Hello,

A 3.2-rc1 release candidate for the SELinux userspace is now available at:

  https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues. If there are specific changes that you think should be called out in release notes for packagers and users in the final release announcement, let us know.

Thanks to all the contributors to this release candidate!

User-visible changes
--------------------
* libsepol implemented a new, more space-efficient form of storing filename transitions in the binary policy and reduced the size of the binary policy
* libselinux: Use the mmap()'ed kernel status page instead of netlink by default. See the "KERNEL STATUS PAGE" section in avc_init(3) for more details.
  Note: if you need to `umount /sys/fs/selinux`, you need to use a lazy umount - `umount -l /sys/fs/selinux` - as the kernel status page /sys/fs/selinux/status stays mapped by processes like systemd, dbus and sshd.
* Tools using sepolgen, e.g. audit2allow, print extended permissions in hexadecimal
* sepolgen sorts extended rules like normal ones
* New log callback levels for enforcing and policy load notices - SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit format.
* matchpathcon converted to selabel_lookup() - no more "matchpathcon is deprecated" warning
* libsepol and libsemanage dropped old and deprecated symbols and functions
  libsepol version was bumped to libsepol.so.2
  libsemanage version was bumped to libsemanage.so.2
* The release version for the whole project is the same as for the subcomponents, e.g. instead of 20210118 it's 3.2-rc1
* Improved man pages
* Bug fixes

Development-relevant changes
----------------------------
* License the CI scripts with a permissive, OSI-approved license, such as MIT
* Several CI improvements
* Added configuration to build and run tests in GitHub Actions
* CI contains configuration for a Vagrant virtual machine - instructions on how to use it are documented at the beginning of the Vagrantfile.

Packaging-relevant changes
--------------------------
* Both libsepol and libsemanage bumped their soname versions. Especially libsemanage is linked to shadow-utils, and a direct update might cause problems in buildroots. Also SETools needs to be rebuilt against libsepol.so.2

Issues fixed
------------
* https://github.com/SELinuxProject/selinux/issues/245
* https://github.com/SELinuxProject/selinux/issues/270

Shortlog of changes since the 3.1 release
-----------------------------------------
Bernhard M. Wiedemann (1):
      python/sepolicy: allow to override manpage date

Björn Bidar (2):
      libselinux: Add build option to disable X11 backend
      libselinux: LABEL_BACKEND_ANDROID add option to enable

Chris PeBenito (5):
      libselinux: Remove trailing slash on selabel_file lookups.
      libselinux: Add new log callback levels for enforcing and policy load notices.
      libselinux: Fix selabel_lookup() for the root dir.
      libselinux: Add additional log callback details in man page for auditing.
      libselinux: Change userspace AVC setenforce and policy load messages to audit format.

Christian Göttsche (5):
      sepolgen: print extended permissions in hexadecimal
      sepolgen: sort extended rules like normal ones
      libselinux: use full argument specifiers for security_check_context in man page
      libselinux: safely access shared memory in selinux_status_updated()
      libselinux: initialize last_policyload in selinux_status_open()

Dominick Grift (4):
      secilc/docs: document expandtypeattribute
      newrole: support cross-compilation with PAM and audit
      cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
      cil_network_labeling_statements: fixes nodecon examples

Evgeny Vereshchagin (1):
      libsepol/cil: always destroy the lexer state

Hu Keping (3):
      Introduce VERSION file for selinux
      Use X.Y instead of date for release tag
      Simplify the tarball generating scripts

Jakub Hrozek (1):
      libsemanage: Free contents of modkey in semanage_direct_remove

James Carter (10):
      libsepol/cil: Validate constraint expressions before adding to binary policy
      libsepol/cil: Validate conditional expressions before adding to binary policy
      libsepol/cil: Fix neverallow checking involving classmaps
      libsepol/cil: Give error for more than one true or false block
      libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
      libsepol/cil: Get rid of unnecessary check in cil_gen_node()
      libsepol/cil: Remove unused field from struct cil_args_resolve
      libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
      libsepol/cil: Use the macro NODE() whenever possible
      libsepol/cil: Use the macro FLAVOR() whenever possible

Laurent Bigonville (1):
      restorecond: Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file

Mike Palmiotto (1):
      libselinux: use kernel status page by default

Nicolas Iooss (18):
      libselinux: convert matchpathcon to selabel_lookup()
      libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
      libsepol: drop confusing BUG_ON macro
      libsepol: silence potential NULL pointer dereference warning
      libsepol: free memory when realloc() fails
      Add configuration to build and run tests in GitHub Actions
      scripts/ci: add configuration for a Vagrant virtual machine
      GitHub Actions: upgrade to Python 3.9
      GitHub Actions: drop Ruby 2.4 from matrix
      libsepol/cil: remove useless print statement
      libsepol/cil: fix NULL pointer dereference when using an unused alias
      libsepol/cil: do not add a stack variable to a list
      libsepol/cil: propagate failure of cil_fill_list()
      libsepol/cil: constify some strings
      libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
      libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
      libsepol/cil: fix NULL pointer dereference when parsing an improper integer
      libsepol: destroy filename_trans list properly

Ondrej Mosnacek (9):
      libsepol,checkpolicy: optimize storage of filename transitions
      libsepol: implement POLICYDB_VERSION_COMP_FTRANS
      ci: use parallel build
      ci: bump Fedora image version to 33
      selinux(8): mark up SELINUX values
      selinux(8): explain that runtime disable is deprecated
      selinux_config(5): add a note that runtime disable is deprecated
      ci: add new dependencies needed by selinux-testsuite
      travis: run only selinux-testsuite

Petr Lautrbach (9):
      libsepol: Get rid of the old and duplicated symbols
      libsepol: Drop deprecated functions
      libsepol: Bump libsepol.so version
      libsemanage: Remove legacy and duplicate symbols
      libsemanage: Drop deprecated functions
      libsemanage: Bump libsemanage.so version
      Revert "libsemanage/genhomedircon: check usepasswd"
      libselinux: Always close status page fd
      Update VERSIONs and Python bindings version to 3.2-rc1 for release

Stephen Smalley (1):
      libselinux: fix build order

Vit Mojzis (3):
      libsemanage/genhomedircon: check usepasswd
      python/semanage: empty stdout before exiting on BrokenPipeError
      python/semanage: Sort imports in alphabetical order

W. Michael Petullo (1):
      python/audit2allow: add #include <limits.h> to sepolgen-ifgen-attr-helper.c

William Roberts (2):
      scripts/ci: license as MIT
      ci: fix stall on git log -1

bauen1 (2):
      Update the cil docs to match the current behaviour.
      fixfiles: correctly restore context of mountpoints
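As an added illustration (not libselinux's own code) of the kernel status page that is now used by default instead of netlink: the seqlock-style read a consumer of the mmap()'ed page has to perform, which is the pattern behind the "safely access shared memory in selinux_status_updated()" and "initialize last_policyload in selinux_status_open()" fixes above. The field layout is assumed to be the kernel's version-1 /sys/fs/selinux/status page; status_read() and status_updated() are hypothetical stand-ins for the libselinux API described in avc_init(3), and the page contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Version-1 layout of /sys/fs/selinux/status as the kernel exports it (assumed
 * from the kernel definition); libselinux mmap()s this page read-only. */
struct selinux_kernel_status {
    uint32_t version;      /* page format version, 1 */
    uint32_t sequence;     /* seqlock counter: odd while the kernel updates */
    uint32_t enforcing;    /* 1 = enforcing, 0 = permissive */
    uint32_t policyload;   /* incremented on every policy (re)load */
    uint32_t deny_unknown; /* 1 = unknown classes/permissions are denied */
};

/* Consistent read of enforcing/policyload: keep the copy only if `sequence`
 * was even and unchanged across it. Returns 0 on success, -1 on an unknown
 * page version or if no stable read was possible within max_retries tries. */
static int status_read(const volatile struct selinux_kernel_status *st,
                       uint32_t *enforcing, uint32_t *policyload, int max_retries)
{
    if (st->version != 1) return -1;
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        uint32_t seq = st->sequence;
        if (seq & 1) continue;                /* writer in progress: retry */
        *enforcing = st->enforcing;
        *policyload = st->policyload;
        if (st->sequence == seq) return 0;    /* nothing changed underneath us */
    }
    return -1;
}

/* Hypothetical analogue of selinux_status_updated(3): 1 if the policy was
 * reloaded since *last_policyload was recorded, 0 if not, -1 on read error. */
static int status_updated(const volatile struct selinux_kernel_status *st,
                          uint32_t *last_policyload)
{
    uint32_t enforcing, policyload;
    if (status_read(st, &enforcing, &policyload, 100) < 0) return -1;
    if (policyload == *last_policyload) return 0;
    *last_policyload = policyload;
    return 1;
}

int main(void)
{
    struct selinux_kernel_status page = { 1, 4, 1, 7, 0 }; /* constructed sample */
    uint32_t last = 7;                   /* as recorded when the page was opened */
    page.policyload = 8;                 /* simulate a policy reload by the kernel */
    printf("policy reloaded: %d\n", status_updated(&page, &last));
    return 0;
}
```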