* ANN: SELinux userspace 3.11-rc3 release
@ 2026-06-24 19:34 Petr Lautrbach
2026-06-25 18:04 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2026-06-24 19:34 UTC (permalink / raw)
To: SElinux list
Hello!
The 3.11-rc3 release for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/releases/tag/3.11-rc3
https://github.com/SELinuxProject/selinux/wiki/Releases
I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://github.com/bachradsusi.gpg
Thanks to all the contributors, reviewers, testers and reporters!
If you miss something important not mentioned bellow, please let me
know.
Unless something unexpected happen, 3.11 will be released
next week. Also only important patches will be merged before the
release.
User-visible changes since 3.11-rc3
-----------------------------------
- Bug fixes
Development-relevant changes
----------------------------
- Improved CI
- Added EXTRA_LD_FLAGS for use by musl+llvm builds to pass --undefined-version.
Shortlog of the changes since 3.11-rc2 release
----------------------------------------------
Chris PeBenito (2):
CI: Fix variable use in build-userspace action.
CI: Add explicit output variable for build-userspace action.
Christian Göttsche (3):
secilc/docs: fix wrong CIL statements
secilc/docs: mention nlmsg extended permissions
Makefile: avoid 0 as NULL pointer constant
James Carter (2):
libsepol: Check for proper length of addr and mask buffers
secilc: Use fstat instead of stat to avoid TOCTOU issues
Kalevi Kolttonen (16):
libselinux: use null character with strings
policycoreutils: use stderr for error messages
policycoreutils: use null character in a string
policycoreutils: use null character in strings
policycoreutils: check strdup() failure
policycoreutils: use null character in a string
policycoreutils: use bool instead of int
policycoreutils: use null character in a string
policycoreutils: use bool instead of int
mcstrans: use null character in strings
mcstrans: use null character in strings
sandbox: use bool instead of int
audit2allow: make error message more helpful
policycoreutils: use bool instead of int
mcstrans: use sig_atomic_t and bool instead of int
libsepol: Add missing comment to context.h
Petr Lautrbach (1):
Update VERSIONs to 3.11-rc3 for release.
Stephen Smalley (2):
python/semanage: do not leak an audit fd per logger instance
libselinux: Add EXTRA_LD_FLAGS for musl+llvm builds
netliomax25-code (11):
libsepol: fix out-of-bounds typealias_lists access in module_to_cil
libsepol: cast to unsigned char in ctype calls
libsepol: null-terminate temporary buffer in mls_to_string
libsepol: bound category values in mls_semantic_level_expand
libsemanage: guard end of path in semanage_fc_find_meta
libsepol: bound type values in type_set_expand negset loop
libsepol: test type_set_expand bounds negset type values
libsepol/cil: fix double free of borrowed type datum on error path
mcstrans: fix out-of-bounds read in parse_raw sensitivity parsing
checkpolicy: fix xperm complement at range boundaries
checkpolicy: reject out-of-range extended permission values
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ANN: SELinux userspace 3.11-rc3 release
2026-06-24 19:34 ANN: SELinux userspace 3.11-rc3 release Petr Lautrbach
@ 2026-06-25 18:04 ` Stephen Smalley
2026-06-30 10:19 ` Petr Lautrbach
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2026-06-25 18:04 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: SElinux list
On Wed, Jun 24, 2026 at 3:34 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Hello!
>
> The 3.11-rc3 release for the SELinux userspace is now available at:
>
> https://github.com/SELinuxProject/selinux/releases/tag/3.11-rc3
> https://github.com/SELinuxProject/selinux/wiki/Releases
>
> I signed all tarballs using my gpg key, see .asc files.
> You can download the public key from
> https://github.com/bachradsusi.gpg
>
> Thanks to all the contributors, reviewers, testers and reporters!
>
> If you miss something important not mentioned bellow, please let me
> know.
>
> Unless something unexpected happen, 3.11 will be released
> next week. Also only important patches will be merged before the
> release.
Some items that might be worth mentioning in the 3.11 final release
notes (overall, since 3.10); feel free to edit / coalesce / reorder /
drop / add as you see fit:
User-visible:
- Added new libsepol interfaces and a new secilccheck program for
checking CIL neverallows against a binary policy for use by the
Android CTS.
- Fixed restorecon error handling for read-only filesystems.
- Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues
in file relabeling if /proc is available (so that it can use
/proc/self/fd-based pathnames). If /proc is not available,
selinux_restorecon(3) falls back to just passing the full pathname
each time for compatibility within chroot or other environments. For
callers that pass the SELINUX_RESTORECON_REALPATH flag, like
restorecon(8), selinux_restorecon(3) will still follow any
intermediate symlinks in the initial pathname as part of realpath(3)
canonicalization. Otherwise, selinux_restorecon(3) will not follow any
symlinks. This may yield different user-visible behavior for
setfiles(8) and restorecond(8) but only if a path containing an
intermediate symlink is specified on the command-line (setfiles) or
configuration (restorecond) since they did not follow any symlinks
found during the tree walk regardless.
- Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse
to relabel files with multiple hard links to prevent mislabeling them.
Updated restorecond(8) to always pass this flag when relabeling files
to prevent mislabeling hard links to files owned by others, e.g. when
relabeling user home directories or /tmp. Note to self: we should add
a command-line option to setfiles/restorecon for this as well.
- Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues
on their other path-based operations via /proc/self/fd and the use of
a safe_open() helper. This may yield different behavior if a path
containing an intermediate symlink is passed to them via configuration
(restorecond) or command-line (seunshare).
- Dropped sandbox/seunshare -k/--kill support (unused by sandbox,
fundamentally racy, redundant with killall -Z).
- Fixed sandbox/seunshare getopt flags to match the actual options.
- Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
- Updated restorecond to use Type=simple in the service unit file, add
a -F option to run in the foreground, and to not unlink the pidfile if
not used.
- Added a cache size cap, max client cap, receive timeout, and maxbit
cap to mcstrans to reduce the risk of DoS from misbehaving clients.
- Fixed mcstrans UAF on SIGHUP reload of its configuration files.
- Fixed mcstrans translation for uncached entries.
- Fixed sandbox interactive prompt for saving files.
- Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on
large semanage import operations (#291).
- Fixed libsepol generation of constraint expressions with a list of
names when writing policy.conf from CIL.
- Fixed libsepol to generate constrain/validatetrans instead of
mlsconstrain/mlsvalidatetrans when converting a module to CIL unless
the constraint contains an expression based on level.
- Fixed libsepol selection of tunableif or booleanif and to skip empty
conditional blocks when converting a module to CIL.
- Fixed libsepol/secilc reporting of CIL source file info.
- Fixed libsepol to require at least one perm in a CIL classperm and
to correctly count the number of elements in the avtab.
- Fixed libsepol to link xperm rule permissions correctly.
- Fixed libsepol off-by-one error in cats_ebitmap_len().
- Fixed dispol and dismod to show all options in the -h text.
- Fixed checkpolicy handling of out-of-range and complement at range
boundaries for xperm rules (#530, #531).
- Dropped legacy fscon statement support from checkpolicy - never used
in SELinux policies for mainline kernels (#518).
- Fixed libselinux constructor to not clobber errno (#445)
- Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
- Fixed libselinux selinux_init_policy_load() to still try to mount
selinuxfs on /sys/fs/selinux even if the mount of sysfs on /sys fails
- this can occur legitimately within a user namespace.
- Multiple documentation improvements.
Other security/hardening (not user-visible):
- Many hardening fixes spanning the entire tree (including but not
limited to #522, #523, #525 thru #529, #532 thru #534)
Build fixes:
- Fixed libsemanage pywrap target deps for parallel builds.
- Updated pywrap build targets for modern python builds using the
Python3 build module.
- Disabled build isolation for sepolicy python module.
- Fixed build errors with glibc 2.43.
- Fixed libselinux build for non-pthread builds.
- Build shared libraries with -fPIC for LTO
- Fixed uclibc build failure (#435).
- Multiple fixes for musl/llvm-based builds, including adding a new
EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
--undefined-version through to lld (#511 thru #515)
Coding style/format:
- Reformatted entire tree based on .clang-format and added new
check-format/format make targets to check and/or reformat code to
match. This is now a requirement for new patches.
>
> User-visible changes since 3.11-rc3
> -----------------------------------
> - Bug fixes
>
> Development-relevant changes
> ----------------------------
>
> - Improved CI
> - Added EXTRA_LD_FLAGS for use by musl+llvm builds to pass --undefined-version.
>
> Shortlog of the changes since 3.11-rc2 release
> ----------------------------------------------
> Chris PeBenito (2):
> CI: Fix variable use in build-userspace action.
> CI: Add explicit output variable for build-userspace action.
>
> Christian Göttsche (3):
> secilc/docs: fix wrong CIL statements
> secilc/docs: mention nlmsg extended permissions
> Makefile: avoid 0 as NULL pointer constant
>
> James Carter (2):
> libsepol: Check for proper length of addr and mask buffers
> secilc: Use fstat instead of stat to avoid TOCTOU issues
>
> Kalevi Kolttonen (16):
> libselinux: use null character with strings
> policycoreutils: use stderr for error messages
> policycoreutils: use null character in a string
> policycoreutils: use null character in strings
> policycoreutils: check strdup() failure
> policycoreutils: use null character in a string
> policycoreutils: use bool instead of int
> policycoreutils: use null character in a string
> policycoreutils: use bool instead of int
> mcstrans: use null character in strings
> mcstrans: use null character in strings
> sandbox: use bool instead of int
> audit2allow: make error message more helpful
> policycoreutils: use bool instead of int
> mcstrans: use sig_atomic_t and bool instead of int
> libsepol: Add missing comment to context.h
>
> Petr Lautrbach (1):
> Update VERSIONs to 3.11-rc3 for release.
>
> Stephen Smalley (2):
> python/semanage: do not leak an audit fd per logger instance
> libselinux: Add EXTRA_LD_FLAGS for musl+llvm builds
>
> netliomax25-code (11):
> libsepol: fix out-of-bounds typealias_lists access in module_to_cil
> libsepol: cast to unsigned char in ctype calls
> libsepol: null-terminate temporary buffer in mls_to_string
> libsepol: bound category values in mls_semantic_level_expand
> libsemanage: guard end of path in semanage_fc_find_meta
> libsepol: bound type values in type_set_expand negset loop
> libsepol: test type_set_expand bounds negset type values
> libsepol/cil: fix double free of borrowed type datum on error path
> mcstrans: fix out-of-bounds read in parse_raw sensitivity parsing
> checkpolicy: fix xperm complement at range boundaries
> checkpolicy: reject out-of-range extended permission values
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ANN: SELinux userspace 3.11-rc3 release
2026-06-25 18:04 ` Stephen Smalley
@ 2026-06-30 10:19 ` Petr Lautrbach
0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2026-06-30 10:19 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SElinux list
Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> On Wed, Jun 24, 2026 at 3:34 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>
>> Hello!
>>
>> The 3.11-rc3 release for the SELinux userspace is now available at:
>>
>> https://github.com/SELinuxProject/selinux/releases/tag/3.11-rc3
>> https://github.com/SELinuxProject/selinux/wiki/Releases
>>
>> I signed all tarballs using my gpg key, see .asc files.
>> You can download the public key from
>> https://github.com/bachradsusi.gpg
>>
>> Thanks to all the contributors, reviewers, testers and reporters!
>>
>> If you miss something important not mentioned bellow, please let me
>> know.
>>
>> Unless something unexpected happen, 3.11 will be released
>> next week. Also only important patches will be merged before the
>> release.
>
> Some items that might be worth mentioning in the 3.11 final release
> notes (overall, since 3.10); feel free to edit / coalesce / reorder /
> drop / add as you see fit:
>
Thanks!
> User-visible:
> - Added new libsepol interfaces and a new secilccheck program for
> checking CIL neverallows against a binary policy for use by the
> Android CTS.
> - Fixed restorecon error handling for read-only filesystems.
> - Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues
> in file relabeling if /proc is available (so that it can use
> /proc/self/fd-based pathnames). If /proc is not available,
> selinux_restorecon(3) falls back to just passing the full pathname
> each time for compatibility within chroot or other environments. For
> callers that pass the SELINUX_RESTORECON_REALPATH flag, like
> restorecon(8), selinux_restorecon(3) will still follow any
> intermediate symlinks in the initial pathname as part of realpath(3)
> canonicalization. Otherwise, selinux_restorecon(3) will not follow any
> symlinks. This may yield different user-visible behavior for
> setfiles(8) and restorecond(8) but only if a path containing an
> intermediate symlink is specified on the command-line (setfiles) or
> configuration (restorecond) since they did not follow any symlinks
> found during the tree walk regardless.
> - Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
> selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse
> to relabel files with multiple hard links to prevent mislabeling them.
> Updated restorecond(8) to always pass this flag when relabeling files
> to prevent mislabeling hard links to files owned by others, e.g. when
> relabeling user home directories or /tmp. Note to self: we should add
> a command-line option to setfiles/restorecon for this as well.
> - Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues
> on their other path-based operations via /proc/self/fd and the use of
> a safe_open() helper. This may yield different behavior if a path
> containing an intermediate symlink is passed to them via configuration
> (restorecond) or command-line (seunshare).
> - Dropped sandbox/seunshare -k/--kill support (unused by sandbox,
> fundamentally racy, redundant with killall -Z).
> - Fixed sandbox/seunshare getopt flags to match the actual options.
> - Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
> - Updated restorecond to use Type=simple in the service unit file, add
> a -F option to run in the foreground, and to not unlink the pidfile if
> not used.
> - Added a cache size cap, max client cap, receive timeout, and maxbit
> cap to mcstrans to reduce the risk of DoS from misbehaving clients.
> - Fixed mcstrans UAF on SIGHUP reload of its configuration files.
> - Fixed mcstrans translation for uncached entries.
> - Fixed sandbox interactive prompt for saving files.
> - Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on
> large semanage import operations (#291).
> - Fixed libsepol generation of constraint expressions with a list of
> names when writing policy.conf from CIL.
> - Fixed libsepol to generate constrain/validatetrans instead of
> mlsconstrain/mlsvalidatetrans when converting a module to CIL unless
> the constraint contains an expression based on level.
> - Fixed libsepol selection of tunableif or booleanif and to skip empty
> conditional blocks when converting a module to CIL.
> - Fixed libsepol/secilc reporting of CIL source file info.
> - Fixed libsepol to require at least one perm in a CIL classperm and
> to correctly count the number of elements in the avtab.
> - Fixed libsepol to link xperm rule permissions correctly.
> - Fixed libsepol off-by-one error in cats_ebitmap_len().
> - Fixed dispol and dismod to show all options in the -h text.
> - Fixed checkpolicy handling of out-of-range and complement at range
> boundaries for xperm rules (#530, #531).
> - Dropped legacy fscon statement support from checkpolicy - never used
> in SELinux policies for mainline kernels (#518).
> - Fixed libselinux constructor to not clobber errno (#445)
> - Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
> - Fixed libselinux selinux_init_policy_load() to still try to mount
> selinuxfs on /sys/fs/selinux even if the mount of sysfs on /sys fails
> - this can occur legitimately within a user namespace.
> - Multiple documentation improvements.
>
> Other security/hardening (not user-visible):
> - Many hardening fixes spanning the entire tree (including but not
> limited to #522, #523, #525 thru #529, #532 thru #534)
>
> Build fixes:
> - Fixed libsemanage pywrap target deps for parallel builds.
> - Updated pywrap build targets for modern python builds using the
> Python3 build module.
> - Disabled build isolation for sepolicy python module.
> - Fixed build errors with glibc 2.43.
> - Fixed libselinux build for non-pthread builds.
> - Build shared libraries with -fPIC for LTO
> - Fixed uclibc build failure (#435).
> - Multiple fixes for musl/llvm-based builds, including adding a new
> EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
> --undefined-version through to lld (#511 thru #515)
>
> Coding style/format:
> - Reformatted entire tree based on .clang-format and added new
> check-format/format make targets to check and/or reformat code to
> match. This is now a requirement for new patches.
>
>
>
>>
>> User-visible changes since 3.11-rc3
>> -----------------------------------
>> - Bug fixes
>>
>> Development-relevant changes
>> ----------------------------
>>
>> - Improved CI
>> - Added EXTRA_LD_FLAGS for use by musl+llvm builds to pass --undefined-version.
>>
>> Shortlog of the changes since 3.11-rc2 release
>> ----------------------------------------------
>> Chris PeBenito (2):
>> CI: Fix variable use in build-userspace action.
>> CI: Add explicit output variable for build-userspace action.
>>
>> Christian Göttsche (3):
>> secilc/docs: fix wrong CIL statements
>> secilc/docs: mention nlmsg extended permissions
>> Makefile: avoid 0 as NULL pointer constant
>>
>> James Carter (2):
>> libsepol: Check for proper length of addr and mask buffers
>> secilc: Use fstat instead of stat to avoid TOCTOU issues
>>
>> Kalevi Kolttonen (16):
>> libselinux: use null character with strings
>> policycoreutils: use stderr for error messages
>> policycoreutils: use null character in a string
>> policycoreutils: use null character in strings
>> policycoreutils: check strdup() failure
>> policycoreutils: use null character in a string
>> policycoreutils: use bool instead of int
>> policycoreutils: use null character in a string
>> policycoreutils: use bool instead of int
>> mcstrans: use null character in strings
>> mcstrans: use null character in strings
>> sandbox: use bool instead of int
>> audit2allow: make error message more helpful
>> policycoreutils: use bool instead of int
>> mcstrans: use sig_atomic_t and bool instead of int
>> libsepol: Add missing comment to context.h
>>
>> Petr Lautrbach (1):
>> Update VERSIONs to 3.11-rc3 for release.
>>
>> Stephen Smalley (2):
>> python/semanage: do not leak an audit fd per logger instance
>> libselinux: Add EXTRA_LD_FLAGS for musl+llvm builds
>>
>> netliomax25-code (11):
>> libsepol: fix out-of-bounds typealias_lists access in module_to_cil
>> libsepol: cast to unsigned char in ctype calls
>> libsepol: null-terminate temporary buffer in mls_to_string
>> libsepol: bound category values in mls_semantic_level_expand
>> libsemanage: guard end of path in semanage_fc_find_meta
>> libsepol: bound type values in type_set_expand negset loop
>> libsepol: test type_set_expand bounds negset type values
>> libsepol/cil: fix double free of borrowed type datum on error path
>> mcstrans: fix out-of-bounds read in parse_raw sensitivity parsing
>> checkpolicy: fix xperm complement at range boundaries
>> checkpolicy: reject out-of-range extended permission values
>>
>>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-30 10:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24 19:34 ANN: SELinux userspace 3.11-rc3 release Petr Lautrbach
2026-06-25 18:04 ` Stephen Smalley
2026-06-30 10:19 ` Petr Lautrbach
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.