ANN: SELinux userspace 3.8-rc1 release

Hello!

The 3.8-rc1 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://github.com/bachradsusi.gpg

Thanks to all the contributors, reviewers, testers and reporters!

If you miss something important not mentioned below, please let me
know.

User-visible changes
--------------------

* libsemanage: Preserve file context and ownership in policy store

* libselinux: deprecate security_disable(3)

* libsepol: Support nlmsg extended permissions
 
* libsepol: Add policy capability netlink_xperm

* libsemanage: Optionally allow duplicate declarations

* policycoreutils: introduce unsetfiles

* libselinux/utils: introduce selabel_compare

* improved selabel_lookup performance

* libselinux: support parallel usage of selabel_lookup(3)

* libsepol: add support for xperms in conditional policies

* Improved man pages

* Code improvements and bug fixes

Shortlog of the changes since 3.7 release
-----------------------------------------
Christian Göttsche (70):
      libselinux: deprecate security_disable(3)
      libselinux: avoid errno modification by fclose(3)
      selinux: free memory in error branch
      libsemanage: check for rewind(3) failure
      selinux: set missing errno in failure branch
      checkpolicy/fuzz: fix setjmp condition
      policycoreutils: introduce unsetfiles
      libselinux/utils: introduce selabel_compare
      libselinux: use more appropriate types in sidtab
      libselinux: add unique id to sidtab entries
      libselinux: sidtab updates
      libselinux: rework selabel_file(5) database
      libselinux: remove unused hashtab code
      libselinux: add selabel_file(5) fuzzer
      libselinux: support parallel selabel_lookup(3)
      checkpolicy: avoid memory leaks on redeclarations
      checkpolicy: avoid leak of identifier on required attribute
      libsepol: misc assertion cleanup
      libsepol: add support for xperms in conditional policies
      checkpolicy: add support for xperms in conditional policies
      libsepol/cil: add support for xperms in conditional policies
      libsepol: indent printed allow rule on assertion failure
      libsepol/tests: add cond xperm neverallow tests
      libsemanage: white space cleanup
      libsemanage: fix typo
      libsemanage: drop unused macro
      libsemanage: drop dead assignments
      libsemanage: drop dead variable
      libsemanage: drop unnecessary declarations
      libsemanage: drop unnecessary return statements
      libsemanage: drop duplicate include
      libsemanage: drop const from function declaration
      libsemanage: check memory allocations
      libsemanage: use unlink on non directory
      libsemanage: free resources on failed connect attempt
      libsemanage: declare file local function tables static
      libsemanage: avoid const dropping casts
      libsemanage: cast to unsigned char for character checking functions
      libsemanage: drop casts to same type
      libsemanage: fix asprintf error branch
      libsemanage: avoid leak on realloc failure
      libsemanage: use strtok_r for thread safety
      libsemanage: free ibdev names in semanage_ibendport_validate_local()
      libsemanage: simplify malloc plus strcpy via strndup
      libsemanage: check for path formatting failures
      libsemanage: introduce write_full wrapper
      libsemanage: more strict value parsing
      libsemanage: constify function pointer structures
      libsemanage: simplify loop exit
      libsemanage: constify read only parameters and variables
      libsemanage: avoid misc function pointer casts
      libsemanage: adjust sizes to avoid implicit truncations
      libsemanage: use asprintf(3) to simplify code
      libsemanage: use size_t for hash input sizes
      libsemanage: drop macros used once
      libsemanage: drop dead code
      libsemanage: preserve errno during internal logging
      libsemanage: avoid strerror(3)
      libsemanage: avoid writing directly to stderr
      libsemanage: skip sort of empty arrays
      libsemanage/tests: misc cleanup
      libsemanage: set O_CLOEXEC flag for file descriptors
      libsemanage: handle cil_set_handle_unknown() failure
      libsemanage: handle shell allocation failure
      libsemanage: drop duplicate newlines and error descriptions in error messages
      libsemanage: check closing written files
      libsemanage: simplify file deletion
      libsemanage: optimize policy by default
      libsemanage/man: add documentation for command overrides
      libsemanage: respect shell paths with /usr prefix

Dmitry Sharshakov (2):
      sepolgen: initialize gen_cil
      policygen: respect CIL option when generating comments

Fabian Vogt (2):
      restorecond: Set GLib IO channels to binary mode
      restorecond: Set GLib IO channels to nonblocking

James Carter (7):
      checkpolicy: Check the right bits of an ibpkeycon rule subnet prefix
      libselinux: Fix integer comparison issues when compiling for 32-bit
      libsepol/cil: Allow dotted names in aliasactual rules
      checkpolicy: Fix MLS users in optional blocks
      libsepol/cil: Optionally allow duplicate role declarations
      libsemanage: Optionally allow duplicate declarations
      libsepol: Remove special handling of roles in module_to_cil.c

Petr Lautrbach (6):
      libselinux: set free'd data to NULL
      libselinux: fix swig bindings for 4.3.0
      libsemanage: fix swig bindings for 4.3.0
      libsemanage: open lock_file with O_RDWR
      fixfiles: use `grep -F` when search in mounts
      Update VERSIONs to 3.8-rc1 for release.

Stephen Smalley (1):
      libselinux: formally deprecate security_compute_user()

Thiébaud Weksteen (5):
      libsepol: Rename ioctl xperms structures and functions
      libsepol: Support nlmsg extended permissions
      libsepol: Add policy capability netlink_xperm
      libselinux: rename hashtab functions
      libsepol: Support nlmsg xperms in assertions

Vit Mojzis (11):
      libselinux/restorecon: Include <selinux/label.h>
      libsemanage: Preserve file context and ownership in policy store
      libsepol/sepol_compute_sid: Do not destroy uninitialized context
      libsepol/cil: Check that sym_index is within bounds
      libsepol/cil: Initialize avtab_datum on declaration
      libsepol/mls: Do not destroy context on memory error
      libsepol/cil/cil_post: Initialize tmp on declaration
      libsepol: Initialize "strs" on declaration
      libselinux/setexecfilecon: Remove useless rc check
      libselinux/matchpathcon: RESOURCE_LEAK: Variable "con"
      libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()





