From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Subject: ANN: SELinux userspace 3.1-rc1 release candidate
Date: Mon, 18 May 2020 14:52:37 +0200
Message-ID: <20200518125237.GD309708@workstation>
Hello,

A 3.1-rc1 release candidate for the SELinux userspace is now
available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues.

If there are specific changes that you think should be called out
in release notes for packagers and users in the final release
announcement, let us know.

Thanks to all the contributors to this release candidate!

User-visible changes:

* selinux/flask.h and selinux/av_permissions.h were removed

  The flask.h and av_permissions.h header files were deprecated and
  all selinux userspace references to them were removed in
  commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
  back in 2014 and included in the 20150202 / 2.4 release.
  All userspace object managers should have been updated
  to use the dynamic class/perm mapping support since that time.
  Remove these headers finally to ensure that no users remain and
  that no future uses are ever introduced.

  Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
  permission names to their policy values, or selinux_set_mapping(3) to create a
  mapping from class and permission index values used by the application to the
  policy values.

* Support for new polcap genfs_seclabel_symlinks
* New `setfiles -E` option - treat conflicting specifications as errors, such
  as where two hardlinks for the same inode have different contexts.
* `restorecond_user.service` - new systemd user service which runs `restorecond -u`
* `setsebool -V` reports errors from commit phase
* Improved man pages
* `semanage` uses ipaddress Python module instead of IPy
* matchpathcon related interfaces are deprecated
* selinuxfs is mounted with noexec and nosuid
* Improved README which was renamed to README.md and converted to markdown.
* `setup.py` builds can be customized using PYTHON_SETUP_ARGS, e.g. for
  Debian Python layout use: `make PYTHON_SETUP_ARGS=--install-layout=deb ...`

Issues fixed:
* https://github.com/SELinuxProject/selinux/issues/239
* https://github.com/SELinuxProject/selinux/issues/237
* https://github.com/SELinuxProject/selinux/issues/225
* https://github.com/SELinuxProject/selinux/issues/217
* https://github.com/SELinuxProject/selinux/issues/204
* https://github.com/SELinuxProject/selinux/issues/187
* https://github.com/SELinuxProject/selinux/issues/179
* https://github.com/SELinuxProject/selinux/issues/164
* https://github.com/SELinuxProject/selinux/issues/70
* https://github.com/SELinuxProject/selinux/issues/28

A shortlog of changes since the 3.0 release:

Adam Duskett (1):
      Fix building against musl and uClibc libc libraries.

Chris PeBenito (2):
      libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.
      setfiles: Add -E option to treat conflicting specifications as errors.

Christian Göttsche (10):
      libsepol: add support for new polcap genfs_seclabel_symlinks
      libselinux: drop error return from is_selinux_enabled documentation
      libsepol: set correct second argument of (t1 == t2) constraint
      checkpolicy: add missing forward declaration
      tree-wide: replace last occurrences of security_context_t
      tree-wide: use python module importlib instead of the deprecated imp
      libsemanage: clarify handle-unknown configuration setting in man page
      semodule: mention ignoredirs setting in genhomedircon man page
      libselinux: mark security_context_t typedef as deprecated
      tree-wide: introduce PYTHON_SETUP_ARGS to customize setup.py calls on Debian

Daniel Burgener (2):
      checkpolicy: Treat invalid characters as an error
      checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.

Dominick Grift (1):
      mcstrans: start early and stop late

James Carter (6):
      libsepol/cil: Fix bug in cil_copy_avrule() in extended permission handling
      libsepol/cil: Rewrite verification of map classes and classpermissionsets
      libsepol: Create the macro ebitmap_is_empty() and use it where needed
      libsepol/cil: Check if name is a macro parameter first
      libsepol/cil: Do not check flavor when checking for duplicate parameters
      Revert "libsepol/cil: raise default attrs_expand_size to 2"

Joshua Schmidlkofer (1):
      python/semanage: check variable type of port before trying to split

Mikhail Novosyolov (1):
      libselinux: Fix Ru translation of failsafe context

Nick Kralevich (1):
      label_file.c: Fix MAC build

Nicolas Iooss (16):
      libsepol: make ebitmap_cardinality() of linear complexity
      libselinux: add missing glue code to grab errno in Python bindings
      libselinux: copy the reason why selinux_status_open() returns 1
      libselinux: make context_*_set() return -1 when an error occurs
      libselinux/utils: remove unneeded variable in Makefile
      libselinux,libsemanage: remove double blank lines
      python/semanage: check rc after getting it
      restorecond: migrate to GDbus API provided by glib-gio
      restorecond: add systemd user service
      restorecond/user: handle SIGTERM properly
      libsepol/tests: drop ncurses dependency
      README: add much useful information
      scripts/env_use_destdir: fix Fedora support
      scripts/env_use_destdir: propagate PREFIX, LIBDIR, BINDIR, etc.
      Travis-CI: upgrade to Ubuntu 18.04 and latest releases of Python and Ruby
      python/sepolicy: silence new flake8 warnings

Ondrej Mosnacek (16):
      libsepol: fix CIL_KEY_* build errors with -fno-common
      libsepol: remove leftovers of cil_mem_error_handler
      checkpolicy: remove unused te_assertions
      Makefile: always build with -fno-common
      libsemanage: preserve parent Makefile's flags in debug mode
      Travis-CI: test that DEBUG build works
      libsepol/cil: remove unnecessary hash tables
      libsepol: cache ebitmap cardinality value
      libsepol, newrole: remove unused hashtab functions
      libsepol: grow hashtab dynamically
      Revert "libsepol: cache ebitmap cardinality value"
      libsepol/cil: raise default attrs_expand_size to 2
      secilc: add basic test for policy optimization
      libsepol: skip unnecessary check in build_type_map()
      libsepol: optimize inner loop in build_type_map()
      libsepol: speed up policy optimization

Petr Lautrbach (9):
      libselinux: Eliminate use of security_compute_user()
      Convert README to README.md
      python/semanage: Use ipaddress module instead of IPy
      restorecond: Rename restorecond-user.service to restorecond_user.service
      restorecond: Use pkg-config to get locations for systemd units
      semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
      run-flake8: Filter out ./.git/ directory
      secilc: Fix policy optimization test
      Update VERSIONs to 3.1-rc1 for release.

Richard Filo (1):
      libselinux: Add missing errno setup

Stephen Smalley (8):
      libselinux: remove flask.h and av_permissions.h
      libselinux: update man pages for userspace policy enforcers
      libselinux: export flush_class_cache(), call it on policyload
      libsepol,checkpolicy: support omitting unused initial sid contexts
      libselinux: deprecate security_compute_user(), update man pages
      libsepol,checkpolicy: remove use of hardcoded security class values
      libsemanage: fsync final files before rename
      libsepol: drop broken warning on duplicate filename transitions

Topi Miettinen (4):
      setsebool: report errors from commit phase
      libselinux: mount selinuxfs noexec and nosuid
      sepolicy-gui: fix columns in transitions view
      sepolicy: fix some typos and port definitions

William Roberts (34):
      dso: drop hidden_proto and hidden_def
      Makefile: add -fno-semantic-interposition
      Makefile: add linker script to minimize exports
      libselinux: drop symbols from map
      libsepol/dso: drop hidden_proto and hidden_def
      libsepol/Makefile: add -fno-semantic-interposition
      libsepol: remove wild cards in mapfile
      cil: drop remaining dso.h include
      libsemanage: drop hidden
      libsemanage/Makefile: add -fno-semantic-interposition
      libsemanage: update linker script
      libsemanage: cleanup linker map file
      cil: rm dead dso.h file
      cil: re-enable DISABLE_SYMVER define
      libsemanage: fix linker script symbol versions
      libsemanage: rm semanage_module_upgrade_info from map
      security_load_booleans: update return comment
      security_load_booleans: annotate deprecated
      selinux_booleans_path: annotate deprecated
      selinux_users_path: annotate deprecated
      rpm_execcon: annotate deprecated
      sidget: annotate deprecated
      sidput: annotate deprecated
      checkPasswdAccess: annotate deprecated
      matchpathcon_init: annotate deprecated
      matchpathcon_fini: annotate deprecated
      matchpathcon: annotate deprecated
      avc_init: annotate deprecated
      avc: create internal avc_init interface
      matchpathcon: create internal matchpathcon_fini interface
      selinux_check_passwd_access: annotate deprecated
      matchpathcon: allow use of deprecated routines
      utils: matchpathcon add deprecated warning
      Makefile: swig build allow deprecated functions

bauen1 (1):
      mcstransd: fix memory leak in new_context_str

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
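
The condition that the new `setfiles -E` option turns into an error, as an added example that is not part of the announcement or of the SELinux project's code: it walks a tree, groups paths by inode, and reports inodes whose hard links resolve to different contexts. The spec list, the directory layout and the last-match-wins lookup are constructed simplifications, not libselinux's file_contexts matching.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample specifications (regex, context); not taken from a real policy.
SAMPLE_SPECS = [
    (r"/srv/web(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/srv/backup(/.*)?", "system_u:object_r:backup_store_t:s0"),
]

def lookup_context(path, specs):
    """Simplified stand-in for a file_contexts lookup: last full match wins."""
    context = None
    for pattern, spec_context in specs:
        if re.fullmatch(pattern, path):
            context = spec_context
    return context

def find_conflicts(root, specs):
    """Return one {path: context} dict per inode whose hard links disagree."""
    by_inode = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if st.st_nlink < 2:          # only multiply-linked inodes can conflict
                continue
            rel = "/" + os.path.relpath(full, root)
            by_inode[(st.st_dev, st.st_ino)][rel] = lookup_context(rel, specs)
    return [dict(sorted(paths.items())) for paths in by_inode.values()
            if len(set(paths.values())) > 1]

def demo():
    """Build a constructed tree with one cross-directory hard link and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "srv", "web"))
        os.makedirs(os.path.join(root, "srv", "backup"))
        page = os.path.join(root, "srv", "web", "index.html")
        with open(page, "w") as fh:
            fh.write("hello\n")
        os.link(page, os.path.join(root, "srv", "backup", "index.html"))
        with open(os.path.join(root, "srv", "web", "solo.html"), "w") as fh:
            fh.write("single link\n")
        return find_conflicts(root, SAMPLE_SPECS)

if __name__ == "__main__":
    for conflict in demo():
        print("conflicting specifications:", conflict)
```

Because a label belongs to the inode, only one of the two contexts can be applied to such a file, so its final label depends on which path is processed; treating the conflict as an error makes the relabel fail visibly.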