Re: ANN: SELinux userspace 3.1-rc1 release candidate

Am Mo., 18. Mai 2020 um 14:52 Uhr schrieb Petr Lautrbach <plautrba@xxxxxxxxxx>:
>
> Hello,
>
> A 3.1-rc1 release candidate for the SELinux userspace is now
> available at:
>
> https://github.com/SELinuxProject/selinux/wiki/Releases
>
> Please give it a test and let us know if there are any issues.
>
> If there are specific changes that you think should be called out
> in release notes for packagers and users in the final release
> announcement, let us know.
>

I think some further changes can be mentioned:

* the dso wrappers for internal calls were removed (and as a result I
think it is now strongly recommended to compile with
`-fno-semantic-interposition`?)

* `security_compute_user()` was deprecated (usage of
/sys/fs/selinux/user { security:compute_user } might be revisited)

* commit 42b13ba15a1ef5764eea8b84196fa5a1aea2e094 ("checkpolicy: Treat
invalid characters as an error") might (intentionally) break rare
use cases


>
> Thanks to all the contributors to this release candidate!
>
>
> User-visible changes:
>
> * selinux/flask.h and selinux/av_permissions.h were removed
>
>   The flask.h and av_permissions.h header files were deprecated and
>   all selinux userspace references to them were removed in
>   commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>   back in 2014 and included in the 20150202 / 2.4 release.
>   All userspace object managers should have been updated
>   to use the dynamic class/perm mapping support since that time.
>   Remove these headers finally to ensure that no users remain and
>   that no future uses are ever introduced.
>
>   Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
>   permission names to their policy values, or selinux_set_mapping(3) to create a
>   mapping from class and permission index values used by the application to the
>   policy values.
>
> * Support for new polcap genfs_seclabel_symlinks
>
> * New `setfiles -E` option - treat conflicting specifications as errors, such
> as where two hardlinks for the same inode have different contexts.
>
> * `restorecond_user.service` - new systemd user service which runs `restorecond -u`
>
> * `setsebool -V` reports errors from commit phase
>
> * Improved man pages
>
> * `semanage` uses ipaddress Python module instead of IPy
>
> * matchpathcon related interfaces are deprecated
>
> * selinuxfs is mounted with noexec and nosuid
>
> * Improved README which was renamed to README.md and converted to markdown.
>
> * `setup.py` builds can be customized using PYTHON_SETUP_ARGS, e.g. for the
>   Debian Python layout use: `make PYTHON_SETUP_ARGS=--install-layout=deb ...`
>
>
> Issues fixed:
>
> * https://github.com/SELinuxProject/selinux/issues/239
> * https://github.com/SELinuxProject/selinux/issues/237
> * https://github.com/SELinuxProject/selinux/issues/225
> * https://github.com/SELinuxProject/selinux/issues/217
> * https://github.com/SELinuxProject/selinux/issues/204
> * https://github.com/SELinuxProject/selinux/issues/187
> * https://github.com/SELinuxProject/selinux/issues/179
> * https://github.com/SELinuxProject/selinux/issues/164
> * https://github.com/SELinuxProject/selinux/issues/70
> * https://github.com/SELinuxProject/selinux/issues/28
>
> A shortlog of changes since the 3.0 release:
>
> Adam Duskett (1):
>       Fix building against musl and uClibc libc libraries.
>
> Chris PeBenito (2):
>       libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.
>       setfiles: Add -E option to treat conflicting specifications as errors.
>
> Christian Göttsche (10):
>       libsepol: add support for new polcap genfs_seclabel_symlinks
>       libselinux: drop error return from is_selinux_enabled documentation
>       libsepol: set correct second argument of (t1 == t2) constraint
>       checkpolicy: add missing forward declaration
>       tree-wide: replace last occurrences of security_context_t
>       tree-wide: use python module importlib instead of the deprecated imp
>       libsemanage: clarify handle-unknown configuration setting in man page
>       semodule: mention ignoredirs setting in genhomedircon man page
>       libselinux: mark security_context_t typedef as deprecated
>       tree-wide: introduce PYTHON_SETUP_ARGS to customize setup.py calls on Debian
>
> Daniel Burgener (2):
>       checkpolicy: Treat invalid characters as an error
>       checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.
>
> Dominick Grift (1):
>       mcstrans: start early and stop late
>
> James Carter (6):
>       libsepol/cil: Fix bug in cil_copy_avrule() in extended permission handling
>       libsepol/cil: Rewrite verification of map classes and classpermissionsets
>       libsepol: Create the macro ebitmap_is_empty() and use it where needed
>       libsepol/cil: Check if name is a macro parameter first
>       libsepol/cil: Do not check flavor when checking for duplicate parameters
>       Revert "libsepol/cil: raise default attrs_expand_size to 2"
>
> Joshua Schmidlkofer (1):
>       python/semanage: check variable type of port before trying to split
>
> Mikhail Novosyolov (1):
>       libselinux: Fix Ru translation of failsafe context
>
> Nick Kralevich (1):
>       label_file.c: Fix MAC build
>
> Nicolas Iooss (16):
>       libsepol: make ebitmap_cardinality() of linear complexity
>       libselinux: add missing glue code to grab errno in Python bindings
>       libselinux: copy the reason why selinux_status_open() returns 1
>       libselinux: make context_*_set() return -1 when an error occurs
>       libselinux/utils: remove unneeded variable in Makefile
>       libselinux,libsemanage: remove double blank lines
>       python/semanage: check rc after getting it
>       restorecond: migrate to GDbus API provided by glib-gio
>       restorecond: add systemd user service
>       restorecond/user: handle SIGTERM properly
>       libsepol/tests: drop ncurses dependency
>       README: add much useful information
>       scripts/env_use_destdir: fix Fedora support
>       scripts/env_use_destdir: propagate PREFIX, LIBDIR, BINDIR, etc.
>       Travis-CI: upgrade to Ubuntu 18.04 and latest releases of Python and Ruby
>       python/sepolicy: silence new flake8 warnings
>
> Ondrej Mosnacek (16):
>       libsepol: fix CIL_KEY_* build errors with -fno-common
>       libsepol: remove leftovers of cil_mem_error_handler
>       checkpolicy: remove unused te_assertions
>       Makefile: always build with -fno-common
>       libsemanage: preserve parent Makefile's flags in debug mode
>       Travis-CI: test that DEBUG build works
>       libsepol/cil: remove unnecessary hash tables
>       libsepol: cache ebitmap cardinality value
>       libsepol, newrole: remove unused hashtab functions
>       libsepol: grow hashtab dynamically
>       Revert "libsepol: cache ebitmap cardinality value"
>       libsepol/cil: raise default attrs_expand_size to 2
>       secilc: add basic test for policy optimization
>       libsepol: skip unnecessary check in build_type_map()
>       libsepol: optimize inner loop in build_type_map()
>       libsepol: speed up policy optimization
>
> Petr Lautrbach (9):
>       libselinux: Eliminate use of security_compute_user()
>       Convert README to README.md
>       python/semanage: Use ipaddress module instead of IPy
>       restorecond: Rename restorecond-user.service to restorecond_user.service
>       restorecond: Use pkg-config to get locations for systemd units
>       semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
>       run-flake8: Filter out ./.git/ directory
>       secilc: Fix policy optimization test
>       Update VERSIONs to 3.1-rc1 for release.
>
> Richard Filo (1):
>       libselinux: Add missing errno setup
>
> Stephen Smalley (8):
>       libselinux: remove flask.h and av_permissions.h
>       libselinux: update man pages for userspace policy enforcers
>       libselinux: export flush_class_cache(), call it on policyload
>       libsepol,checkpolicy: support omitting unused initial sid contexts
>       libselinux: deprecate security_compute_user(), update man pages
>       libsepol,checkpolicy: remove use of hardcoded security class values
>       libsemanage: fsync final files before rename
>       libsepol: drop broken warning on duplicate filename transitions
>
> Topi Miettinen (4):
>       setsebool: report errors from commit phase
>       libselinux: mount selinuxfs noexec and nosuid
>       sepolicy-gui: fix columns in transitions view
>       sepolicy: fix some typos and port definitions
>
> William Roberts (34):
>       dso: drop hidden_proto and hidden_def
>       Makefile: add -fno-semantic-interposition
>       Makefile: add linker script to minimize exports
>       libselinux: drop symbols from map
>       libsepol/dso: drop hidden_proto and hidden_def
>       libsepol/Makefile: add -fno-semantic-interposition
>       libsepol: remove wild cards in mapfile
>       cil: drop remaining dso.h include
>       libsemanage: drop hidden
>       libsemanage/Makefile: add -fno-semantic-interposition
>       libsemanage: update linker script
>       libsemanage: cleanup linker map file
>       cil: rm dead dso.h file
>       cil: re-enable DISABLE_SYMVER define
>       libsemanage: fix linker script symbol versions
>       libsemanage: rm semanage_module_upgrade_info from map
>       security_load_booleans: update return comment
>       security_load_booleans: annotate deprecated
>       selinux_booleans_path: annotate deprecated
>       selinux_users_path: annotate deprecated
>       rpm_execcon: annotate deprecated
>       sidget: annotate deprecated
>       sidput: annotate deprecated
>       checkPasswdAccess: annotate deprecated
>       matchpathcon_init: annotate deprecated
>       matchpathcon_fini: annotate deprecated
>       matchpathcon: annotate deprecated
>       avc_init: annotate deprecated
>       avc: create internal avc_init interface
>       matchpathcon: create internal matchpathcon_fini interface
>       selinux_check_passwd_access: annotate deprecated
>       matchpathcon: allow use of deprecated routines
>       utils: matchpathcon add deprecated warning
>       Makefile: swig build allow deprecated functions
>
> bauen1 (1):
>       mcstransd: fix memory leak in new_context_str
>
>
>
> --
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments



