From: Petr Lautrbach <lautrbach@redhat.com>
To: Cathy Hu <cahu@suse.de>, selinux@vger.kernel.org
Subject: Re: ANN: SELinux userspace 3.6
Date: Wed, 20 Dec 2023 13:21:03 +0100	[thread overview]
Message-ID: <87o7elxdxs.fsf@redhat.com> (raw)
In-Reply-To: <bea94ac8b2feca19ef51ad271e56ff88617614e1.camel@suse.de>

Cathy Hu <cahu@suse.de> writes:

> Hi,
>
> thanks for the new userspace release. I was just packaging it for
> openSUSE when I saw that the signing key changed.
>
> Could someone confirm if that is correct? I am just a bit unsure since
> the new key has no signatures from people that I frequently see on this
> mailing list.
>
> New key (almost no signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index
>
> Old key (lots of signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index
>

Thanks for checking signatures!

This is correct.

It's signed by me, Petr Lautrbach <lautrbach@redhat.com>, known as
bachradsusi on GitHub, and the public key can be found at

https://github.com/bachradsusi.gpg

This key is signed by
E853C1848B0185CF42864DF363A8AD4B982C4373 Petr Lautrbach
<plautrba@redhat.com> which is signed by other guys.


The key used for signing release tarballs is the same key as I used for
signing the release commit:

# git show --show-signature -s 3.6
tag 3.6
Tagger: Petr Lautrbach <lautrbach@redhat.com>
Date:   Wed Dec 13 15:47:30 2023 +0100

Release 3.6

commit 97fa708d867ecb26e8d1c766760947f8e3b9e59a (HEAD -> main, tag: semodule-utils-3.6, tag: selinux-sandbox-3.6, tag: selinux-python-3.6, tag: selinux-gui-3.6, tag: selinux-dbus-3.6, tag: secilc-3.6, tag: restorecond-3.6, tag: policycoreutils-3.6, tag: mcstrans-3.6, tag: libsepol-3.6, tag: libsemanage-3.6, tag: libselinux-3.6, tag: checkpolicy-3.6, tag: 3.6, origin/main, origin/HEAD)
gpg: Signature made Wed Dec 13 14:46:22 2023 UTC
gpg:                using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D  992C BC39 05F2 3517 9CF1
     Subkey fingerprint: 1BE2 C0FF 0894 9623 102F  D256 4695 881C 2545 08D1
Author: Petr Lautrbach <lautrbach@redhat.com>
Date:   Wed Dec 13 15:46:22 2023 +0100

    Update VERSIONs to 3.6 for release.
    
    Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>


# gpg2 --fingerprint --verify checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
gpg: Signature made Wed Dec 13 14:47:30 2023 UTC
gpg:                using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D  992C BC39 05F2 3517 9CF1
     Subkey fingerprint: 1BE2 C0FF 0894 9623 102F  D256 4695 881C 2545 08D1



>
>
> On Wed, 2023-12-13 at 17:09 +0100, Petr Lautrbach wrote:
>> Petr Lautrbach <lautrbach@redhat.com> writes:
>> 
>> Oops.
>> 
>> It's the 3.6 release, not 3.6-rc2
>> 
>> 
>> 
>> > Hello!
>> > 
>> > The 3.6 release for the SELinux userspace is now available at:
>> > 
>> > https://github.com/SELinuxProject/selinux/wiki/Releases
>> > 
>> > Thanks to all the contributors, reviewers, testers and reporters!
>> > 
>> > User-visible changes
>> > --------------------
>> > 
>> > * dispol: add option to display users, drop duplicate option to
>> > display booleans,
>> >   show number of entries before listing them
>> > 
>> > * libsepol: struct cond_expr_t `bool` renamed to `boolean`
>> >   The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro
>> > 
>> > * cil: Allow IP address and mask values to be directly written
>> > 
>> > * cil: Allow paths in filecon rules to be passed as arguments
>> > 
>> > * Add not self support for neverallow rules
>> > 
>> > * dispol: Add the ability to show booleans, classes, roles, types
>> > and type attributes of policies
>> > 
>> > * Improve man pages
>> > 
>> > * libselinux: performance optimization for duplicate detection
>> > 
>> > * dismod: add options: --actions ACTIONS, --help
>> > 
>> > * dispol: add options: --actions ACTIONS, --help
>> > 
>> > * checkpolicy: Add the command line argument -N, --disable-neverallow
>> > 
>> > * Introduce getpolicyload - a helper binary to print the number of
>> > policy reloads on the running system
>> > 
>> > * man pages: Remove the Russian translations
>> > 
>> > * Add notself and other support to CIL
>> > 
>> > * Add support for deny rules
>> > 
>> > * Translations updated from
>> >   https://translate.fedoraproject.org/projects/selinux/
>> > 
>> > * Bug fixes
>> > 
>> > Development-relevant changes
>> > ----------------------------
>> > 
>> > * ci: bump Fedora to version 39
>> > 
>> > * Drop LGTM.com and Travis CI configuration
>> > 
>> > Shortlog of the changes since 3.5 release
>> > -----------------------------------------
>> > Bruno Victal (1):
>> >       secilc: Use versioned DocBook public identifier.
>> > 
>> > Cameron Williams (1):
>> >       Add CPPFLAGS to Makefiles
>> > 
>> > Cathy Hu (1):
>> >       sepolicy/manpage.py: make output deterministic
>> > 
>> > Christian Göttsche (115):
>> >       libsepol: Add not self support for neverallow rules
>> >       checkpolicy: add not-self neverallow support
>> >       libsepol/tests: add tests for not self neverallow rules
>> >       libsepol/tests: add tests for minus self neverallow rules
>> >       libsepol: rename struct member
>> >       checkpolicy: update cond_expr_t struct member name
>> >       libsepol/tests: rename bool indentifiers
>> >       checkpolicy: rename bool identifiers
>> >       libsepol: rename bool identifiers
>> >       libsemanage/tests: rename bool identifiers
>> >       libsemanage: fix memory leak in semanage_user_roles
>> >       checkpolicy/dispol: add output functions
>> >       libselinux: set CFLAGS for pip installation
>> >       checkpolicy: drop unused token CLONE
>> >       checkpolicy: reject condition with bool and tunable in
>> > expression
>> >       checkpolicy: only set declared permission bits for wildcards
>> >       libsepol: dump non-mls validatetrans rules as such
>> >       libsepol: validate some object contexts
>> >       libsepol: validate old style range trans classes
>> >       libsepol: validate: check low category is not bigger than
>> > high
>> >       libsepol: validate: reject XEN policy with xperm rules
>> >       libsepol: expand: skip invalid cat
>> >       libsepol: drop message for uncommon error cases
>> >       libsepol: drop duplicate newline in sepol_log_err() calls
>> >       libsepol: replace sepol_log_err() by ERR()
>> >       libsepol: replace log_err() by ERR()
>> >       checkpolicy: add option to skip checking neverallow rules
>> >       checkpolicy/dismod: misc improvements
>> >       libsepol: free initial sid names
>> >       libsepol: check for overflow in put_entry()
>> >       libsepol/fuzz: more strict fuzzing of binary policies
>> >       setsebool: improve bash-completion script
>> >       setsebool: drop unnecessary linking against libsepol
>> >       semodule_expand: update
>> >       semodule_link: update
>> >       semodule_package: update
>> >       semodule_unpackage: update
>> >       libselinux/utils: introduce getpolicyload
>> >       libsepol: validate: use fixed sized integers
>> >       hashtab: update
>> >       libsepol: expand: use identical type to avoid implicit
>> > conversion
>> >       libsepol: expand: check for memory allocation failure
>> >       libsepol: ebitmap: avoid branches for iteration
>> >       libsemanage/tests: use strict prototypes
>> >       libsepol: update CIL generation for trivial not-self rules
>> >       libselinux/utils: update selabel_partial_match
>> >       libselinux: misc label cleanup
>> >       libselinux: drop obsolete optimization flag
>> >       libselinux: drop unnecessary warning overrides
>> >       setfiles: do not issue AUDIT_FS_RELABEL on dry run
>> >       libselinux: constify selabel_cmp(3) parameters
>> >       libselinux: simplify zeroing allocation
>> >       libselinux/utils: use type safe union assignment
>> >       libselinux: avoid regex serialization truncations
>> >       libselinux: parameter simplifications
>> >       libselinux/utils: use correct type for backend argument
>> >       libselinux: update string_to_mode()
>> >       libselinux: fix logic for building android backend
>> >       libselinux: avoid unused function
>> >       libselinux: check for stream rewind failures
>> >       libselinux: simplify internal selabel_validate prototype
>> >       libselinux/utils: drop include of internal header file
>> >       libselinux: free elements on read_spec_entries() failure
>> >       libselinux: set errno on label lookup failure
>> >       libsepol: reject avtab entries with invalid specifier
>> >       libsepol: avtab: check read counts for saturation
>> >       checkpolicy: add round-trip tests
>> >       libselinux/utils: update getdefaultcon
>> >       libselinux: cast to unsigned char for character handling
>> > function
>> >       libselinux: introduce reallocarray(3)
>> >       libsepol: validate default type of transition is not an
>> > attribute
>> >       libsepol: validate constraint depth
>> >       libsepol: more strict validation
>> >       libsepol: reject unsupported policy capabilities
>> >       libsepol: use str_read() where appropriate
>> >       libsepol: adjust type for saturation check
>> >       libsepol: enhance saturation check
>> >       libsepol: validate the identifier for initials SID is valid
>> >       Drop LGTM.com configuration
>> >       Drop Travis CI configuration
>> >       scripts: ignore unavailable interpreters
>> >       ci: bump Fedora to version 39
>> >       libselinux: update Python binding
>> >       Update Python installation on Debian
>> >       scripts: update run-scan-build
>> >       semodule_link: avoid NULL dereference on OOM
>> >       libsepol: set number of target names
>> >       libselinux: fix memory leak in customizable_init()
>> >       libsepol: avoid leak in OOM branch
>> >       libsepol: avoid memory corruption on realloc failure
>> >       libsepol: update policy capabilities array
>> >       github: bump action dependencies
>> >       libsepol: validate common classes have at least one
>> > permissions
>> >       libsepol: include length squared in hashtab_hash_eval()
>> >       libsepol: use DJB2a string hash function
>> >       libsepol/cil: use DJB2a string hash function
>> >       libselinux: use DJB2a string hash function
>> >       newrole: use DJB2a string hash function
>> >       libsepol: avoid fixed sized format buffer for xperms
>> >       libsepol: avoid fixed sized format buffer for xperms
>> >       libsepol: validate conditional type rules have a simple
>> > default type
>> >       libsepol: use correct type to avoid truncations
>> >       checkpolicy/dismod: avoid duplicate initialization and fix
>> > module linking
>> >       libsepol: reject invalid class datums
>> >       libsepol/fuzz: handle empty and non kernel policies
>> >       libsepol: reject linking modules with no avrules
>> >       libsepol: simplify string formatting
>> >       checkpolicy/dispol: misc updates
>> >       libsepol: constify tokenized input
>> >       libsepol: avoid integer overflow in add_i_to_a()
>> >       libsepol: extended permission formatting cleanup
>> >       libsepol: validate empty common classes in scope indices
>> >       libselinux: update const qualifier of parameters in man pages
>> >       libselinux: always set errno on context translation failure
>> >       libselinux: state setexecfilecon(3) sets errno on failure
>> > 
>> > Dominick Grift (1):
>> >       secilc/docs: fixes filecon example
>> > 
>> > Huaxin Lu (4):
>> >       libselinux: add check for calloc in check_booleans
>> >       restorecond: add check for strdup in strings_list_add
>> >       secilc: add check for malloc in secilc
>> >       libsepol: add check for category value before printing
>> > 
>> > Huizhao Wang (1):
>> >       restorecond: compatible with the use of EUID
>> > 
>> > James Carter (53):
>> >       Revert "libsepol/cil: add support for prefix/suffix filename
>> > transtions to CIL"
>> >       Revert "checkpolicy,libsepol: add prefix/suffix support to
>> > module policy"
>> >       Revert "checkpolicy,libsepol: add prefix/suffix support to
>> > kernel policy"
>> >       Revert "libsepol: implement new module binary format of
>> > avrule"
>> >       Revert "libsepol: implement new kernel binary format for
>> > avtab"
>> >       Revert "checkpolicy,libsepol: move filename transition rules
>> > to avrule"
>> >       Revert "checkpolicy,libsepol: move filename transitions to
>> > avtab"
>> >       Revert "checkpolicy,libsepol: move transition to separate
>> > structure in avtab"
>> >       libsepol/cil: Fix class permission verification in CIL
>> >       python: Use isinstance() instead of type()
>> >       checkpolicy: Remove the Russian translations
>> >       gui: Remove the Russian translations
>> >       libselinux: Remove the Russian translations
>> >       libselinux: Remove the Russian translations
>> >       libsemanage: Remove the Russian translations
>> >       libsepol: Remove the Russian translations
>> >       mcstrans: Remove the Russian translations
>> >       policycoreutils: Remove the Russian translations
>> >       python: Remove the Russian translations
>> >       python: Remove the Russian translations
>> >       restorecond: Remove the Russian translations
>> >       sandbox: Remove the Russian translations
>> >       semodule-utils: Remove the Russian translations
>> >       Do not automatically install Russian translations
>> >       libsepol: Changes to ebitmap.h to fix compiler warnings
>> >       libsepol/cil: Do not call ebitmap_init twice for an ebitmap
>> >       libsepol/cil: Add notself and other support to CIL
>> >       libsepol: Use ERR() instead of log_err()
>> >       secilc/docs: Add notself and other keywords to CIL
>> > documentation
>> >       secilc/test: Add notself and other tests
>> >       libsepol/cil: Parse and add deny rule to AST, but do not
>> > process
>> >       libsepol/cil: Add cil_list_is_empty macro
>> >       libsepol/cil: Add cil_tree_node_remove function
>> >       libsepol/cil: Process deny rules
>> >       libsepol/cil: Add cil_write_post_ast function
>> >       libsepol: Export the cil_write_post_ast function
>> >       secilc/secil2tree: Add option to write CIL AST after post
>> > processing
>> >       secilc/test: Add deny rule tests
>> >       secilc/docs: Add deny rule to CIL documentation
>> >       checkpolicy: Remove support for role dominance rules
>> >       libsepol: Fix the version number for the latest exported
>> > function
>> >       libsepol/tests: Update the order of neverallow test results
>> >       libsepol/cil: Use struct cil_db * instead of void *
>> >       libsepol/cil: Refactor and improve handling of order rules
>> >       libsepol/cil: Allow IP address and mask values to be directly
>> > written
>> >       secilc/docs: Update syntax for IP addresses and nodecon
>> >       libsepol/cil: Refactor Named Type Transition Filename
>> > Creation
>> >       libsepol/cil: Allow paths in filecon rules to be passed as
>> > arguments
>> >       secilc/docs: Fix and update the documentation for macro
>> > parameters
>> >       libsepol/cil: Add pointers to datums to improve writing out
>> > AST
>> >       libsepol/cil: Give warning for name that has different flavor
>> >       libsepol/cil: Do not allow classpermissionset to use
>> > anonymous classpermission
>> >       libsepol/cil: Clear AST node after destroying bad filecon
>> > rule
>> > 
>> > Jeffery To (1):
>> >       python/sepolicy: Fix get_os_version except clause
>> > 
>> > Juraj Marcin (8):
>> >       checkpolicy,libsepol: move transition to separate structure
>> > in avtab
>> >       checkpolicy,libsepol: move filename transitions to avtab
>> >       checkpolicy,libsepol: move filename transition rules to
>> > avrule
>> >       libsepol: implement new kernel binary format for avtab
>> >       libsepol: implement new module binary format of avrule
>> >       checkpolicy,libsepol: add prefix/suffix support to kernel
>> > policy
>> >       checkpolicy,libsepol: add prefix/suffix support to module
>> > policy
>> >       libsepol/cil: add support for prefix/suffix filename
>> > transtions to CIL
>> > 
>> > Masatake YAMATO (10):
>> >       dismod: add --help option
>> >       dismod: delete an unnecessary empty line
>> >       dismod: handle EOF in user interaction
>> >       dismod: add --actions option for non-interactive use
>> >       dispol: add --help option
>> >       dispol: delete an unnecessary empty line
>> >       dispol: handle EOF in user interaction
>> >       dispol: add --actions option for non-interactive use
>> >       dismod: print the policy version only in interactive mode
>> >       dismod, dispol: reduce the messages in batch mode
>> > 
>> > Ondrej Mosnacek (4):
>> >       libsemanage: include more parameters in the module checksum
>> >       scripts/ci: install rdma-core-devel for selinux-testsuite
>> >       libsepol: stop translating deprecated intial SIDs to strings
>> >       libsepol: add support for the new "init" initial SID
>> > 
>> > Petr Lautrbach (9):
>> >       python: improve format strings for proper localization
>> >       python: Drop hard formating from localized strings
>> >       semanage: Drop unnecessary import from seobject
>> >       python: update python.pot
>> >       Update translations
>> >       Update VERSIONs to 3.6-rc1 for release.
>> >       Update VERSIONs to 3.6-rc2 for release.
>> >       sepolicy: port to dnf4 python API
>> >       Update VERSIONs to 3.6 for release.
>> > 
>> > Sergei Trofimovich (1):
>> >       libsemanage: fix src/genhomedircon.c build on `gcc-14` (`-Werror=alloc-size`)
>> > 
>> > Stephen Smalley (2):
>> >       libselinux,policycoreutils,python,semodule-utils: de-brand
>> > SELinux
>> >       checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email
>> > 
>> > Topi Miettinen (1):
>> >       sepolicy: clarify manual page of sepolicy interface
>> > 
>> > Vit Mojzis (12):
>> >       python/chcat: Improve man pages
>> >       python/audit2allow: Add missing options to man page
>> >       python/semanage: Improve man pages
>> >       python/audit2allow: Remove unused "debug" option
>> >       policycoreutils: Add examples to man pages
>> >       python/sepolicy: Improve man pages
>> >       sandbox: Add examples to man pages
>> >       checkpolicy: Add examples to man pages
>> >       libselinux: Add examples to man pages
>> >       python/sepolicy: Fix template for confined user policy
>> > modules
>> >       python/sepolicy: Add/remove user even when SELinux is
>> > disabled
>> >       python: Harden more tools against "rogue" modules
>> > 
>> > wanghuizhao (3):
>> >       libselinux: migrating hashtab from policycoreutils
>> >       libselinux: adapting hashtab to libselinux
>> >       libselinux: performance optimization for duplicate detection
>> 
>> 
>
> -- 
> Cathy Hu <cahu@suse.de>
> SELinux Security Engineer
> GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
>
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146
> 90461 Nürnberg
>
> Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
> (HRB 36809, AG Nürnberg)
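
Added example, not code from the thread or from the SELinux project: a small Python checker for the tarball verification shown above that reads gpg's machine-readable `--status-fd 1` lines instead of the human-readable text, and pins the primary key fingerprint (B868 ... 9CF1) rather than the subkey that actually signs (1BE2 ... 08D1), so the "[unknown]" web-of-trust warning is no longer the basis of the decision. The status lines below are constructed to mirror the run in the thread; `--status-fd` and the VALIDSIG field layout are existing gpg behaviour.

```python
"""Pin a release signature to an expected primary key fingerprint.

Consumes the machine-readable lines gpg emits for
    gpg --status-fd 1 --verify checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
and accepts the file only if gpg reports a cryptographically valid signature
(VALIDSIG) *and* the primary key behind the signing subkey is on our allowlist.
Web-of-trust state ("[unknown]", TRUST_UNDEFINED) is deliberately ignored:
the pinned fingerprint is the trust decision.
"""
import re

# Fingerprints as quoted in the thread: the RSA subkey that made the signature
# and the primary key it belongs to.
SUBKEY_FPR = "1BE2C0FF08949623102FD2564695881C254508D1"
PRIMARY_FPR = "B8682847764DF60DF52D992CBC3905F235179CF1"

# Constructed sample of gpg --status-fd output for the 3.6 tarball signature
# (values modelled on the run in the thread, not captured from gpg).
STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4695881C254508D1 Petr Lautrbach <lautrbach@redhat.com>
[GNUPG:] VALIDSIG 1BE2C0FF08949623102FD2564695881C254508D1 2023-12-13 1702478850 0 4 0 1 10 01 B8682847764DF60DF52D992CBC3905F235179CF1
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: valid signature, but from a primary key nobody pinned.
STATUS_WRONG_KEY = STATUS_OK.replace(PRIMARY_FPR, "0" * 40)
# Constructed: signature does not match the data.
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 4695881C254508D1 Petr Lautrbach <lautrbach@redhat.com>\n"

FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Accept the spaced 'B868 2847 ...' form gpg prints as well as bare hex."""
    return re.sub(r"\s+", "", fpr).upper()


def check_status(status_output: str, allowed_primary_fprs):
    """Return (ok, reason, primary_fpr) for one gpg --status-fd transcript."""
    allowed = {normalize_fpr(f) for f in allowed_primary_fprs}
    valid = []  # (signing key fpr, primary key fpr) from each VALIDSIG line
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text, if mixed in, is not authoritative
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, f"gpg reported {keyword}", ""
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
            if len(fields) < 12:
                return False, "VALIDSIG lacks primary key fingerprint", ""
            valid.append((normalize_fpr(fields[2]), normalize_fpr(fields[11])))
    if not valid:
        return False, "no valid signature reported", ""
    for signing, primary in valid:
        if primary in allowed:
            return True, f"valid signature by {signing} under pinned key", primary
    return False, "valid signature, but primary key is not pinned", valid[0][1]


if __name__ == "__main__":
    for name, status in (("ok", STATUS_OK), ("wrong-key", STATUS_WRONG_KEY), ("bad", STATUS_BAD)):
        ok, reason, _ = check_status(status, [PRIMARY_FPR])
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In a packaging pipeline the transcript would come from running gpg with `--status-fd 1` and feeding its stdout to `check_status`, with the allowlist kept alongside the package sources so a key change like the one in this thread fails loudly until someone reviews it.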


Thread overview: 5+ messages
2023-12-13 15:45 ANN: SELinux userspace 3.6-rc2 release Petr Lautrbach
2023-12-13 16:09 ` ANN: SELinux userspace 3.6 Petr Lautrbach
2023-12-20  9:55   ` Cathy Hu
2023-12-20 12:21     ` Petr Lautrbach [this message]
2023-12-20 21:35       ` Paul Moore
