ANN: SELinux userspace 3.7

Hello!

The 3.7 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

I signed all tarballs using my GPG key; see the .asc files.
You can download the public key from
https://github.com/bachradsusi.gpg

Thanks to all the contributors, reviewers, testers and reporters!

User-visible changes
--------------------
* `audit2allow -C` for CIL output mode

* sepolgen: adjust parse for refpolicy

* semanage: Allow modifying records on "add"

* semanage: Do not sort local fcontext definitions

* Improved man pages

* checkpolicy: support CIDR notation for nodecon statements

* sandbox: Add support for Wayland

* Code improvements and bug fixes


Shortlog of the changes since 3.7 release
-----------------------------------------
Christian Göttsche (84):
      libselinux/man: mention errno for regex compilation failure
      libselinux/man: sync selinux_check_securetty_context(3)
      libselinux/utils: free allocated resources
      libselinux/utils: improve compute_av output
      libselinux: align SELABEL_OPT_DIGEST usage with man page
      libselinux: fail selabel_open(3) on invalid option
      libselinux: use logging wrapper in getseuser(3) and get_default_context(3) family
      libselinux: support huge passwd/group entries
      libsemanage: support huge passwd entries
      libselinux: enable usage with pedantic UB sanitizers
      setfiles: avoid unsigned integer underflow
      libsepol: reorder calloc(3) arguments
      libselinux: reorder calloc(3) arguments
      sandbox: do not override warning CFLAGS
      mcstrans: check memory allocations
      libselinux: use reentrant strtok_r(3)
      checkpolicy: add libfuzz based fuzzer
      checkpolicy: cleanup resources on parse error
      checkpolicy: cleanup identifiers on error
      checkpolicy: free ebitmap on error
      checkpolicy: check allocation and free memory on error at type definition
      checkpolicy: clean expression on error
      checkpolicy: call YYABORT on parse errors
      checkpolicy: bail out on invalid role
      libsepol: use typedef
      checkpolicy: provide more descriptive error messages
      checkpolicy: free temporary bounds type
      checkpolicy: avoid assigning garbage values
      checkpolicy: misc policy_define.c cleanup
      libsepol: ensure transitivity in compare functions
      libsepol/cil: ensure transitivity in compare functions
      mcstrans: ensure transitivity in compare functions
      sepolgen: adjust parse for refpolicy
      checkpolicy/fuzz: drop redundant notdefined check
      checkpolicy: clone level only once
      checkpolicy: return YYerror on invalid character
      libsepol: reject MLS support in pre-MLS policies
      checkpolicy/fuzz: scan Xen policies
      libselinux/utils/selabel_digest: drop unsupported option -d
      libselinux/utils/selabel_digest: cleanup
      libselinux/utils/selabel_digest: avoid buffer overflow
      libselinux: free data on selabel open failure
      libselinux/utils/selabel_digest: pass BASEONLY only for file backend
      libselinux: avoid logs in get_ordered_context_list() without policy
      checkpolicy: use YYerror only when available
      checkpolicy: handle unprintable token
      checkpolicy: free identifiers on invalid typebounds
      checkpolicy: update error diagnostic
      checkpolicy: include <ctype.h> for isprint(3)
      checkpolicy/fuzz: override YY_FATAL_ERROR
      libsepol: validate access vector permissions
      checkpolicy: drop never read member
      checkpolicy: drop union stack_item_u
      checkpolicy: free complete role_allow_rule on error
      libsepol: constify function pointer arrays
      libsepol: improve policy lookup failure message
      checkpolicy/tests: add test for splitting xperm rule
      checkpolicy: declare file local variable static
      checkpolicy: drop global policyvers variable
      github: bump Python and Ruby versions
      libsepol: validate class permissions
      libselinux/man: correct file extension of man pages
      libselinux/man: sync const qualifiers
      libselinux/man: use void in synopses
      libselinux/man: add format attribute for set_matchpathcon_printf(3)
      libselinux: constify selinux_set_mapping(3) parameter
      libsepol: reject self flag in type rules in old policies
      libsepol: only exempt gaps checking for kernel policies
      libsepol: validate type-attribute-map for old policies
      libsepol: include prefix for module policy versions
      checkpolicy: perform contiguous check in host byte order
      checkpolicy: support CIDR notation for nodecon statements
      libselinux: free empty scandir(3) result
      libselinux: avoid pointer dereference before check
      mcstrans: free constraint in error branch
      libsepol: hashtab: save one comparison on hit
      libsepol: move unchanged data out of loop
      libsepol: rework permission enabled check
      checkpolicy: reject duplicate nodecon statements
      libsepol: validate attribute-type maps
      tree-wide: fix misc typos
      libsepol: contify function pointer arrays
      libselinux: constify avc_open(3) parameter
      libsepol: check scope permissions refer to valid class

Fabrice Fontaine (1):
      libsepol/src/Makefile: fix reallocarray detection

James Carter (8):
      libselinux: Fix ordering of arguments to calloc
      libsepol: Use a dynamic buffer in sepol_av_to_string()
      checkpolicy, libsepol: Fix potential double free of mls_level_t
      checkpolicy/fuzz: Update check_level() to use notdefined field
      libsepol: Fix buffer overflow when using sepol_av_to_string()
      libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
      libsepol/cil: Check common perms when verifiying "all"
      libsepol: Do not reject all type rules in conditionals when validating

Petr Lautrbach (9):
      Update VERSIONs to 3.7-rc1 for release.
      sandbox: do not fail without xmodmap
      sandbox: do not run window manager if it's not a session
      seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ] options
      sandbox: Add support for Wayland
      Update VERSIONs to 3.7-rc2 for release.
      fixfiles: drop unnecessary \ line endings
      Update VERSIONs to 3.7-rc3 for release.
      Release 3.7

Topi Miettinen (1):
      audit2allow: CIL output mode

Vit Mojzis (3):
      python/semanage: Do not sort local fcontext definitions
      python/semanage: Allow modifying records on "add"
      libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)





