* ANN: SELinux userspace 3.8
From: Petr Lautrbach @ 2025-01-29 19:23 UTC
  To: selinux

Hello!

The 3.8 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

I signed all tarballs using my gpg key, see .asc files.
You can download the public key from
https://github.com/bachradsusi.gpg

Thanks to all the contributors, reviewers, testers and reporters!

Important change:
--------------------

The internal representation of file_contexts.*.bin files is completely
rewritten and the new format stores all multi-byte data in network
byte-order, so that such compiled files can be cross-compiled,
e.g. for embedded devices with read-only filesystems.

User-visible changes
--------------------

* libsemanage: Preserve file context and ownership in policy store

* libselinux: deprecate security_disable(3)

* libsepol: Support nlmsg extended permissions
 
* libsepol: Add policy capability netlink_xperm

* libsemanage: Optionally allow duplicate declarations

* policycoreutils: introduce unsetfiles

* libselinux/utils: introduce selabel_compare

* improved selabel_lookup performance

* libselinux: support parallel usage of selabel_lookup(3)

* libsepol: add support for xperms in conditional policies

* Improved man pages

* Code improvements and bug fixes

* Always build for LFS mode on 32-bit archs.

* libsemanage: Mute error messages from selinux_restorecon introduced in 3.8-rc1

* Regex spec ordering is restored to pre 3.8-rc1

* Binary fcontext files format changed, files using old format are ignored

* Code improvements and bug fixes

Shortlog of the changes since 3.7 release
-----------------------------------------
Christian Göttsche (95):
      libselinux: deprecate security_disable(3)
      libselinux: avoid errno modification by fclose(3)
      selinux: free memory in error branch
      libsemanage: check for rewind(3) failure
      selinux: set missing errno in failure branch
      checkpolicy/fuzz: fix setjmp condition
      policycoreutils: introduce unsetfiles
      libselinux/utils: introduce selabel_compare
      libselinux: use more appropriate types in sidtab
      libselinux: add unique id to sidtab entries
      libselinux: sidtab updates
      libselinux: rework selabel_file(5) database
      libselinux: remove unused hashtab code
      libselinux: add selabel_file(5) fuzzer
      libselinux: support parallel selabel_lookup(3)
      checkpolicy: avoid memory leaks on redeclarations
      checkpolicy: avoid leak of identifier on required attribute
      libsepol: misc assertion cleanup
      libsepol: add support for xperms in conditional policies
      checkpolicy: add support for xperms in conditional policies
      libsepol/cil: add support for xperms in conditional policies
      libsepol: indent printed allow rule on assertion failure
      libsepol/tests: add cond xperm neverallow tests
      libsemanage: white space cleanup
      libsemanage: fix typo
      libsemanage: drop unused macro
      libsemanage: drop dead assignments
      libsemanage: drop dead variable
      libsemanage: drop unnecessary declarations
      libsemanage: drop unnecessary return statements
      libsemanage: drop duplicate include
      libsemanage: drop const from function declaration
      libsemanage: check memory allocations
      libsemanage: use unlink on non directory
      libsemanage: free resources on failed connect attempt
      libsemanage: declare file local function tables static
      libsemanage: avoid const dropping casts
      libsemanage: cast to unsigned char for character checking functions
      libsemanage: drop casts to same type
      libsemanage: fix asprintf error branch
      libsemanage: avoid leak on realloc failure
      libsemanage: use strtok_r for thread safety
      libsemanage: free ibdev names in semanage_ibendport_validate_local()
      libsemanage: simplify malloc plus strcpy via strndup
      libsemanage: check for path formatting failures
      libsemanage: introduce write_full wrapper
      libsemanage: more strict value parsing
      libsemanage: constify function pointer structures
      libsemanage: simplify loop exit
      libsemanage: constify read only parameters and variables
      libsemanage: avoid misc function pointer casts
      libsemanage: adjust sizes to avoid implicit truncations
      libsemanage: use asprintf(3) to simplify code
      libsemanage: use size_t for hash input sizes
      libsemanage: drop macros used once
      libsemanage: drop dead code
      libsemanage: preserve errno during internal logging
      libsemanage: avoid strerror(3)
      libsemanage: avoid writing directly to stderr
      libsemanage: skip sort of empty arrays
      libsemanage/tests: misc cleanup
      libsemanage: set O_CLOEXEC flag for file descriptors
      libsemanage: handle cil_set_handle_unknown() failure
      libsemanage: handle shell allocation failure
      libsemanage: drop duplicate newlines and error descriptions in error messages
      libsemanage: check closing written files
      libsemanage: simplify file deletion
      libsemanage: optimize policy by default
      libsemanage/man: add documentation for command overrides
      libsemanage: respect shell paths with /usr prefix
      libselinux: make use of calloc(3)
      libselinux: avoid dynamic allocation in openattr()
      libselinux: move functions out of header file
      libsepol: harden availability check against user CFLAGS
      libselinux: harden availability check against user CFLAGS
      libselinux: avoid memory allocation in common file label lookup
      libselinux: use vector instead of linked list for substitutions
      libselinux: simplify string formatting
      libselinux/utils: use correct error handling
      libsepol: avoid unnecessary memset(3) calls in hashtab
      checkpolicy: drop host bits in IPv6 CIDR address
      libselinux/utils: drop reachable assert in sefcontext_compile
      libsepol: add missing word separators in error message
      libselinux/fuzz: update for lookup_all() change
      libselinux: restore previous regex spec ordering
      libselinux/fuzz: readjust load_mmap() update
      libsepol/cil: free nlmsg hashtable on error
      libselinux/fuzz: handle inputs with trailing data
      libsepol: fix typos
      python: fix typos
      libselinux: set errno in failure case
      checkpolicy: check identifier before copying
      checkpolicy: remove unneeded queue_head()
      checkpolicy: do not consume unmatched identifiers
      checkpolicy: clear queue between parser passes

Daniel Burgener (1):
      CONTRIBUTING.md: Drop dependency and build instructions

Dmitry Sharshakov (2):
      sepolgen: initialize gen_cil
      policygen: respect CIL option when generating comments

Fabian Vogt (2):
      restorecond: Set GLib IO channels to binary mode
      restorecond: Set GLib IO channels to nonblocking

James Carter (9):
      checkpolicy: Check the right bits of an ibpkeycon rule subnet prefix
      libselinux: Fix integer comparison issues when compiling for 32-bit
      libsepol/cil: Allow dotted names in aliasactual rules
      checkpolicy: Fix MLS users in optional blocks
      libsepol/cil: Optionally allow duplicate role declarations
      libsemanage: Optionally allow duplicate declarations
      libsepol: Remove special handling of roles in module_to_cil.c
      libselinux: Close old selabel handle when setting a new one
      libsemanage: Set new restorecon handle before doing restorecon

Ondrej Mosnacek (5):
      ci: use Testing Farm for running the testsuite
      ci: update Python versions
      ci: add missing libbz2-dev dependency
      ci: fix pypy conditional
      README: fix broken testsuite run status badge

Petr Lautrbach (11):
      libselinux: set free'd data to NULL
      libselinux: fix swig bindings for 4.3.0
      libsemanage: fix swig bindings for 4.3.0
      libsemanage: open lock_file with O_RDWR
      fixfiles: use `grep -F` when search in mounts
      Update VERSIONs to 3.8-rc1 for release.
      Update VERSIONs to 3.8-rc2 for release.
      sepolgen-ifgen: allow M4 escaped filenames
      Update VERSIONs to 3.8-rc3 for release.
      Update VERSIONs to 3.8-rc4 for release.
      Update VERSIONs to 3.8 for release.

Stephen Smalley (1):
      libselinux: formally deprecate security_compute_user()

Steve Langasek (1):
      Always build for LFS mode on 32-bit archs.

Thiébaud Weksteen (5):
      libsepol: Rename ioctl xperms structures and functions
      libsepol: Support nlmsg extended permissions
      libsepol: Add policy capability netlink_xperm
      libselinux: rename hashtab functions
      libsepol: Support nlmsg xperms in assertions

Vit Mojzis (12):
      libselinux/restorecon: Include <selinux/label.h>
      libsemanage: Preserve file context and ownership in policy store
      libsepol/sepol_compute_sid: Do not destroy uninitialized context
      libsepol/cil: Check that sym_index is within bounds
      libsepol/cil: Initialize avtab_datum on declaration
      libsepol/mls: Do not destroy context on memory error
      libsepol/cil/cil_post: Initialize tmp on declaration
      libsepol: Initialize "strs" on declaration
      libselinux/setexecfilecon: Remove useless rc check
      libselinux/matchpathcon: RESOURCE_LEAK: Variable "con"
      libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()
      libsemanage: Mute error messages from selinux_restorecon

