Re: ANN: SELinux userspace 3.6

Cathy Hu <cahu@xxxxxxx> writes:

> Hi,
>
> thanks for the new userspace release. I was just packaging it for
> openSUSE when I saw that the signing key changed.
>
> Could someone confirm if that is correct? I am just a bit unsure since
> the new key has no signatures from people that I frequently see on this
> mailing list.
>
> New key (almost no signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index
>
> Old key (lots of signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index
>

Thanks for checking signatures!

This is correct.

It's signed by me - Petr Lautrbach <lautrbach@xxxxxxxxxx>, known as
bachradsusi on GitHub, and the public key can be found at

https://github.com/bachradsusi.gpg

This key is signed by
E853C1848B0185CF42864DF363A8AD4B982C4373 Petr Lautrbach
<plautrba@xxxxxxxxxx> which is signed by other guys.


The key used for signing release tarballs is the same key as I used for
signing the release commit:

# git show --show-signature -s 3.6
tag 3.6
Tagger: Petr Lautrbach <lautrbach@xxxxxxxxxx>
Date:   Wed Dec 13 15:47:30 2023 +0100

Release 3.6

commit 97fa708d867ecb26e8d1c766760947f8e3b9e59a (HEAD -> main, tag: semodule-utils-3.6, tag: selinux-sandbox-3.6, tag: selinux-python-3.6, tag: selinux-gui-3.6, tag: selinux-dbus-3.6, tag: secilc-3.6, tag: restorecond-3.6, tag: policycoreutils-3.6, tag: mcstrans-3.6, tag: libsepol-3.6, tag: libsemanage-3.6, tag: libselinux-3.6, tag: checkpolicy-3.6, tag: 3.6, origin/main, origin/HEAD)
gpg: Signature made Wed Dec 13 14:46:22 2023 UTC
gpg:                using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@xxxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D  992C BC39 05F2 3517 9CF1
     Subkey fingerprint: 1BE2 C0FF 0894 9623 102F  D256 4695 881C 2545 08D1
Author: Petr Lautrbach <lautrbach@xxxxxxxxxx>
Date:   Wed Dec 13 15:46:22 2023 +0100

    Update VERSIONs to 3.6 for release.
    
    Signed-off-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>


# gpg2 --fingerprint --verify checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
gpg: Signature made Wed Dec 13 14:47:30 2023 UTC
gpg:                using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@xxxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D  992C BC39 05F2 3517 9CF1
     Subkey fingerprint: 1BE2 C0FF 0894 9623 102F  D256 4695 881C 2545 08D1



>
>
> On Wed, 2023-12-13 at 17:09 +0100, Petr Lautrbach wrote:
>> Petr Lautrbach <lautrbach@xxxxxxxxxx> writes:
>> 
>> Oops.
>> 
>> It's the 3.6 release, not 3.6-rc2
>> 
>> 
>> 
>> > Hello!
>> > 
>> > The 3.6 release for the SELinux userspace is now available at:
>> > 
>> > https://github.com/SELinuxProject/selinux/wiki/Releases
>> > 
>> > Thanks to all the contributors, reviewers, testers and reporters!
>> > 
>> > User-visible changes
>> > --------------------
>> > 
>> > * dispol: add option to display users, drop duplicate option to
>> >   display booleans, show number of entries before listing them
>> > 
>> > * libsepol: struct cond_expr_t `bool` renamed to `boolean`
>> >   The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro
>> > 
>> > * cil: Allow IP address and mask values to be directly written
>> > 
>> > * cil: Allow paths in filecon rules to be passed as arguments
>> > 
>> > * Add not self support for neverallow rules
>> > 
>> > * dispol: Add the ability to show booleans, classes, roles, types
>> >   and type attributes of policies
>> > 
>> > * Improve man pages
>> > 
>> > * libselinux: performance optimization for duplicate detection
>> > 
>> > * dismod: add options: --actions ACTIONS, --help
>> > 
>> > * dispol: add options: --actions ACTIONS, --help
>> > 
>> > * checkpolicy: Add the command line argument -N, --disable-neverallow
>> > 
>> > * Introduce getpolicyload - a helper binary to print the number of
>> >   policy reloads on the running system
>> > 
>> > * man pages: Remove the Russian translations
>> > 
>> > * Add notself and other support to CIL
>> > 
>> > * Add support for deny rules
>> > 
>> > * Translations updated from
>> >   https://translate.fedoraproject.org/projects/selinux/
>> > 
>> > * Bug fixes
>> > 
>> > Development-relevant changes
>> > ----------------------------
>> > 
>> > * ci: bump Fedora to version 39
>> > 
>> > * Drop LGTM.com and Travis CI configuration
>> > 
>> > Shortlog of the changes since 3.5 release
>> > -----------------------------------------
>> > Bruno Victal (1):
>> >       secilc: Use versioned DocBook public identifier.
>> > 
>> > Cameron Williams (1):
>> >       Add CPPFLAGS to Makefiles
>> > 
>> > Cathy Hu (1):
>> >       sepolicy/manpage.py: make output deterministic
>> > 
>> > Christian Göttsche (115):
>> >       libsepol: Add not self support for neverallow rules
>> >       checkpolicy: add not-self neverallow support
>> >       libsepol/tests: add tests for not self neverallow rules
>> >       libsepol/tests: add tests for minus self neverallow rules
>> >       libsepol: rename struct member
>> >       checkpolicy: update cond_expr_t struct member name
>> >       libsepol/tests: rename bool indentifiers
>> >       checkpolicy: rename bool identifiers
>> >       libsepol: rename bool identifiers
>> >       libsemanage/tests: rename bool identifiers
>> >       libsemanage: fix memory leak in semanage_user_roles
>> >       checkpolicy/dispol: add output functions
>> >       libselinux: set CFLAGS for pip installation
>> >       checkpolicy: drop unused token CLONE
>> >       checkpolicy: reject condition with bool and tunable in expression
>> >       checkpolicy: only set declared permission bits for wildcards
>> >       libsepol: dump non-mls validatetrans rules as such
>> >       libsepol: validate some object contexts
>> >       libsepol: validate old style range trans classes
>> >       libsepol: validate: check low category is not bigger than high
>> >       libsepol: validate: reject XEN policy with xperm rules
>> >       libsepol: expand: skip invalid cat
>> >       libsepol: drop message for uncommon error cases
>> >       libsepol: drop duplicate newline in sepol_log_err() calls
>> >       libsepol: replace sepol_log_err() by ERR()
>> >       libsepol: replace log_err() by ERR()
>> >       checkpolicy: add option to skip checking neverallow rules
>> >       checkpolicy/dismod: misc improvements
>> >       libsepol: free initial sid names
>> >       libsepol: check for overflow in put_entry()
>> >       libsepol/fuzz: more strict fuzzing of binary policies
>> >       setsebool: improve bash-completion script
>> >       setsebool: drop unnecessary linking against libsepol
>> >       semodule_expand: update
>> >       semodule_link: update
>> >       semodule_package: update
>> >       semodule_unpackage: update
>> >       libselinux/utils: introduce getpolicyload
>> >       libsepol: validate: use fixed sized integers
>> >       hashtab: update
>> >       libsepol: expand: use identical type to avoid implicit conversion
>> >       libsepol: expand: check for memory allocation failure
>> >       libsepol: ebitmap: avoid branches for iteration
>> >       libsemanage/tests: use strict prototypes
>> >       libsepol: update CIL generation for trivial not-self rules
>> >       libselinux/utils: update selabel_partial_match
>> >       libselinux: misc label cleanup
>> >       libselinux: drop obsolete optimization flag
>> >       libselinux: drop unnecessary warning overrides
>> >       setfiles: do not issue AUDIT_FS_RELABEL on dry run
>> >       libselinux: constify selabel_cmp(3) parameters
>> >       libselinux: simplify zeroing allocation
>> >       libselinux/utils: use type safe union assignment
>> >       libselinux: avoid regex serialization truncations
>> >       libselinux: parameter simplifications
>> >       libselinux/utils: use correct type for backend argument
>> >       libselinux: update string_to_mode()
>> >       libselinux: fix logic for building android backend
>> >       libselinux: avoid unused function
>> >       libselinux: check for stream rewind failures
>> >       libselinux: simplify internal selabel_validate prototype
>> >       libselinux/utils: drop include of internal header file
>> >       libselinux: free elements on read_spec_entries() failure
>> >       libselinux: set errno on label lookup failure
>> >       libsepol: reject avtab entries with invalid specifier
>> >       libsepol: avtab: check read counts for saturation
>> >       checkpolicy: add round-trip tests
>> >       libselinux/utils: update getdefaultcon
>> >       libselinux: cast to unsigned char for character handling function
>> >       libselinux: introduce reallocarray(3)
>> >       libsepol: validate default type of transition is not an attribute
>> >       libsepol: validate constraint depth
>> >       libsepol: more strict validation
>> >       libsepol: reject unsupported policy capabilities
>> >       libsepol: use str_read() where appropriate
>> >       libsepol: adjust type for saturation check
>> >       libsepol: enhance saturation check
>> >       libsepol: validate the identifier for initials SID is valid
>> >       Drop LGTM.com configuration
>> >       Drop Travis CI configuration
>> >       scripts: ignore unavailable interpreters
>> >       ci: bump Fedora to version 39
>> >       libselinux: update Python binding
>> >       Update Python installation on Debian
>> >       scripts: update run-scan-build
>> >       semodule_link: avoid NULL dereference on OOM
>> >       libsepol: set number of target names
>> >       libselinux: fix memory leak in customizable_init()
>> >       libsepol: avoid leak in OOM branch
>> >       libsepol: avoid memory corruption on realloc failure
>> >       libsepol: update policy capabilities array
>> >       github: bump action dependencies
>> >       libsepol: validate common classes have at least one permissions
>> >       libsepol: include length squared in hashtab_hash_eval()
>> >       libsepol: use DJB2a string hash function
>> >       libsepol/cil: use DJB2a string hash function
>> >       libselinux: use DJB2a string hash function
>> >       newrole: use DJB2a string hash function
>> >       libsepol: avoid fixed sized format buffer for xperms
>> >       libsepol: avoid fixed sized format buffer for xperms
>> >       libsepol: validate conditional type rules have a simple default type
>> >       libsepol: use correct type to avoid truncations
>> >       checkpolicy/dismod: avoid duplicate initialization and fix module linking
>> >       libsepol: reject invalid class datums
>> >       libsepol/fuzz: handle empty and non kernel policies
>> >       libsepol: reject linking modules with no avrules
>> >       libsepol: simplify string formatting
>> >       checkpolicy/dispol: misc updates
>> >       libsepol: constify tokenized input
>> >       libsepol: avoid integer overflow in add_i_to_a()
>> >       libsepol: extended permission formatting cleanup
>> >       libsepol: validate empty common classes in scope indices
>> >       libselinux: update const qualifier of parameters in man pages
>> >       libselinux: always set errno on context translation failure
>> >       libselinux: state setexecfilecon(3) sets errno on failure
>> > 
>> > Dominick Grift (1):
>> >       secilc/docs: fixes filecon example
>> > 
>> > Huaxin Lu (4):
>> >       libselinux: add check for calloc in check_booleans
>> >       restorecond: add check for strdup in strings_list_add
>> >       secilc: add check for malloc in secilc
>> >       libsepol: add check for category value before printing
>> > 
>> > Huizhao Wang (1):
>> >       restorecond: compatible with the use of EUID
>> > 
>> > James Carter (53):
>> >       Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
>> >       Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
>> >       Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
>> >       Revert "libsepol: implement new module binary format of avrule"
>> >       Revert "libsepol: implement new kernel binary format for avtab"
>> >       Revert "checkpolicy,libsepol: move filename transition rules to avrule"
>> >       Revert "checkpolicy,libsepol: move filename transitions to avtab"
>> >       Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
>> >       libsepol/cil: Fix class permission verification in CIL
>> >       python: Use isinstance() instead of type()
>> >       checkpolicy: Remove the Russian translations
>> >       gui: Remove the Russian translations
>> >       libselinux: Remove the Russian translations
>> >       libselinux: Remove the Russian translations
>> >       libsemanage: Remove the Russian translations
>> >       libsepol: Remove the Russian translations
>> >       mcstrans: Remove the Russian translations
>> >       policycoreutils: Remove the Russian translations
>> >       python: Remove the Russian translations
>> >       python: Remove the Russian translations
>> >       restorecond: Remove the Russian translations
>> >       sandbox: Remove the Russian translations
>> >       semodule-utils: Remove the Russian translations
>> >       Do not automatically install Russian translations
>> >       libsepol: Changes to ebitmap.h to fix compiler warnings
>> >       libsepol/cil: Do not call ebitmap_init twice for an ebitmap
>> >       libsepol/cil: Add notself and other support to CIL
>> >       libsepol: Use ERR() instead of log_err()
>> >       secilc/docs: Add notself and other keywords to CIL documentation
>> >       secilc/test: Add notself and other tests
>> >       libsepol/cil: Parse and add deny rule to AST, but do not process
>> >       libsepol/cil: Add cil_list_is_empty macro
>> >       libsepol/cil: Add cil_tree_node_remove function
>> >       libsepol/cil: Process deny rules
>> >       libsepol/cil: Add cil_write_post_ast function
>> >       libsepol: Export the cil_write_post_ast function
>> >       secilc/secil2tree: Add option to write CIL AST after post processing
>> >       secilc/test: Add deny rule tests
>> >       secilc/docs: Add deny rule to CIL documentation
>> >       checkpolicy: Remove support for role dominance rules
>> >       libsepol: Fix the version number for the latest exported function
>> >       libsepol/tests: Update the order of neverallow test results
>> >       libsepol/cil: Use struct cil_db * instead of void *
>> >       libsepol/cil: Refactor and improve handling of order rules
>> >       libsepol/cil: Allow IP address and mask values to be directly written
>> >       secilc/docs: Update syntax for IP addresses and nodecon
>> >       libsepol/cil: Refactor Named Type Transition Filename Creation
>> >       libsepol/cil: Allow paths in filecon rules to be passed as arguments
>> >       secilc/docs: Fix and update the documentation for macro parameters
>> >       libsepol/cil: Add pointers to datums to improve writing out AST
>> >       libsepol/cil: Give warning for name that has different flavor
>> >       libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
>> >       libsepol/cil: Clear AST node after destroying bad filecon rule
>> > 
>> > Jeffery To (1):
>> >       python/sepolicy: Fix get_os_version except clause
>> > 
>> > Juraj Marcin (8):
>> >       checkpolicy,libsepol: move transition to separate structure in avtab
>> >       checkpolicy,libsepol: move filename transitions to avtab
>> >       checkpolicy,libsepol: move filename transition rules to avrule
>> >       libsepol: implement new kernel binary format for avtab
>> >       libsepol: implement new module binary format of avrule
>> >       checkpolicy,libsepol: add prefix/suffix support to kernel policy
>> >       checkpolicy,libsepol: add prefix/suffix support to module policy
>> >       libsepol/cil: add support for prefix/suffix filename transtions to CIL
>> > 
>> > Masatake YAMATO (10):
>> >       dismod: add --help option
>> >       dismod: delete an unnecessary empty line
>> >       dismod: handle EOF in user interaction
>> >       dismod: add --actions option for non-interactive use
>> >       dispol: add --help option
>> >       dispol: delete an unnecessary empty line
>> >       dispol: handle EOF in user interaction
>> >       dispol: add --actions option for non-interactive use
>> >       dismod: print the policy version only in interactive mode
>> >       dismod, dispol: reduce the messages in batch mode
>> > 
>> > Ondrej Mosnacek (4):
>> >       libsemanage: include more parameters in the module checksum
>> >       scripts/ci: install rdma-core-devel for selinux-testsuite
>> >       libsepol: stop translating deprecated intial SIDs to strings
>> >       libsepol: add support for the new "init" initial SID
>> > 
>> > Petr Lautrbach (9):
>> >       python: improve format strings for proper localization
>> >       python: Drop hard formating from localized strings
>> >       semanage: Drop unnecessary import from seobject
>> >       python: update python.pot
>> >       Update translations
>> >       Update VERSIONs to 3.6-rc1 for release.
>> >       Update VERSIONs to 3.6-rc2 for release.
>> >       sepolicy: port to dnf4 python API
>> >       Update VERSIONs to 3.6 for release.
>> > 
>> > Sergei Trofimovich (1):
>> >       libsemanage: fix src/genhomedircon.c build on `gcc-14` (`-Werror=alloc-size`)
>> > 
>> > Stephen Smalley (2):
>> >       libselinux,policycoreutils,python,semodule-utils: de-brand SELinux
>> >       checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email
>> > 
>> > Topi Miettinen (1):
>> >       sepolicy: clarify manual page of sepolicy interface
>> > 
>> > Vit Mojzis (12):
>> >       python/chcat: Improve man pages
>> >       python/audit2allow: Add missing options to man page
>> >       python/semanage: Improve man pages
>> >       python/audit2allow: Remove unused "debug" option
>> >       policycoreutils: Add examples to man pages
>> >       python/sepolicy: Improve man pages
>> >       sandbox: Add examples to man pages
>> >       checkpolicy: Add examples to man pages
>> >       libselinux: Add examples to man pages
>> >       python/sepolicy: Fix template for confined user policy modules
>> >       python/sepolicy: Add/remove user even when SELinux is disabled
>> >       python: Harden more tools against "rogue" modules
>> > 
>> > wanghuizhao (3):
>> >       libselinux: migrating hashtab from policycoreutils
>> >       libselinux: adapting hashtab to libselinux
>> >       libselinux: performance optimization for duplicate detection
>> 
>> 
>
> -- 
> Cathy Hu <cahu@xxxxxxx>
> SELinux Security Engineer
> GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
>
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146
> 90461 Nürnberg
>
> Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
> (HRB 36809, AG Nürnberg)
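
A packager-side check for the key change discussed in this thread, as an added example that is not part of the original messages or of the SELinux project's tooling: it pins the primary and subkey fingerprints quoted above and accepts a release only when gpg's `VALIDSIG` status line carries exactly those values. The function names `check_status` and `verify_release` and the sample status text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: the fingerprints below are the ones quoted in this thread.
PINNED_PRIMARY=B8682847764DF60DF52D992CBC3905F235179CF1
PINNED_SUBKEY=1BE2C0FF08949623102FD2564695881C254508D1

# check_status STATUS_TEXT
# STATUS_TEXT is what `gpg --status-fd` printed. Succeeds only when there is
# exactly one VALIDSIG line, its signing-key fingerprint (field 3) and
# primary-key fingerprint (last field) both equal the pinned values, and gpg
# reported no bad, unverifiable, expired or revoked signature status.
check_status() {
    printf '%s\n' "$1" | awk -v sub_fpr="$PINNED_SUBKEY" -v pri_fpr="$PINNED_PRIMARY" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            seen++
            if (NF >= 12 && $3 == sub_fpr && $NF == pri_fpr) pinned++
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { rejected = 1 }
        END { exit !(seen == 1 && pinned == 1 && !rejected) }
    '
}

# verify_release SIGNATURE TARBALL
# Runs gpg2 (as in the thread) with machine-readable status on stdout and
# applies the pin. Assumes the release key is already in the local keyring.
verify_release() {
    status=$(gpg2 --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_status "$status"
}

# Constructed status output (not captured from a real run): a good signature
# made by the pinned subkey.
SAMPLE_NEW_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4695881C254508D1 Petr Lautrbach <lautrbach@xxxxxxxxxx>
[GNUPG:] VALIDSIG 1BE2C0FF08949623102FD2564695881C254508D1 2023-12-13 1702478850 0 4 0 1 10 00 B8682847764DF60DF52D992CBC3905F235179CF1'

# Constructed: a cryptographically good signature, but made by the old key
# from the thread, so the pin must reject it.
SAMPLE_OLD_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 63A8AD4B982C4373 Petr Lautrbach <plautrba@xxxxxxxxxx>
[GNUPG:] VALIDSIG E853C1848B0185CF42864DF363A8AD4B982C4373 2023-12-13 1702478850 0 4 0 1 10 00 E853C1848B0185CF42864DF363A8AD4B982C4373'

# When run with two arguments, e.g.
#   ./pin-check.sh checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature made by the pinned key"
    else
        echo "REJECTED: not signed by the pinned key" >&2
        exit 1
    fi
fi
```

Comparing full fingerprints from the status output avoids relying on the user ID string or on the `[unknown]` trust level shown in the human-readable output.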





