Petr Lautrbach <lautrbach@xxxxxxxxxx> writes:

Oops. It's the 3.6 release, not 3.6-rc2.

> Hello!
>
> The 3.6 release for the SELinux userspace is now available at:
>
> https://github.com/SELinuxProject/selinux/wiki/Releases
>
> Thanks to all the contributors, reviewers, testers and reporters!
>
> User-visible changes
> --------------------
>
> * dispol: add option to display users, drop duplicate option to display booleans,
>   show number of entries before listing them
>
> * libsepol: struct cond_expr_t `bool` renamed to `boolean`
>   The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro
>
> * cil: Allow IP address and mask values to be directly written
>
> * cil: Allow paths in filecon rules to be passed as arguments
>
> * Add not self support for neverallow rules
>
> * dispol: Add the ability to show booleans, classes, roles, types and type attributes of policies
>
> * Improve man pages
>
> * libselinux: performance optimization for duplicate detection
>
> * dismod: add options: --actions ACTIONS, --help
>
> * dispol: add options: --actions ACTIONS, --help
>
> * checkpolicy: Add the command line argument -N, --disable-neverallow
>
> * Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system
>
> * man pages: Remove the Russian translations
>
> * Add notself and other support to CIL
>
> * Add support for deny rules
>
> * Translations updated from
>   https://translate.fedoraproject.org/projects/selinux/
>
> * Bug fixes
>
> Development-relevant changes
> ----------------------------
>
> * ci: bump Fedora to version 39
>
> * Drop LGTM.com and Travis CI configuration
>
> Shortlog of the changes since 3.5 release
> -----------------------------------------
> Bruno Victal (1):
>       secilc: Use versioned DocBook public identifier.
>
> Cameron Williams (1):
>       Add CPPFLAGS to Makefiles
>
> Cathy Hu (1):
>       sepolicy/manpage.py: make output deterministic
>
> Christian Göttsche (115):
>       libsepol: Add not self support for neverallow rules
>       checkpolicy: add not-self neverallow support
>       libsepol/tests: add tests for not self neverallow rules
>       libsepol/tests: add tests for minus self neverallow rules
>       libsepol: rename struct member
>       checkpolicy: update cond_expr_t struct member name
>       libsepol/tests: rename bool indentifiers
>       checkpolicy: rename bool identifiers
>       libsepol: rename bool identifiers
>       libsemanage/tests: rename bool identifiers
>       libsemanage: fix memory leak in semanage_user_roles
>       checkpolicy/dispol: add output functions
>       libselinux: set CFLAGS for pip installation
>       checkpolicy: drop unused token CLONE
>       checkpolicy: reject condition with bool and tunable in expression
>       checkpolicy: only set declared permission bits for wildcards
>       libsepol: dump non-mls validatetrans rules as such
>       libsepol: validate some object contexts
>       libsepol: validate old style range trans classes
>       libsepol: validate: check low category is not bigger than high
>       libsepol: validate: reject XEN policy with xperm rules
>       libsepol: expand: skip invalid cat
>       libsepol: drop message for uncommon error cases
>       libsepol: drop duplicate newline in sepol_log_err() calls
>       libsepol: replace sepol_log_err() by ERR()
>       libsepol: replace log_err() by ERR()
>       checkpolicy: add option to skip checking neverallow rules
>       checkpolicy/dismod: misc improvements
>       libsepol: free initial sid names
>       libsepol: check for overflow in put_entry()
>       libsepol/fuzz: more strict fuzzing of binary policies
>       setsebool: improve bash-completion script
>       setsebool: drop unnecessary linking against libsepol
>       semodule_expand: update
>       semodule_link: update
>       semodule_package: update
>       semodule_unpackage: update
>       libselinux/utils: introduce getpolicyload
>       libsepol: validate: use fixed sized integers
>       hashtab: update
>       libsepol: expand: use identical type to avoid implicit conversion
>       libsepol: expand: check for memory allocation failure
>       libsepol: ebitmap: avoid branches for iteration
>       libsemanage/tests: use strict prototypes
>       libsepol: update CIL generation for trivial not-self rules
>       libselinux/utils: update selabel_partial_match
>       libselinux: misc label cleanup
>       libselinux: drop obsolete optimization flag
>       libselinux: drop unnecessary warning overrides
>       setfiles: do not issue AUDIT_FS_RELABEL on dry run
>       libselinux: constify selabel_cmp(3) parameters
>       libselinux: simplify zeroing allocation
>       libselinux/utils: use type safe union assignment
>       libselinux: avoid regex serialization truncations
>       libselinux: parameter simplifications
>       libselinux/utils: use correct type for backend argument
>       libselinux: update string_to_mode()
>       libselinux: fix logic for building android backend
>       libselinux: avoid unused function
>       libselinux: check for stream rewind failures
>       libselinux: simplify internal selabel_validate prototype
>       libselinux/utils: drop include of internal header file
>       libselinux: free elements on read_spec_entries() failure
>       libselinux: set errno on label lookup failure
>       libsepol: reject avtab entries with invalid specifier
>       libsepol: avtab: check read counts for saturation
>       checkpolicy: add round-trip tests
>       libselinux/utils: update getdefaultcon
>       libselinux: cast to unsigned char for character handling function
>       libselinux: introduce reallocarray(3)
>       libsepol: validate default type of transition is not an attribute
>       libsepol: validate constraint depth
>       libsepol: more strict validation
>       libsepol: reject unsupported policy capabilities
>       libsepol: use str_read() where appropriate
>       libsepol: adjust type for saturation check
>       libsepol: enhance saturation check
>       libsepol: validate the identifier for initials SID is valid
>       Drop LGTM.com configuration
>       Drop Travis CI configuration
>       scripts: ignore unavailable interpreters
>       ci: bump Fedora to version 39
>       libselinux: update Python binding
>       Update Python installation on Debian
>       scripts: update run-scan-build
>       semodule_link: avoid NULL dereference on OOM
>       libsepol: set number of target names
>       libselinux: fix memory leak in customizable_init()
>       libsepol: avoid leak in OOM branch
>       libsepol: avoid memory corruption on realloc failure
>       libsepol: update policy capabilities array
>       github: bump action dependencies
>       libsepol: validate common classes have at least one permissions
>       libsepol: include length squared in hashtab_hash_eval()
>       libsepol: use DJB2a string hash function
>       libsepol/cil: use DJB2a string hash function
>       libselinux: use DJB2a string hash function
>       newrole: use DJB2a string hash function
>       libsepol: avoid fixed sized format buffer for xperms
>       libsepol: avoid fixed sized format buffer for xperms
>       libsepol: validate conditional type rules have a simple default type
>       libsepol: use correct type to avoid truncations
>       checkpolicy/dismod: avoid duplicate initialization and fix module linking
>       libsepol: reject invalid class datums
>       libsepol/fuzz: handle empty and non kernel policies
>       libsepol: reject linking modules with no avrules
>       libsepol: simplify string formatting
>       checkpolicy/dispol: misc updates
>       libsepol: constify tokenized input
>       libsepol: avoid integer overflow in add_i_to_a()
>       libsepol: extended permission formatting cleanup
>       libsepol: validate empty common classes in scope indices
>       libselinux: update const qualifier of parameters in man pages
>       libselinux: always set errno on context translation failure
>       libselinux: state setexecfilecon(3) sets errno on failure
>
> Dominick Grift (1):
>       secilc/docs: fixes filecon example
>
> Huaxin Lu (4):
>       libselinux: add check for calloc in check_booleans
>       restorecond: add check for strdup in strings_list_add
>       secilc: add check for malloc in secilc
>       libsepol: add check for category value before printing
>
> Huizhao Wang (1):
>       restorecond: compatible with the use of EUID
>
> James Carter (53):
>       Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
>       Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
>       Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
>       Revert "libsepol: implement new module binary format of avrule"
>       Revert "libsepol: implement new kernel binary format for avtab"
>       Revert "checkpolicy,libsepol: move filename transition rules to avrule"
>       Revert "checkpolicy,libsepol: move filename transitions to avtab"
>       Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
>       libsepol/cil: Fix class permission verification in CIL
>       python: Use isinstance() instead of type()
>       checkpolicy: Remove the Russian translations
>       gui: Remove the Russian translations
>       libselinux: Remove the Russian translations
>       libselinux: Remove the Russian translations
>       libsemanage: Remove the Russian translations
>       libsepol: Remove the Russian translations
>       mcstrans: Remove the Russian translations
>       policycoreutils: Remove the Russian translations
>       python: Remove the Russian translations
>       python: Remove the Russian translations
>       restorecond: Remove the Russian translations
>       sandbox: Remove the Russian translations
>       semodule-utils: Remove the Russian translations
>       Do not automatically install Russian translations
>       libsepol: Changes to ebitmap.h to fix compiler warnings
>       libsepol/cil: Do not call ebitmap_init twice for an ebitmap
>       libsepol/cil: Add notself and other support to CIL
>       libsepol: Use ERR() instead of log_err()
>       secilc/docs: Add notself and other keywords to CIL documentation
>       secilc/test: Add notself and other tests
>       libsepol/cil: Parse and add deny rule to AST, but do not process
>       libsepol/cil: Add cil_list_is_empty macro
>       libsepol/cil: Add cil_tree_node_remove function
>       libsepol/cil: Process deny rules
>       libsepol/cil: Add cil_write_post_ast function
>       libsepol: Export the cil_write_post_ast function
>       secilc/secil2tree: Add option to write CIL AST after post processing
>       secilc/test: Add deny rule tests
>       secilc/docs: Add deny rule to CIL documentation
>       checkpolicy: Remove support for role dominance rules
>       libsepol: Fix the version number for the latest exported function
>       libsepol/tests: Update the order of neverallow test results
>       libsepol/cil: Use struct cil_db * instead of void *
>       libsepol/cil: Refactor and improve handling of order rules
>       libsepol/cil: Allow IP address and mask values to be directly written
>       secilc/docs: Update syntax for IP addresses and nodecon
>       libsepol/cil: Refactor Named Type Transition Filename Creation
>       libsepol/cil: Allow paths in filecon rules to be passed as arguments
>       secilc/docs: Fix and update the documentation for macro parameters
>       libsepol/cil: Add pointers to datums to improve writing out AST
>       libsepol/cil: Give warning for name that has different flavor
>       libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
>       libsepol/cil: Clear AST node after destroying bad filecon rule
>
> Jeffery To (1):
>       python/sepolicy: Fix get_os_version except clause
>
> Juraj Marcin (8):
>       checkpolicy,libsepol: move transition to separate structure in avtab
>       checkpolicy,libsepol: move filename transitions to avtab
>       checkpolicy,libsepol: move filename transition rules to avrule
>       libsepol: implement new kernel binary format for avtab
>       libsepol: implement new module binary format of avrule
>       checkpolicy,libsepol: add prefix/suffix support to kernel policy
>       checkpolicy,libsepol: add prefix/suffix support to module policy
>       libsepol/cil: add support for prefix/suffix filename transtions to CIL
>
> Masatake YAMATO (10):
>       dismod: add --help option
>       dismod: delete an unnecessary empty line
>       dismod: handle EOF in user interaction
>       dismod: add --actions option for non-interactive use
>       dispol: add --help option
>       dispol: delete an unnecessary empty line
>       dispol: handle EOF in user interaction
>       dispol: add --actions option for non-interactive use
>       dismod: print the policy version only in interactive mode
>       dismod, dispol: reduce the messages in batch mode
>
> Ondrej Mosnacek (4):
>       libsemanage: include more parameters in the module checksum
>       scripts/ci: install rdma-core-devel for selinux-testsuite
>       libsepol: stop translating deprecated intial SIDs to strings
>       libsepol: add support for the new "init" initial SID
>
> Petr Lautrbach (9):
>       python: improve format strings for proper localization
>       python: Drop hard formating from localized strings
>       semanage: Drop unnecessary import from seobject
>       python: update python.pot
>       Update translations
>       Update VERSIONs to 3.6-rc1 for release.
>       Update VERSIONs to 3.6-rc2 for release.
>       sepolicy: port to dnf4 python API
>       Update VERSIONs to 3.6 for release.
>
> Sergei Trofimovich (1):
>       libsemanage: fix src/genhomedircon.c build on `gcc-14` (`-Werror=alloc-size`)
>
> Stephen Smalley (2):
>       libselinux,policycoreutils,python,semodule-utils: de-brand SELinux
>       checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email
>
> Topi Miettinen (1):
>       sepolicy: clarify manual page of sepolicy interface
>
> Vit Mojzis (12):
>       python/chcat: Improve man pages
>       python/audit2allow: Add missing options to man page
>       python/semanage: Improve man pages
>       python/audit2allow: Remove unused "debug" option
>       policycoreutils: Add examples to man pages
>       python/sepolicy: Improve man pages
>       sandbox: Add examples to man pages
>       checkpolicy: Add examples to man pages
>       libselinux: Add examples to man pages
>       python/sepolicy: Fix template for confined user policy modules
>       python/sepolicy: Add/remove user even when SELinux is disabled
>       python: Harden more tools against "rogue" modules
>
> wanghuizhao (3):
>       libselinux: migrating hashtab from policycoreutils
>       libselinux: adapting hashtab to libselinux
>       libselinux: performance optimization for duplicate detection