Hello!

The 3.3 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://people.redhat.com/plautrba/plautrba@xxxxxxxxxxxxxx

Thanks to all the contributors, reviewers, testers and reporters!

User-visible changes
--------------------

* A new selinux_restorecon_parallel(3) function that allows running relabeling over multiple threads

* setfiles/restorecon/fixfiles support parallel relabeling via [ -T <N> ] threads option

* A new semodule option [ -m | --checksum ] to get SHA256 hashes of modules

* mcstrans ported to PCRE2

* libsepol/cil supports IPv4/IPv6 address embedding

* Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules are changed externally

* A lot of static code analysis issues, fuzzer issues and compiler warnings fixed

* Translations split into sub-packages and updated from
  https://translate.fedoraproject.org/projects/selinux/

* New policy utilities in libsepol - sepol_check_access, sepol_compute_av, sepol_compute_member, sepol_compute_relabel, sepol_validate_transition

* A new setfiles option [-C] for distinguishing file tree walk errors

* Improved code quality and bug fixes

Development-relevant changes
----------------------------

* ci: run the tests under ASan/UBsan on GHActions

(Long) shortlog of changes since the 3.3 release
------------------------------------------------

Christian Göttsche (115):
      libsepol: do not pass NULL to memcpy
      libsemanage: do not sort empty records
      libsemanage/tests: free memory
      libselinux: use valid address to silence glibc 2.34 warnings
      libsepol: avoid passing NULL pointer to memcpy
      checkpolicy: use correct unsigned format specifiers
      libsepol: use string literals as format strings
      policycoreutils: use string literal as format strings
      Enable extra global compiler warnings
      checkpolicy: ignore possible string truncation
      policycoreutils: mark local functions static
      sandbox: mark local functions static
      python: mark local functions static
      mcstrans: avoid missing prototypes
      libsemanage: mark local functions static
      libsemanage: include paired header for prototypes
      libsemanage: add extern prototype for legacy function
      mcstrans: port to new PCRE2 from end-of-life PCRE
      libselinux: use PCRE2 by default
      Replace PCRE with PCRE2 build dependencies
      libsepol/cil: support IPv4/IPv6 address embedding
      checkpolicy: warn on bogus IP address or netmask in nodecon statement
      cifuzz: enable report-unreproducible-crashes
      cifuzz: use the default runtime of 600 seconds
      libsepol/fuzz: silence secilc-fuzzer
      libsepol: add libfuzz based fuzzer for reading binary policies
      libsepol/fuzz: limit element sizes for fuzzing
      libsepol: use logging framework in conditional.c
      libsepol: use logging framework in ebitmap.c
      libsepol: use mallocarray wrapper to avoid overflows
      libsepol: use reallocarray wrapper to avoid overflows
      libsepol: add checks for read sizes
      libsepol: enforce avtab item limit
      libsepol: clean memory on conditional insertion failure
      libsepol: reject abnormal huge sid ids
      libsepol: reject invalid filetrans source type
      libsepol: zero member before potential dereference
      libsepol: use size_t for indexes in strs helpers
      libsepol: do not underflow on short format arguments
      libsepol: do not crash on class gaps
      libsepol: do not crash on user gaps
      libsepol: use correct size for initial string list
      libsepol: do not create a string list with initial size zero
      libsepol: split validation of datum array gaps and entries
      libsepol: validate MLS levels
      libsepol: validate expanded user range and level
      libsepol: validate permission count of classes
      libsepol: resolve log message mismatch
      libsepol: validate avtab and avrule types
      libsepol: validate constraint expression operators and attributes
      libsepol: validate type of avtab type rules
      libsepol: validate ocontexts
      libsepol: validate genfs contexts
      libsepol: validate permissive types
      libsepol: validate policy properties
      libsepol: validate categories
      libsepol: validate fsuse types
      libsepol: validate class default targets
      libsepol/cil: bail out on snprintf failure
      libsepol: check for valid sensitivity before lookup
      libsepol: check for saturated class name length
      libsepol: return failure on saturated class name length
      libsepol: drop trailing newlines in log messages
      libsepol: handle type gaps
      libsepol: invert only valid range of role bitmap
      policycoreutils: handle argument counter of zero
      libsepol: do not add gaps to string list
      libsepol: use correct error type to please UBSAN
      libsepol: more strict constraint validation
      libsepol: validate several flags
      checkpolicy: allow wildcard permissions in constraints
      python/sepolgen: accept square brackets in FILENAME token
      libsepol: NULL pointer offset fix
      newrole: add Makefile target to test build options
      newrole: silence compiler warnings
      newrole: check for crypt(3) failure
      newrole: ensure password memory erasure
      libsepol: reject xperm av rules in conditional statements
      libsepol: validate boolean datum arrays
      libsepol/cil: silence GCC 12 array-bounds false positive
      libsepol: add missing oom checks
      libsepol: mark immutable mls and context parameter const
      libsepol: mark immutable common helper parameter const
      libsepol/cil: declare file local functions static
      libsepol/cil: drop unused function cil_tree_error
      libsepol/cil: post process pirqcon rules
      libsepol: add sepol_av_perm_to_string
      libsepol: introduce sepol_const_security_context_t typedef
      libsepol: export functions for policy analysis
      libsepol: add policy utilities
      libselinux/utils: check for valid contexts to improve error causes
      policycoreutils: drop usage of egrep in fixfiles
      libsepol/cil: declare file local function pointer static
      libsepol: check correct pointer for oom
      libsepol: drop unnecessary const discarding casts
      libselinux: limit has buffer size
      libsemanage: avoid double fclose
      Correct misc typos
      libsepol/tests: adjust IPv6 netmasks
      libsepol/cil: comment out unused function __cil_verify_rule
      libsemanage: ignore missing prototypes in swig generated code
      Enable missing prototypes
      libselinux: correct parameter type in selabel_open(3)
      libselinux: free memory on selabel_open(3) failure
      libselinux: correctly hash specfiles larger than 4G
      checkpolicy: mention class name on invalid permission
      libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon
      libselinux: restorecon: misc tweaks
      libselinux: restorecon: forward error if not ENOENT
      libselinux: restorecon: pin file to avoid TOCTOU issues
      libselinux: free memory in error branch
      libselinux: preserve errno in selinux_log()
      libselinux/utils: print errno on failure
      libselinux: update man page of setfilecon(3) family about context parameter
      ci: declare git repository a safe directory

Cutright Jacob (1):
      Modified Russian and English man pages to fix typo; REQUIREUSERS -> REQUIRESEUSERS

Evgeny Vereshchagin (1):
      ci: run the tests under ASan/UBsan on GHActions

James Carter (43):
      libsepol: Add support for file types in writing out policy.conf
      libsepol/cil: Refactor filecon file type handling
      libsepol/cil: Allow optional file type in genfscon rules
      secilc/docs: Document the optional file type for genfscon rules
      libsepol: Write out genfscon file type when writing out CIL policy
      libsepol/cil: Do not copy blockabstracts when inheriting a block
      libsepol/cil: Mark as abstract all sub-blocks of an abstract block
      libsepol/cil: Do not resolve names to declarations in abstract blocks
      libsepol/cil: Ensure that the class in a classcommon is a kernel class
      libsepol: Return an error if check_assertion() returns an error.
      libsepol: Change label in check_assertion_avtab_match()
      libsepol: Remove uneeded error messages in assertion checking
      libsepol: Check for error from check_assertion_extended_permissions()
      libsepol: Use consistent return checking style
      libsepol: Move check of target types to before check for self
      libsepol: Create function check_assertion_self_match() and use it
      libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
      libsepol: Remove unnessesary check for matching class
      libsepol: Move assigning outer loop index out of inner loop
      libsepol: Make use of previously created ebitmap when checking self
      libsepol: Refactor match_any_class_permissions() to be clearer
      libsepol: Make return value clearer when reporting neverallowx errors
      libsepol: The src and tgt must be the same if neverallow uses self
      libsepol: Set args avtab pointer when reporting assertion violations
      libsepol: Fix two problems with neverallowxperm reporting
      libsepol/cil: Add cil_get_log_level() function
      libsepol/cil: Provide more control over reporting bounds failures
      libsepol/cil: Limit the neverallow violations reported
      libsepol/cil: Limit the amount of reporting for context rule conflicts
      libsepol: Do a more thorough validation of constraints
      libsepol/cil: Don't add constraint if there are no permissions
      libsepol: Don't write out constraint if it has no permissions
      libsepol/cil: Write a message when a log message is truncated
      libsepol: Use calloc when initializing bool_val_to_struct array
      libsepol: Validate conditional expressions
      Add a file describing the security vulnerability handling process
      libsepol: Replace calls to mallocarray() with calls to calloc()
      setfiles.8: -q is deprecated and has no effect
      libsepol/tests Include policydb.h header for policydb_t declaration
      libsepol/tests: Include paired headers for prototypes
      libsepol/tests: Declare file local functions as static
      libsemanage/tests: Declare file local functions as static
      libsemanage/tests: Remove unused functions

Laszlo Ersek (5):
      setfiles: fix up inconsistent indentation
      setfiles: remove useless assignment and comment (after RHBZ#1926386)
      setfiles: remove useless "iamrestorecon" checks in option parsing
      selinux_restorecon: introduce SELINUX_RESTORECON_COUNT_ERRORS
      setfiles: introduce the -C option for distinguishing file tree walk errors

Markus Linnala (1):
      Use IANA-managed domain example.com in examples

Ondrej Mosnacek (16):
      label_file: fix a data race
      selinux_restorecon: simplify fl_head allocation by using calloc()
      selinux_restorecon: protect file_spec list with a mutex
      libselinux: make selinux_log() thread-safe
      libselinux: make is_context_customizable() thread-safe
      selinux_restorecon: add a global mutex to synchronize progress output
      selinux_restorecon: introduce selinux_restorecon_parallel(3)
      setfiles/restorecon: support parallel relabeling
      libsemanage: add missing include to boolean_record.c
      semodule,libsemanage: move module hashing into libsemanage
      libsemanage: move compressed file handling into a separate object
      libsemanage: clean up semanage_direct_commit() a bit
      libsemanage: optionally rebuild policy when modules are changed externally
      semodule: add command-line option to detect module changes
      libsepol/cil: add support for self keyword in type transitions
      libsepol,checkpolicy: add support for self keyword in type transitions

Petr Lautrbach (18):
      semodule: add -m | --checksum option
      semodule: Fix lang_ext column index
      semodule: Don't forget to munmap() data
      libselinux: Fix selinux_restorecon_parallel symbol version
      semanage-fcontext.8: Drop extra )s after FILE_SPEC
      policycoreutils/fixfiles: Use parallel relabeling
      libselinux: Close leaked FILEs
      libsemanage: Fall back to semanage_copy_dir when rename() fails
      Split po/ translation files into the relevant sub-directories
      Update translations from translate.fedoraproject.org
      libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info()
      semodule_package: Close leaking fd
      mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects
      Update VERSIONs to 3.4-rc1 for release.
      Update VERSIONs to 3.4-rc2 for release.
      Update missing sandbox translations
      Update VERSIONs to 3.4-rc3 for release.
      Update VERSIONs to 3.4 for release.

Richard Haines (2):
      libsepol: Add 'ioctl_skip_cloexec' policy capability
      libsepol: Shorten the policy capability enum names

Thiébaud Weksteen (2):
      libsepol: Populate and use policy name
      libsepol: fix reallocarray imports

Topi Miettinen (1):
      secilc: kernel policy language is infix

Vit Mojzis (4):
      policycoreutils: Improve error message when selabel_open fails
      libselinux: Strip spaces before values in config
      libsemanage: allow spaces in user/group names
      gettext: set _ on module level instead of builtins namespace