manpage
secilc: Make the clean target call the clean target of docs/
libselinux: Fix spelling errors in manpages
libselinux: Fix line wrapping in selabel_file.5
libselinux: fix the whatis line for the selinux_boolean_sub.3 manpage
restorecond: Fix consistancy of DESTDIR usage
libsemanage: Always set errno to 0 before calling getpwent()
Mr Stid (1):
Fix snprintf truncated error
Nick Kralevich via Selinux (3):
checkpolicy: remove extraneous policy build noise
whitespace and spelling cleanup
secilc: better error handling
Nicolas Iooss (70):
libsepol: cil: silence clang analyzer false positive
libsepol: do not leak memory if list_prepend fails
libsepol: remove some dead assignments
libsepol: do not call malloc with 0 byte
libsepol: remove unused variable
checkpolicy: destroy the class datum if it fails to initialize
libsepol: destroy the copied va_list
python/sepolgen: fix typo in PathChoooser name
policycoreutils/secon: fix typo in comment
policycoreutils/secon: free scon_trans before returning
policycoreutils/hll/pp: remove unused variable
libsepol/tests: read_binary_policy() does not use f.handle
libsepol/tests: fix use of unitialized variable
libsepol/cil: use a colon instead of a semicolon to report rc
scripts: add a helper script to run clang's static analyzer
restorecond: close the PID file if writing to it failed
Travis-CI: use new location of refpolicy repository
mcstrans: fix memory leaks reported by clang's static analyzer
python/semanage: fix Python syntax of catching several exceptions
libselinux: fix flake8 warnings in SWIG-generated code
python/sepolgen: do not import twice the modules
python/sepolgen: return NotImplemented instead of raising it
python/sepolicy: drop unused CheckPolicyType
python/sepolicy: use lowercase variable name
python/sepolgen: fix refpolicy parsing of "permissive"
python/sepolgen: silence linter warning about has_key
python/sepolgen: remove buggy code
python/sepolgen: use self when accessing members in FilesystemUse
python/sepolicy: fix "procotol" misspelling
python/sepolicy: use variables which exist in the gui.py
python/sepolicy: do not import sepolicy.generate.DAEMON twice
python/sepolicy: do not import types
python/sepolicy: add missing % in network tab help text
Travis-CI: run flake8 on Python code
libsemanage: reindent pywrap-test.py with spaces
libsemanage: make pywrap-test.py compatible with Python 3
libselinux: add a const to suppress a build warning with Python 3.7
Travis-CI: upgrade to Ubuntu 16.04 LTS Xenial Xerus
python: remove semicolon from end of lines
libsemanage: use previous seuser when getting the previous name
semanage: "semanage user" does not use -s, fix documentation
semanage: add a missing space in ibendport help
libselinux: selinux_restorecon: fix printf format string specifier for uint64_t
gui: remove html_util.py
python/chcat: improve the code readability
python/chcat: fix removing categories on users with Fedora default setup
python/semanage: do not show "None" levels when using a non-MLS policy
mcstrans: convert test scripts to Python 3
mcstrans: fix Python linter warnings on test scripts
python/sepolgen: always indent with 4 spaces
semanage_migrate_store: fix many Python linter warnings
semanage_migrate_store: remove unused loading of libsepol.so
semanage_migrate_store: switch to space indentation
python/sepolgen: upgrade ply to release 3.11
python/sepolgen: close /etc/selinux/sepolgen.conf after parsing it
python/audit2allow/sepolgen-ifgen: add missing \n to error message
python/audit2allow/sepolgen-ifgen: show errors on stderr
python/audit2allow: allow using audit2why as non-root user
python/semanage: explain why sepolicy is imported in a function
Travis-CI: download refpolicy and install headers
python/audit2allow: make the tests useful again
python/audit2allow: use local sepolgen-ifgen-attr-helper for tests
python/sepolgen: refpolicy installs its Makefile in include/Makefile
python: run all the tests with "make test"
scripts/run-flake8: run on Python scripts not ending with .py
python/sepolicy: initialize mislabeled_files in __init__()
libselinux: do not dereference symlink with statfs in selinux_restorecon
Travis-CI: upgrade PyPy to 6.0
Travis-CI: add Ruby 2.6 to the test matrix
scripts: introduce env_use_destdir.sh helper
Ondrej Mosnacek (3):
restorecond: Do not ignore the -f option
libsepol: fix endianity in ibpkey range checks
libsepol: add missing ibendport port validity check
Petr Lautrbach (9):
python/sepolicy: search() also for dontaudit rules
mcstrans: Fix check in raw_color()
python/semanage: move valid_types initialisations to class constructors
python/semanage: import sepolicy only when it's needed
python/sepolicy: Add sepolicy.load_store_policy(store)
python/semanage: Load a store policy and set the store SELinux policy root
python/sepolicy: Make policy files sorting more robust
libselinux/audit2why.so: Filter out non-python related symbols
Update VERSIONs to 2.9-rc1 for release.
Stephen Smalley (5):
README: Update the SELinux mailing list location
libselinux: fix overly strict validation of file_contexts.bin
libsepol: ibpkeys.c: fix printf format string specifiers for subnet_prefix
libsemanage: set selinux policy root around calls to selinux_boolean_sub
setsebool: support use of -P on SELinux-disabled hosts
Tom Gundersen (1):
dbus: remove deprecated at_console statement
Vit Mojzis (13):
python/semanage: Stop logging loginRecords changes
python/semanage: Fix logger class definition
python/semanage: Replace bare except with specific one
libsemanage: reset umask before creating directories
libsemanage: Include user name in ROLE_REMOVE audit events
python/sepolicy: Update to work with setools-4.2.0
python/sepolicy: Fix "info" to search aliases as well
python/sepolicy: Stop rejecting aliases in sepolicy commands
python/semanage: Stop rejecting aliases in semanage commands
python: replace aliases with corresponding type names
python/semanage: Include MCS/MLS range when exporting local customizations
python/semanage: Start exporting "ibendport" and "ibpkey" entries
python/chcat: use check_call instead of getstatusoutput
William Roberts (3):
Makefile: fix _FORTIFY_SOURCE redefined build error
build: set _FORTIFY_SOURCE=2 in libselinux
Makefile: add -Wstrict-overflow=5 to CFLAGS
Yuli Khodorkovskiy (2):
libsemanage: improve semanage_migrate_store import failure
mcstrans: remove unused getpeercon_raw() call
Yuri Chornoivan (1):
Fix minor typos
liwugang (1):
checkpolicy: check the result value of hashtable_search