All of lore.kernel.org
 help / color / mirror / Atom feed
From: Petr Lautrbach <lautrbach@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: ANN: SELinux userspace 3.11-rc3 release
Date: Tue, 30 Jun 2026 12:19:11 +0200	[thread overview]
Message-ID: <8733y4tjog.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ4xzk7Ua9qCAz0mDTYxuLRELTGWBn3G4Vfn9GGzp2xN_Q@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Wed, Jun 24, 2026 at 3:34 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>
>> Hello!
>>
>> The 3.11-rc3 release for the SELinux userspace is now available at:
>>
>> https://github.com/SELinuxProject/selinux/releases/tag/3.11-rc3
>> https://github.com/SELinuxProject/selinux/wiki/Releases
>>
>> I signed all tarballs using my gpg key, see .asc files.
>> You can download the public key from
>> https://github.com/bachradsusi.gpg
>>
>> Thanks to all the contributors, reviewers, testers and reporters!
>>
>> If you miss something important not mentioned bellow, please let me
>> know.
>>
>> Unless something unexpected happen, 3.11 will be released
>> next week. Also only important patches will be merged before the
>> release.
>
> Some items that might be worth mentioning in the 3.11 final release
> notes (overall, since 3.10); feel free to edit / coalesce / reorder /
> drop / add as you see fit:
>

Thanks!



> User-visible:
> - Added new libsepol interfaces and a new secilccheck program for
> checking CIL neverallows against a binary policy for use by the
> Android CTS.
> - Fixed restorecon error handling for read-only filesystems.
> -  Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues
> in file relabeling if /proc is available (so that it can use
> /proc/self/fd-based pathnames). If /proc is not available,
> selinux_restorecon(3) falls back to just passing the full pathname
> each time for compatibility within chroot or other environments. For
> callers that pass the SELINUX_RESTORECON_REALPATH flag, like
> restorecon(8), selinux_restorecon(3) will still follow any
> intermediate symlinks in the initial pathname as part of realpath(3)
> canonicalization. Otherwise, selinux_restorecon(3) will not follow any
> symlinks. This may yield different user-visible behavior for
> setfiles(8) and restorecond(8) but only if a path containing an
> intermediate symlink is specified on the command-line (setfiles) or
> configuration (restorecond) since they did not follow any symlinks
> found during the tree walk regardless.
> - Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
> selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse
> to relabel files with multiple hard links to prevent mislabeling them.
> Updated restorecond(8) to always pass this flag when relabeling files
> to prevent mislabeling hard links to files owned by others, e.g. when
> relabeling user home directories or /tmp. Note to self: we should add
> a command-line option to setfiles/restorecon for this as well.
> - Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues
> on their other path-based operations via /proc/self/fd and the use of
> a safe_open() helper. This may yield different behavior if a path
> containing an intermediate symlink is passed to them via configuration
> (restorecond) or command-line (seunshare).
> - Dropped sandbox/seunshare -k/--kill support (unused by sandbox,
> fundamentally racy, redundant with killall -Z).
> - Fixed sandbox/seunshare getopt flags to match the actual options.
> - Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
> - Updated restorecond to use Type=simple in the service unit file, add
> a -F option to run in the foreground, and to not unlink the pidfile if
> not used.
> - Added a cache size cap, max client cap, receive timeout, and maxbit
> cap to mcstrans to reduce the risk of DoS from misbehaving clients.
> - Fixed mcstrans UAF on SIGHUP reload of its configuration files.
> - Fixed mcstrans translation for uncached entries.
> - Fixed sandbox interactive prompt for saving files.
> - Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on
> large semanage import operations (#291).
> - Fixed libsepol generation of constraint expressions with a list of
> names when writing policy.conf from CIL.
> - Fixed libsepol to generate constrain/validatetrans instead of
> mlsconstrain/mlsvalidatetrans when converting a module to CIL unless
> the constraint contains an expression based on level.
> - Fixed libsepol selection of tunableif or booleanif and to skip empty
> conditional blocks when converting a module to CIL.
> - Fixed libsepol/secilc reporting of CIL source file info.
> - Fixed libsepol to require at least one perm in a CIL classperm and
> to correctly count the number of elements in the avtab.
> - Fixed libsepol to link xperm rule permissions correctly.
> - Fixed libsepol off-by-one error in cats_ebitmap_len().
> - Fixed dispol and dismod to show all options in the -h text.
> - Fixed checkpolicy handling of out-of-range and complement at range
> boundaries for xperm rules (#530, #531).
> - Dropped legacy fscon statement support from checkpolicy - never used
> in SELinux policies for mainline kernels (#518).
> - Fixed libselinux constructor to not clobber errno (#445)
> - Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
> - Fixed libselinux selinux_init_policy_load() to still try to mount
> selinuxfs on /sys/fs/selinux even if the mount of sysfs on /sys fails
> - this can occur legitimately within a user namespace.
> - Multiple documentation improvements.
>
> Other security/hardening (not user-visible):
> - Many hardening fixes spanning the entire tree (including but not
> limited to #522, #523, #525 thru #529, #532 thru #534)
>
> Build fixes:
> - Fixed libsemanage pywrap target deps for parallel builds.
> - Updated pywrap build targets for modern python builds using the
> Python3 build module.
> - Disabled build isolation for sepolicy python module.
> - Fixed build errors with glibc 2.43.
> - Fixed libselinux build for non-pthread builds.
> - Build shared libraries with -fPIC for LTO
> - Fixed uclibc build failure (#435).
> - Multiple fixes for musl/llvm-based builds, including adding a new
> EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
> --undefined-version through to lld (#511 thru #515)
>
> Coding style/format:
> - Reformatted entire tree based on .clang-format and added new
> check-format/format make targets to check and/or reformat code to
> match. This is now a requirement for new patches.
>
>
>
>>
>> User-visible changes since 3.11-rc3
>> -----------------------------------
>> - Bug fixes
>>
>> Development-relevant changes
>> ----------------------------
>>
>> - Improved CI
>> - Added EXTRA_LD_FLAGS for use by musl+llvm builds to pass --undefined-version.
>>
>> Shortlog of the changes since 3.11-rc2 release
>> ----------------------------------------------
>> Chris PeBenito (2):
>>       CI: Fix variable use in build-userspace action.
>>       CI: Add explicit output variable for build-userspace action.
>>
>> Christian Göttsche (3):
>>       secilc/docs: fix wrong CIL statements
>>       secilc/docs: mention nlmsg extended permissions
>>       Makefile: avoid 0 as NULL pointer constant
>>
>> James Carter (2):
>>       libsepol: Check for proper length of addr and mask buffers
>>       secilc: Use fstat instead of stat to avoid TOCTOU issues
>>
>> Kalevi Kolttonen (16):
>>       libselinux: use null character with strings
>>       policycoreutils: use stderr for error messages
>>       policycoreutils: use null character in a string
>>       policycoreutils: use null character in strings
>>       policycoreutils: check strdup() failure
>>       policycoreutils: use null character in a string
>>       policycoreutils: use bool instead of int
>>       policycoreutils: use null character in a string
>>       policycoreutils: use bool instead of int
>>       mcstrans: use null character in strings
>>       mcstrans: use null character in strings
>>       sandbox: use bool instead of int
>>       audit2allow: make error message more helpful
>>       policycoreutils: use bool instead of int
>>       mcstrans: use sig_atomic_t and bool instead of int
>>       libsepol: Add missing comment to context.h
>>
>> Petr Lautrbach (1):
>>       Update VERSIONs to 3.11-rc3 for release.
>>
>> Stephen Smalley (2):
>>       python/semanage: do not leak an audit fd per logger instance
>>       libselinux: Add EXTRA_LD_FLAGS for musl+llvm builds
>>
>> netliomax25-code (11):
>>       libsepol: fix out-of-bounds typealias_lists access in module_to_cil
>>       libsepol: cast to unsigned char in ctype calls
>>       libsepol: null-terminate temporary buffer in mls_to_string
>>       libsepol: bound category values in mls_semantic_level_expand
>>       libsemanage: guard end of path in semanage_fc_find_meta
>>       libsepol: bound type values in type_set_expand negset loop
>>       libsepol: test type_set_expand bounds negset type values
>>       libsepol/cil: fix double free of borrowed type datum on error path
>>       mcstrans: fix out-of-bounds read in parse_raw sensitivity parsing
>>       checkpolicy: fix xperm complement at range boundaries
>>       checkpolicy: reject out-of-range extended permission values
>>
>>


      reply	other threads:[~2026-06-30 10:19 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-24 19:34 ANN: SELinux userspace 3.11-rc3 release Petr Lautrbach
2026-06-25 18:04 ` Stephen Smalley
2026-06-30 10:19   ` Petr Lautrbach [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8733y4tjog.fsf@redhat.com \
    --to=lautrbach@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.