From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Subject: ANN: SELinux userspace 3.6-rc2 release
Date: Wed, 13 Dec 2023 16:45:19 +0100
Message-ID: <87bkaurtrk.fsf@redhat.com>

Hello!

The 3.6 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

Thanks to all the contributors, reviewers, testers and reporters!

User-visible changes
--------------------

* dispol: add option to display users, drop duplicate option to display booleans,
  show number of entries before listing them
* libsepol: struct cond_expr_t `bool` renamed to `boolean`
  The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro
* cil: Allow IP address and mask values to be directly written
* cil: Allow paths in filecon rules to be passed as arguments
* Add not self support for neverallow rules
* dispol: Add the ability to show booleans, classes, roles, types and type attributes of policies
* Improve man pages
* libselinux: performance optimization for duplicate detection
* dismod: add options: --actions ACTIONS, --help
* dispol: add options: --actions ACTIONS, --help
* checkpolicy: Add the command line argument -N, --disable-neverallow
* Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system
* man pages: Remove the Russian translations
* Add notself and other support to CIL
* Add support for deny rules
* Translations updated from
  https://translate.fedoraproject.org/projects/selinux/
* Bug fixes

Development-relevant changes
----------------------------

* ci: bump Fedora to version 39
* Drop LGTM.com and Travis CI configuration

Shortlog of the changes since 3.5 release
-----------------------------------------

Bruno Victal (1):
      secilc: Use versioned DocBook public identifier.

Cameron Williams (1):
      Add CPPFLAGS to Makefiles

Cathy Hu (1):
      sepolicy/manpage.py: make output deterministic

Christian Göttsche (115):
      libsepol: Add not self support for neverallow rules
      checkpolicy: add not-self neverallow support
      libsepol/tests: add tests for not self neverallow rules
      libsepol/tests: add tests for minus self neverallow rules
      libsepol: rename struct member
      checkpolicy: update cond_expr_t struct member name
      libsepol/tests: rename bool indentifiers
      checkpolicy: rename bool identifiers
      libsepol: rename bool identifiers
      libsemanage/tests: rename bool identifiers
      libsemanage: fix memory leak in semanage_user_roles
      checkpolicy/dispol: add output functions
      libselinux: set CFLAGS for pip installation
      checkpolicy: drop unused token CLONE
      checkpolicy: reject condition with bool and tunable in expression
      checkpolicy: only set declared permission bits for wildcards
      libsepol: dump non-mls validatetrans rules as such
      libsepol: validate some object contexts
      libsepol: validate old style range trans classes
      libsepol: validate: check low category is not bigger than high
      libsepol: validate: reject XEN policy with xperm rules
      libsepol: expand: skip invalid cat
      libsepol: drop message for uncommon error cases
      libsepol: drop duplicate newline in sepol_log_err() calls
      libsepol: replace sepol_log_err() by ERR()
      libsepol: replace log_err() by ERR()
      checkpolicy: add option to skip checking neverallow rules
      checkpolicy/dismod: misc improvements
      libsepol: free initial sid names
      libsepol: check for overflow in put_entry()
      libsepol/fuzz: more strict fuzzing of binary policies
      setsebool: improve bash-completion script
      setsebool: drop unnecessary linking against libsepol
      semodule_expand: update
      semodule_link: update
      semodule_package: update
      semodule_unpackage: update
      libselinux/utils: introduce getpolicyload
      libsepol: validate: use fixed sized integers
      hashtab: update
      libsepol: expand: use identical type to avoid implicit conversion
      libsepol: expand: check for memory allocation failure
      libsepol: ebitmap: avoid branches for iteration
      libsemanage/tests: use strict prototypes
      libsepol: update CIL generation for trivial not-self rules
      libselinux/utils: update selabel_partial_match
      libselinux: misc label cleanup
      libselinux: drop obsolete optimization flag
      libselinux: drop unnecessary warning overrides
      setfiles: do not issue AUDIT_FS_RELABEL on dry run
      libselinux: constify selabel_cmp(3) parameters
      libselinux: simplify zeroing allocation
      libselinux/utils: use type safe union assignment
      libselinux: avoid regex serialization truncations
      libselinux: parameter simplifications
      libselinux/utils: use correct type for backend argument
      libselinux: update string_to_mode()
      libselinux: fix logic for building android backend
      libselinux: avoid unused function
      libselinux: check for stream rewind failures
      libselinux: simplify internal selabel_validate prototype
      libselinux/utils: drop include of internal header file
      libselinux: free elements on read_spec_entries() failure
      libselinux: set errno on label lookup failure
      libsepol: reject avtab entries with invalid specifier
      libsepol: avtab: check read counts for saturation
      checkpolicy: add round-trip tests
      libselinux/utils: update getdefaultcon
      libselinux: cast to unsigned char for character handling function
      libselinux: introduce reallocarray(3)
      libsepol: validate default type of transition is not an attribute
      libsepol: validate constraint depth
      libsepol: more strict validation
      libsepol: reject unsupported policy capabilities
      libsepol: use str_read() where appropriate
      libsepol: adjust type for saturation check
      libsepol: enhance saturation check
      libsepol: validate the identifier for initials SID is valid
      Drop LGTM.com configuration
      Drop Travis CI configuration
      scripts: ignore unavailable interpreters
      ci: bump Fedora to version 39
      libselinux: update Python binding
      Update Python installation on Debian
      scripts: update run-scan-build
      semodule_link: avoid NULL dereference on OOM
      libsepol: set number of target names
      libselinux: fix memory leak in customizable_init()
      libsepol: avoid leak in OOM branch
      libsepol: avoid memory corruption on realloc failure
      libsepol: update policy capabilities array
      github: bump action dependencies
      libsepol: validate common classes have at least one permissions
      libsepol: include length squared in hashtab_hash_eval()
      libsepol: use DJB2a string hash function
      libsepol/cil: use DJB2a string hash function
      libselinux: use DJB2a string hash function
      newrole: use DJB2a string hash function
      libsepol: avoid fixed sized format buffer for xperms
      libsepol: avoid fixed sized format buffer for xperms
      libsepol: validate conditional type rules have a simple default type
      libsepol: use correct type to avoid truncations
      checkpolicy/dismod: avoid duplicate initialization and fix module linking
      libsepol: reject invalid class datums
      libsepol/fuzz: handle empty and non kernel policies
      libsepol: reject linking modules with no avrules
      libsepol: simplify string formatting
      checkpolicy/dispol: misc updates
      libsepol: constify tokenized input
      libsepol: avoid integer overflow in add_i_to_a()
      libsepol: extended permission formatting cleanup
      libsepol: validate empty common classes in scope indices
      libselinux: update const qualifier of parameters in man pages
      libselinux: always set errno on context translation failure
      libselinux: state setexecfilecon(3) sets errno on failure

Dominick Grift (1):
      secilc/docs: fixes filecon example

Huaxin Lu (4):
      libselinux: add check for calloc in check_booleans
      restorecond: add check for strdup in strings_list_add
      secilc: add check for malloc in secilc
      libsepol: add check for category value before printing

Huizhao Wang (1):
      restorecond: compatible with the use of EUID

James Carter (53):
      Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
      Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
      Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
      Revert "libsepol: implement new module binary format of avrule"
      Revert "libsepol: implement new kernel binary format for avtab"
      Revert "checkpolicy,libsepol: move filename transition rules to avrule"
      Revert "checkpolicy,libsepol: move filename transitions to avtab"
      Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
      libsepol/cil: Fix class permission verification in CIL
      python: Use isinstance() instead of type()
      checkpolicy: Remove the Russian translations
      gui: Remove the Russian translations
      libselinux: Remove the Russian translations
      libselinux: Remove the Russian translations
      libsemanage: Remove the Russian translations
      libsepol: Remove the Russian translations
      mcstrans: Remove the Russian translations
      policycoreutils: Remove the Russian translations
      python: Remove the Russian translations
      python: Remove the Russian translations
      restorecond: Remove the Russian translations
      sandbox: Remove the Russian translations
      semodule-utils: Remove the Russian translations
      Do not automatically install Russian translations
      libsepol: Changes to ebitmap.h to fix compiler warnings
      libsepol/cil: Do not call ebitmap_init twice for an ebitmap
      libsepol/cil: Add notself and other support to CIL
      libsepol: Use ERR() instead of log_err()
      secilc/docs: Add notself and other keywords to CIL documentation
      secilc/test: Add notself and other tests
      libsepol/cil: Parse and add deny rule to AST, but do not process
      libsepol/cil: Add cil_list_is_empty macro
      libsepol/cil: Add cil_tree_node_remove function
      libsepol/cil: Process deny rules
      libsepol/cil: Add cil_write_post_ast function
      libsepol: Export the cil_write_post_ast function
      secilc/secil2tree: Add option to write CIL AST after post processing
      secilc/test: Add deny rule tests
      secilc/docs: Add deny rule to CIL documentation
      checkpolicy: Remove support for role dominance rules
      libsepol: Fix the version number for the latest exported function
      libsepol/tests: Update the order of neverallow test results
      libsepol/cil: Use struct cil_db * instead of void *
      libsepol/cil: Refactor and improve handling of order rules
      libsepol/cil: Allow IP address and mask values to be directly written
      secilc/docs: Update syntax for IP addresses and nodecon
      libsepol/cil: Refactor Named Type Transition Filename Creation
      libsepol/cil: Allow paths in filecon rules to be passed as arguments
      secilc/docs: Fix and update the documentation for macro parameters
      libsepol/cil: Add pointers to datums to improve writing out AST
      libsepol/cil: Give warning for name that has different flavor
      libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
      libsepol/cil: Clear AST node after destroying bad filecon rule

Jeffery To (1):
      python/sepolicy: Fix get_os_version except clause

Juraj Marcin (8):
      checkpolicy,libsepol: move transition to separate structure in avtab
      checkpolicy,libsepol: move filename transitions to avtab
      checkpolicy,libsepol: move filename transition rules to avrule
      libsepol: implement new kernel binary format for avtab
      libsepol: implement new module binary format of avrule
      checkpolicy,libsepol: add prefix/suffix support to kernel policy
      checkpolicy,libsepol: add prefix/suffix support to module policy
      libsepol/cil: add support for prefix/suffix filename transtions to CIL

Masatake YAMATO (10):
      dismod: add --help option
      dismod: delete an unnecessary empty line
      dismod: handle EOF in user interaction
      dismod: add --actions option for non-interactive use
      dispol: add --help option
      dispol: delete an unnecessary empty line
      dispol: handle EOF in user interaction
      dispol: add --actions option for non-interactive use
      dismod: print the policy version only in interactive mode
      dismod, dispol: reduce the messages in batch mode

Ondrej Mosnacek (4):
      libsemanage: include more parameters in the module checksum
      scripts/ci: install rdma-core-devel for selinux-testsuite
      libsepol: stop translating deprecated intial SIDs to strings
      libsepol: add support for the new "init" initial SID

Petr Lautrbach (9):
      python: improve format strings for proper localization
      python: Drop hard formating from localized strings
      semanage: Drop unnecessary import from seobject
      python: update python.pot
      Update translations
      Update VERSIONs to 3.6-rc1 for release.
      Update VERSIONs to 3.6-rc2 for release.
      sepolicy: port to dnf4 python API
      Update VERSIONs to 3.6 for release.

Sergei Trofimovich (1):
      libsemanage: fix src/genhomedircon.c build on `gcc-14` (`-Werror=alloc-size`)

Stephen Smalley (2):
      libselinux,policycoreutils,python,semodule-utils: de-brand SELinux
      checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email

Topi Miettinen (1):
      sepolicy: clarify manual page of sepolicy interface

Vit Mojzis (12):
      python/chcat: Improve man pages
      python/audit2allow: Add missing options to man page
      python/semanage: Improve man pages
      python/audit2allow: Remove unused "debug" option
      policycoreutils: Add examples to man pages
      python/sepolicy: Improve man pages
      sandbox: Add examples to man pages
      checkpolicy: Add examples to man pages
      libselinux: Add examples to man pages
      python/sepolicy: Fix template for confined user policy modules
      python/sepolicy: Add/remove user even when SELinux is disabled
      python: Harden more tools against "rogue" modules

wanghuizhao (3):
      libselinux: migrating hashtab from policycoreutils
      libselinux: adapting hashtab to libselinux
      libselinux: performance optimization for duplicate detection