* ANN: SELinux userspace 3.6-rc2 release
@ 2023-12-13 15:45 Petr Lautrbach
2023-12-13 16:09 ` ANN: SELinux userspace 3.6 Petr Lautrbach
0 siblings, 1 reply; 5+ messages in thread
From: Petr Lautrbach @ 2023-12-13 15:45 UTC (permalink / raw)
To: selinux
Hello!

The 3.6 release for the SELinux userspace is now available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

Thanks to all the contributors, reviewers, testers and reporters!

User-visible changes
--------------------

* dispol: add option to display users, drop duplicate option to display booleans,
  show number of entries before listing them

* libsepol: struct cond_expr_t `bool` renamed to `boolean`
  The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro

* cil: Allow IP address and mask values to be directly written

* cil: Allow paths in filecon rules to be passed as arguments

* Add not self support for neverallow rules

* dispol: Add the ability to show booleans, classes, roles, types and type attributes of policies

* Improve man pages

* libselinux: performance optimization for duplicate detection

* dismod: add options: --actions ACTIONS, --help

* dispol: add options: --actions ACTIONS, --help

* checkpolicy: Add the command line argument -N, --disable-neverallow

* Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system

* man pages: Remove the Russian translations

* Add notself and other support to CIL

* Add support for deny rules

* Translations updated from
  https://translate.fedoraproject.org/projects/selinux/

* Bug fixes

Development-relevant changes
----------------------------

* ci: bump Fedora to version 39

* Drop LGTM.com and Travis CI configuration

Shortlog of the changes since 3.5 release
-----------------------------------------
Bruno Victal (1):
secilc: Use versioned DocBook public identifier.
Cameron Williams (1):
Add CPPFLAGS to Makefiles
Cathy Hu (1):
sepolicy/manpage.py: make output deterministic
Christian Göttsche (115):
libsepol: Add not self support for neverallow rules
checkpolicy: add not-self neverallow support
libsepol/tests: add tests for not self neverallow rules
libsepol/tests: add tests for minus self neverallow rules
libsepol: rename struct member
checkpolicy: update cond_expr_t struct member name
libsepol/tests: rename bool indentifiers
checkpolicy: rename bool identifiers
libsepol: rename bool identifiers
libsemanage/tests: rename bool identifiers
libsemanage: fix memory leak in semanage_user_roles
checkpolicy/dispol: add output functions
libselinux: set CFLAGS for pip installation
checkpolicy: drop unused token CLONE
checkpolicy: reject condition with bool and tunable in expression
checkpolicy: only set declared permission bits for wildcards
libsepol: dump non-mls validatetrans rules as such
libsepol: validate some object contexts
libsepol: validate old style range trans classes
libsepol: validate: check low category is not bigger than high
libsepol: validate: reject XEN policy with xperm rules
libsepol: expand: skip invalid cat
libsepol: drop message for uncommon error cases
libsepol: drop duplicate newline in sepol_log_err() calls
libsepol: replace sepol_log_err() by ERR()
libsepol: replace log_err() by ERR()
checkpolicy: add option to skip checking neverallow rules
checkpolicy/dismod: misc improvements
libsepol: free initial sid names
libsepol: check for overflow in put_entry()
libsepol/fuzz: more strict fuzzing of binary policies
setsebool: improve bash-completion script
setsebool: drop unnecessary linking against libsepol
semodule_expand: update
semodule_link: update
semodule_package: update
semodule_unpackage: update
libselinux/utils: introduce getpolicyload
libsepol: validate: use fixed sized integers
hashtab: update
libsepol: expand: use identical type to avoid implicit conversion
libsepol: expand: check for memory allocation failure
libsepol: ebitmap: avoid branches for iteration
libsemanage/tests: use strict prototypes
libsepol: update CIL generation for trivial not-self rules
libselinux/utils: update selabel_partial_match
libselinux: misc label cleanup
libselinux: drop obsolete optimization flag
libselinux: drop unnecessary warning overrides
setfiles: do not issue AUDIT_FS_RELABEL on dry run
libselinux: constify selabel_cmp(3) parameters
libselinux: simplify zeroing allocation
libselinux/utils: use type safe union assignment
libselinux: avoid regex serialization truncations
libselinux: parameter simplifications
libselinux/utils: use correct type for backend argument
libselinux: update string_to_mode()
libselinux: fix logic for building android backend
libselinux: avoid unused function
libselinux: check for stream rewind failures
libselinux: simplify internal selabel_validate prototype
libselinux/utils: drop include of internal header file
libselinux: free elements on read_spec_entries() failure
libselinux: set errno on label lookup failure
libsepol: reject avtab entries with invalid specifier
libsepol: avtab: check read counts for saturation
checkpolicy: add round-trip tests
libselinux/utils: update getdefaultcon
libselinux: cast to unsigned char for character handling function
libselinux: introduce reallocarray(3)
libsepol: validate default type of transition is not an attribute
libsepol: validate constraint depth
libsepol: more strict validation
libsepol: reject unsupported policy capabilities
libsepol: use str_read() where appropriate
libsepol: adjust type for saturation check
libsepol: enhance saturation check
libsepol: validate the identifier for initials SID is valid
Drop LGTM.com configuration
Drop Travis CI configuration
scripts: ignore unavailable interpreters
ci: bump Fedora to version 39
libselinux: update Python binding
Update Python installation on Debian
scripts: update run-scan-build
semodule_link: avoid NULL dereference on OOM
libsepol: set number of target names
libselinux: fix memory leak in customizable_init()
libsepol: avoid leak in OOM branch
libsepol: avoid memory corruption on realloc failure
libsepol: update policy capabilities array
github: bump action dependencies
libsepol: validate common classes have at least one permissions
libsepol: include length squared in hashtab_hash_eval()
libsepol: use DJB2a string hash function
libsepol/cil: use DJB2a string hash function
libselinux: use DJB2a string hash function
newrole: use DJB2a string hash function
libsepol: avoid fixed sized format buffer for xperms
libsepol: avoid fixed sized format buffer for xperms
libsepol: validate conditional type rules have a simple default type
libsepol: use correct type to avoid truncations
checkpolicy/dismod: avoid duplicate initialization and fix module linking
libsepol: reject invalid class datums
libsepol/fuzz: handle empty and non kernel policies
libsepol: reject linking modules with no avrules
libsepol: simplify string formatting
checkpolicy/dispol: misc updates
libsepol: constify tokenized input
libsepol: avoid integer overflow in add_i_to_a()
libsepol: extended permission formatting cleanup
libsepol: validate empty common classes in scope indices
libselinux: update const qualifier of parameters in man pages
libselinux: always set errno on context translation failure
libselinux: state setexecfilecon(3) sets errno on failure
Dominick Grift (1):
secilc/docs: fixes filecon example
Huaxin Lu (4):
libselinux: add check for calloc in check_booleans
restorecond: add check for strdup in strings_list_add
secilc: add check for malloc in secilc
libsepol: add check for category value before printing
Huizhao Wang (1):
restorecond: compatible with the use of EUID
James Carter (53):
Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
Revert "libsepol: implement new module binary format of avrule"
Revert "libsepol: implement new kernel binary format for avtab"
Revert "checkpolicy,libsepol: move filename transition rules to avrule"
Revert "checkpolicy,libsepol: move filename transitions to avtab"
Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
libsepol/cil: Fix class permission verification in CIL
python: Use isinstance() instead of type()
checkpolicy: Remove the Russian translations
gui: Remove the Russian translations
libselinux: Remove the Russian translations
libselinux: Remove the Russian translations
libsemanage: Remove the Russian translations
libsepol: Remove the Russian translations
mcstrans: Remove the Russian translations
policycoreutils: Remove the Russian translations
python: Remove the Russian translations
python: Remove the Russian translations
restorecond: Remove the Russian translations
sandbox: Remove the Russian translations
semodule-utils: Remove the Russian translations
Do not automatically install Russian translations
libsepol: Changes to ebitmap.h to fix compiler warnings
libsepol/cil: Do not call ebitmap_init twice for an ebitmap
libsepol/cil: Add notself and other support to CIL
libsepol: Use ERR() instead of log_err()
secilc/docs: Add notself and other keywords to CIL documentation
secilc/test: Add notself and other tests
libsepol/cil: Parse and add deny rule to AST, but do not process
libsepol/cil: Add cil_list_is_empty macro
libsepol/cil: Add cil_tree_node_remove function
libsepol/cil: Process deny rules
libsepol/cil: Add cil_write_post_ast function
libsepol: Export the cil_write_post_ast function
secilc/secil2tree: Add option to write CIL AST after post processing
secilc/test: Add deny rule tests
secilc/docs: Add deny rule to CIL documentation
checkpolicy: Remove support for role dominance rules
libsepol: Fix the version number for the latest exported function
libsepol/tests: Update the order of neverallow test results
libsepol/cil: Use struct cil_db * instead of void *
libsepol/cil: Refactor and improve handling of order rules
libsepol/cil: Allow IP address and mask values to be directly written
secilc/docs: Update syntax for IP addresses and nodecon
libsepol/cil: Refactor Named Type Transition Filename Creation
libsepol/cil: Allow paths in filecon rules to be passed as arguments
secilc/docs: Fix and update the documentation for macro parameters
libsepol/cil: Add pointers to datums to improve writing out AST
libsepol/cil: Give warning for name that has different flavor
libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
libsepol/cil: Clear AST node after destroying bad filecon rule
Jeffery To (1):
python/sepolicy: Fix get_os_version except clause
Juraj Marcin (8):
checkpolicy,libsepol: move transition to separate structure in avtab
checkpolicy,libsepol: move filename transitions to avtab
checkpolicy,libsepol: move filename transition rules to avrule
libsepol: implement new kernel binary format for avtab
libsepol: implement new module binary format of avrule
checkpolicy,libsepol: add prefix/suffix support to kernel policy
checkpolicy,libsepol: add prefix/suffix support to module policy
libsepol/cil: add support for prefix/suffix filename transtions to CIL
Masatake YAMATO (10):
dismod: add --help option
dismod: delete an unnecessary empty line
dismod: handle EOF in user interaction
dismod: add --actions option for non-interactive use
dispol: add --help option
dispol: delete an unnecessary empty line
dispol: handle EOF in user interaction
dispol: add --actions option for non-interactive use
dismod: print the policy version only in interactive mode
dismod, dispol: reduce the messages in batch mode
Ondrej Mosnacek (4):
libsemanage: include more parameters in the module checksum
scripts/ci: install rdma-core-devel for selinux-testsuite
libsepol: stop translating deprecated intial SIDs to strings
libsepol: add support for the new "init" initial SID
Petr Lautrbach (9):
python: improve format strings for proper localization
python: Drop hard formating from localized strings
semanage: Drop unnecessary import from seobject
python: update python.pot
Update translations
Update VERSIONs to 3.6-rc1 for release.
Update VERSIONs to 3.6-rc2 for release.
sepolicy: port to dnf4 python API
Update VERSIONs to 3.6 for release.
Sergei Trofimovich (1):
libsemanage: fix src/genhomedircon.c build on `gcc-14` (`-Werror=alloc-size`)
Stephen Smalley (2):
libselinux,policycoreutils,python,semodule-utils: de-brand SELinux
checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email
Topi Miettinen (1):
sepolicy: clarify manual page of sepolicy interface
Vit Mojzis (12):
python/chcat: Improve man pages
python/audit2allow: Add missing options to man page
python/semanage: Improve man pages
python/audit2allow: Remove unused "debug" option
policycoreutils: Add examples to man pages
python/sepolicy: Improve man pages
sandbox: Add examples to man pages
checkpolicy: Add examples to man pages
libselinux: Add examples to man pages
python/sepolicy: Fix template for confined user policy modules
python/sepolicy: Add/remove user even when SELinux is disabled
python: Harden more tools against "rogue" modules
wanghuizhao (3):
libselinux: migrating hashtab from policycoreutils
libselinux: adapting hashtab to libselinux
libselinux: performance optimization for duplicate detection

* Re: ANN: SELinux userspace 3.6
2023-12-13 15:45 ANN: SELinux userspace 3.6-rc2 release Petr Lautrbach
@ 2023-12-13 16:09 ` Petr Lautrbach
2023-12-20 9:55 ` Cathy Hu
0 siblings, 1 reply; 5+ messages in thread
From: Petr Lautrbach @ 2023-12-13 16:09 UTC (permalink / raw)
To: selinux

Oops.

It's the 3.6 release, not 3.6-rc2.

* Re: ANN: SELinux userspace 3.6
2023-12-13 16:09 ` ANN: SELinux userspace 3.6 Petr Lautrbach
@ 2023-12-20 9:55 ` Cathy Hu
2023-12-20 12:21 ` Petr Lautrbach
0 siblings, 1 reply; 5+ messages in thread
From: Cathy Hu @ 2023-12-20 9:55 UTC (permalink / raw)
To: Petr Lautrbach, selinux

Hi,

thanks for the new userspace release.
I was just packaging it for openSUSE when I saw that the signing key
changed. Could someone confirm if that is correct?
I am just a bit unsure since the new key has no signatures from people
that I frequently see on this mailing list.

New key (almost no signatures):
https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index

Old key (lots of signatures):
https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index

Thanks!

Kind regards,
Cathy

On Wed, 2023-12-13 at 17:09 +0100, Petr Lautrbach wrote:
> Petr Lautrbach <lautrbach@redhat.com> writes:
>
> Oops.
>
> It's the 3.6 release, not 3.6-rc2.
(4): > > libselinux: add check for calloc in check_booleans > > restorecond: add check for strdup in strings_list_add > > secilc: add check for malloc in secilc > > libsepol: add check for category value before printing > > > > Huizhao Wang (1): > > restorecond: compatible with the use of EUID > > > > James Carter (53): > > Revert "libsepol/cil: add support for prefix/suffix filename > > transtions to CIL" > > Revert "checkpolicy,libsepol: add prefix/suffix support to > > module policy" > > Revert "checkpolicy,libsepol: add prefix/suffix support to > > kernel policy" > > Revert "libsepol: implement new module binary format of > > avrule" > > Revert "libsepol: implement new kernel binary format for > > avtab" > > Revert "checkpolicy,libsepol: move filename transition rules > > to avrule" > > Revert "checkpolicy,libsepol: move filename transitions to > > avtab" > > Revert "checkpolicy,libsepol: move transition to separate > > structure in avtab" > > libsepol/cil: Fix class permission verification in CIL > > python: Use isinstance() instead of type() > > checkpolicy: Remove the Russian translations > > gui: Remove the Russian translations > > libselinux: Remove the Russian translations > > libselinux: Remove the Russian translations > > libsemanage: Remove the Russian translations > > libsepol: Remove the Russian translations > > mcstrans: Remove the Russian translations > > policycoreutils: Remove the Russian translations > > python: Remove the Russian translations > > python: Remove the Russian translations > > restorecond: Remove the Russian translations > > sandbox: Remove the Russian translations > > semodule-utils: Remove the Russian translations > > Do not automatically install Russian translations > > libsepol: Changes to ebitmap.h to fix compiler warnings > > libsepol/cil: Do not call ebitmap_init twice for an ebitmap > > libsepol/cil: Add notself and other support to CIL > > libsepol: Use ERR() instead of log_err() > > secilc/docs: Add notself and other 
keywords to CIL > > documentation > > secilc/test: Add notself and other tests > > libsepol/cil: Parse and add deny rule to AST, but do not > > process > > libsepol/cil: Add cil_list_is_empty macro > > libsepol/cil: Add cil_tree_node_remove function > > libsepol/cil: Process deny rules > > libsepol/cil: Add cil_write_post_ast function > > libsepol: Export the cil_write_post_ast function > > secilc/secil2tree: Add option to write CIL AST after post > > processing > > secilc/test: Add deny rule tests > > secilc/docs: Add deny rule to CIL documentation > > checkpolicy: Remove support for role dominance rules > > libsepol: Fix the version number for the latest exported > > function > > libsepol/tests: Update the order of neverallow test results > > libsepol/cil: Use struct cil_db * instead of void * > > libsepol/cil: Refactor and improve handling of order rules > > libsepol/cil: Allow IP address and mask values to be directly > > written > > secilc/docs: Update syntax for IP addresses and nodecon > > libsepol/cil: Refactor Named Type Transition Filename > > Creation > > libsepol/cil: Allow paths in filecon rules to be passed as > > arguments > > secilc/docs: Fix and update the documentation for macro > > parameters > > libsepol/cil: Add pointers to datums to improve writing out > > AST > > libsepol/cil: Give warning for name that has different flavor > > libsepol/cil: Do not allow classpermissionset to use > > anonymous classpermission > > libsepol/cil: Clear AST node after destroying bad filecon > > rule > > > > Jeffery To (1): > > python/sepolicy: Fix get_os_version except clause > > > > Juraj Marcin (8): > > checkpolicy,libsepol: move transition to separate structure > > in avtab > > checkpolicy,libsepol: move filename transitions to avtab > > checkpolicy,libsepol: move filename transition rules to > > avrule > > libsepol: implement new kernel binary format for avtab > > libsepol: implement new module binary format of avrule > > checkpolicy,libsepol: add 
prefix/suffix support to kernel > > policy > > checkpolicy,libsepol: add prefix/suffix support to module > > policy > > libsepol/cil: add support for prefix/suffix filename > > transtions to CIL > > > > Masatake YAMATO (10): > > dismod: add --help option > > dismod: delete an unnecessary empty line > > dismod: handle EOF in user interaction > > dismod: add --actions option for non-interactive use > > dispol: add --help option > > dispol: delete an unnecessary empty line > > dispol: handle EOF in user interaction > > dispol: add --actions option for non-interactive use > > dismod: print the policy version only in interactive mode > > dismod, dispol: reduce the messages in batch mode > > > > Ondrej Mosnacek (4): > > libsemanage: include more parameters in the module checksum > > scripts/ci: install rdma-core-devel for selinux-testsuite > > libsepol: stop translating deprecated intial SIDs to strings > > libsepol: add support for the new "init" initial SID > > > > Petr Lautrbach (9): > > python: improve format strings for proper localization > > python: Drop hard formating from localized strings > > semanage: Drop unnecessary import from seobject > > python: update python.pot > > Update translations > > Update VERSIONs to 3.6-rc1 for release. > > Update VERSIONs to 3.6-rc2 for release. > > sepolicy: port to dnf4 python API > > Update VERSIONs to 3.6 for release. 
> > > > Sergei Trofimovich (1): > > libsemanage: fix src/genhomedircon.c build on `gcc-14` (`- > > Werror=alloc-size`) > > > > Stephen Smalley (2): > > libselinux,policycoreutils,python,semodule-utils: de-brand > > SELinux > > checkpolicy,libselinux,libsepol,policycoreutils,semodule- > > utils: update my email > > > > Topi Miettinen (1): > > sepolicy: clarify manual page of sepolicy interface > > > > Vit Mojzis (12): > > python/chcat: Improve man pages > > python/audit2allow: Add missing options to man page > > python/semanage: Improve man pages > > python/audit2allow: Remove unused "debug" option > > policycoreutils: Add examples to man pages > > python/sepolicy: Improve man pages > > sandbox: Add examples to man pages > > checkpolicy: Add examples to man pages > > libselinux: Add examples to man pages > > python/sepolicy: Fix template for confined user policy > > modules > > python/sepolicy: Add/remove user even when SELinux is > > disabled > > python: Harden more tools against "rogue" modules > > > > wanghuizhao (3): > > libselinux: migrating hashtab from policycoreutils > > libselinux: adapting hashtab to libselinux > > libselinux: performance optimization for duplicate detection > > -- Cathy Hu <cahu@suse.de> SELinux Security Engineer GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg) [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ANN: SELinux userspace 3.6
2023-12-20 9:55 ` Cathy Hu
@ 2023-12-20 12:21 ` Petr Lautrbach
2023-12-20 21:35 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Petr Lautrbach @ 2023-12-20 12:21 UTC (permalink / raw)
To: Cathy Hu, selinux

Cathy Hu <cahu@suse.de> writes:

> Hi,
>
> thanks for the new userspace release. I was just packaging it for
> opensuse when I saw that the signing key changed.
>
> Could someone confirm if that is correct? I am just a bit unsure since
> the new key has no signatures from people that I frequently see on this
> mailinglist.
>
> New key (almost no signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index
>
> Old key (lots of signatures):
> https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index
>

Thanks for checking signatures!

This is correct.

It's signed by me - Petr Lautrbach <lautrbach@redhat.com> known as
bachradsusi on github and the public key could be found at

https://github.com/bachradsusi.gpg

This key is signed by
E853C1848B0185CF42864DF363A8AD4B982C4373 Petr Lautrbach
<plautrba@redhat.com> which is signed by other guys.

The key used for signing release tar balls is the same key as I used for
signing the release commit:

# git show --show-signature -s 3.6
tag 3.6
Tagger: Petr Lautrbach <lautrbach@redhat.com>
Date:   Wed Dec 13 15:47:30 2023 +0100

Release 3.6
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmV5xAIACgkQRpWIHCVF
CNG+Cw/+Ie5771Z4TzUYNHrjz7cKHI3PMzD4QmfyXNfFAvRK8u4QeGDwiPA/7pQe
FS9RMMgbm7AQUndg6v4wTF3qgoAFnBXX3cwiYZLVESQ08sLGwFDILei+P9r+9rmQ
d7H3sHodZ+M5883qb1NASe9S5uMCq07eeMkgZJ/m6qnyhK5hYvXLRejgXppn+6Sv
mP6B1Weqh7WyHHOA6stFr2TvH1Nc5/2hwe9hbzxk/m0C6wf9JMk40tdN/AqLKg/9
RA5IDFt2AHGHciAlXWJaIkc6jKKGgDjOd2Cb3MyIHDQ8LDyhSENRYfKp5n2N6v3Z
i5lZSqF9Mgvj6lOVlxK5p+hxSG6OheqRLB5852peAUtZH1oyF9zaMcAOfXaIR/1i
3bKO9RDn+dlrXA//xRGMIcgxBk7h/AjFVEUJPW52z83lMUqM+kDVj6WbwnLZswTy
3WCy26KKDIl2HbhyCzjtmuVMUF/kVn32WR/zzP2UzD4wj0bCRpF02YbHdX5e9SMi
8n0VDR3RM82KrTZkNWZKwkEKXNETSfCX5g/L6BZl21jREKF2GKc9T2zwjXwwGaHr
VarC0FHwW/ZXH/7pCTDbDc30BK6HsPKtoqmpUQWskWfG2hq97P8RcM/i6t0vyYX6
KdD2Xk4iNXLXQNmU6EGKvEev8FOrvdu58hsBnm9ePTyckfoiNTE=
=H3ax
-----END PGP SIGNATURE-----

commit 97fa708d867ecb26e8d1c766760947f8e3b9e59a (HEAD -> main, tag: semodule-utils-3.6, tag: selinux-sandbox-3.6, tag: selinux-python-3.6, tag: selinux-gui-3.6, tag: selinux-dbus-3.6, tag: secilc-3.6, tag: restorecond-3.6, tag: policycoreutils-3.6, tag: mcstrans-3.6, tag: libsepol-3.6, tag: libsemanage-3.6, tag: libselinux-3.6, tag: checkpolicy-3.6, tag: 3.6, origin/main, origin/HEAD)
gpg: Signature made Wed Dec 13 14:46:22 2023 UTC
gpg: using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
Subkey fingerprint: 1BE2 C0FF 0894 9623 102F D256 4695 881C 2545 08D1
Author: Petr Lautrbach <lautrbach@redhat.com>
Date:   Wed Dec 13 15:46:22 2023 +0100

    Update VERSIONs to 3.6 for release.

    Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>

# gpg2 --fingerprint --verify checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
gpg: Signature made Wed Dec 13 14:47:30 2023 UTC
gpg: using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
Subkey fingerprint: 1BE2 C0FF 0894 9623 102F D256 4695 881C 2545 08D1

>
>
> On Wed, 2023-12-13 at 17:09 +0100, Petr Lautrbach wrote:
>> Petr Lautrbach <lautrbach@redhat.com> writes:
>>
>> Ups.
>>
>> It 3.6 release, not 3.6-rc2
>>
>>
>>
>> > Hello!
>> >
>> > The 3.6 release for the SELinux userspace is now available at:
>> >
>> > https://github.com/SELinuxProject/selinux/wiki/Releases
>> >
>> > Thanks to all the contributors, reviewers, testers and reporters!
>
> -- 
> Cathy Hu <cahu@suse.de>
> SELinux Security Engineer
> GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
>
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146
> 90461 Nürnberg
>
> Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
> (HRB 36809, AG Nürnberg)

^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ANN: SELinux userspace 3.6
2023-12-20 12:21 ` Petr Lautrbach
@ 2023-12-20 21:35 ` Paul Moore
0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2023-12-20 21:35 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: Cathy Hu, selinux

On Wed, Dec 20, 2023 at 7:21 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Cathy Hu <cahu@suse.de> writes:
>
> > Hi,
> >
> > thanks for the new userspace release. I was just packaging it for
> > opensuse when I saw that the signing key changed.
> >
> > Could someone confirm if that is correct? I am just a bit unsure since
> > the new key has no signatures from people that I frequently see on this
> > mailinglist.
> >
> > New key (almost no signatures):
> > https://keyserver.ubuntu.com/pks/lookup?search=1BE2C0FF08949623102FD2564695881C254508D1&fingerprint=on&op=index
> >
> > Old key (lots of signatures):
> > https://keyserver.ubuntu.com/pks/lookup?search=E853C1848B0185CF42864DF363A8AD4B982C4373&fingerprint=on&op=index
> >
>
> Thanks for checking signatures!
>
> This is correct.
>
> It's signed by me - Petr Lautrbach <lautrbach@redhat.com> known as
> bachradsusi on github and the public key could be found at
>
> https://github.com/bachradsusi.gpg
>
> This key is signed by
> E853C1848B0185CF42864DF363A8AD4B982C4373 Petr Lautrbach
> <plautrba@redhat.com> which is signed by other guys

...

Perhaps it makes sense to include some text in the README.md with
information about what GPG fingerprints are valid for signing
releases? Adding it to the README.md not only means that it is front
and center on the GitHub page, it also means that any fingerprints
added to the file will be part of the signed release tarballs
providing a history of authorized GPG identities (although that
doesn't help us until we build up that history).

As an example, here is what we do in libseccomp:

https://github.com/seccomp/libseccomp#verifying-release-tarballs

-- 
paul-moore.com

^ permalink raw reply [flat|nested] 5+ messages in thread
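Added example (not part of the thread and not the SELinux project's own tooling): a packager-side check that accepts a release signature only when GnuPG reports it as valid and made by the fingerprints printed in the gpg output quoted above, instead of trusting the "Good signature from ..." name. The function names, the `GPG` variable and the sample status lines are assumptions constructed for illustration; the status-line layout is GnuPG's `--status-fd` format.

```shell
#!/bin/sh
# Pinned fingerprints, copied from the gpg output quoted in the thread above.
PINNED_PRIMARY="B8682847764DF60DF52D992CBC3905F235179CF1"
PINNED_SUBKEY="1BE2C0FF08949623102FD2564695881C254508D1"
GPG="${GPG:-gpg}"   # assumption: gpg/gpg2 is installed and the public key is imported

# check_status: read GnuPG "--status-fd" lines on stdin; exit 0 only if a
# VALIDSIG line names the pinned signing subkey and pinned primary key and no
# failure status is present.
# VALIDSIG fields after the keyword: signing-key fingerprint, date, timestamp,
# expiry, version, reserved, pubkey algo, hash algo, sig class, primary-key
# fingerprint (so the primary fingerprint is awk field 12).
check_status() {
    awk -v want_sub="$PINNED_SUBKEY" -v want_pri="$PINNED_PRIMARY" '
        $1 != "[GNUPG:]" { next }
        # A correct signature from an expired or revoked key is still rejected.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (NF >= 12 && toupper($3) == want_sub && toupper($12) == want_pri) {
                ok = 1
            } else {
                bad = 1   # valid signature, but not from the pinned key
            }
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release SIGFILE TARBALL: run gpg and judge only its machine-readable status.
verify_release() {
    "$GPG" --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# --- Constructed sample status output (timestamps/algorithm numbers illustrative) ---
SAMPLE_GOOD='[GNUPG:] GOODSIG 4695881C254508D1 Petr Lautrbach <lautrbach@redhat.com>
[GNUPG:] VALIDSIG 1BE2C0FF08949623102FD2564695881C254508D1 2023-12-13 1702478850 0 4 0 1 8 00 B8682847764DF60DF52D992CBC3905F235179CF1'

# Same user ID, different (made-up) key: the name alone proves nothing.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Petr Lautrbach <lautrbach@redhat.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2023-12-13 1702478850 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Pinned key, but reported as expired at verification time.
SAMPLE_EXPIRED_KEY='[GNUPG:] EXPKEYSIG 4695881C254508D1 Petr Lautrbach <lautrbach@redhat.com>
[GNUPG:] VALIDSIG 1BE2C0FF08949623102FD2564695881C254508D1 2023-12-13 1702478850 0 4 0 1 8 00 B8682847764DF60DF52D992CBC3905F235179CF1'

# Command-line use: ./verify.sh checkpolicy-3.6.tar.gz.asc checkpolicy-3.6.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $2 is signed by the pinned release key"
    else
        echo "REJECTED: $2 is not validly signed by the pinned release key" >&2
        exit 1
    fi
fi
```

Pinning both fingerprints means a later key rotation fails closed until the packager confirms the new fingerprint out of band, which is the situation the question in this thread arose from.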