All of lore.kernel.org
 help / color / mirror / Atom feed
From: Petr Lautrbach <lautrbach@redhat.com>
To: SElinux list <selinux@vger.kernel.org>
Subject: 3.11 release notes draft
Date: Tue, 30 Jun 2026 12:21:54 +0200	[thread overview]
Message-ID: <87zf0cs4zh.fsf@redhat.com> (raw)

Hi,

I'll push 3.11 release tomorrow. Bellow is release notes draft. feel
free to comment on it if you feel it needs another info of if you find
some information incorrect.

it's based on rc1, rc2, rc3 release notes together with notes provided
by Stephen Smalley.



RELEASE 3.11
============

User-visible changes since 3.10
--------------------------------

- Several security improvements in libselinux, dbus, gui, mcstrans and sandbox
- Added `secilcheck` program to check CIL neverallows against binary policies
- Improved `restorecond.service` to use new `restorecond -F` option to run in
  foreground
- restorecon only logs error on read-only filesystem instead of failing (allows
  relabeling with read-only BTRFS subvolumes)
- Added `setfiles -A` option to disable SELINUX_RESTORECON_ADD_ASSOC
- Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
  selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to
  relabel files with multiple hard links to prevent mislabeling them. Updated
  restorecond(8) to always pass this flag when relabeling files to prevent
  mislabeling hard links to files owned by others, e.g. when relabeling user
  home directories or /tmp.
- Dropped sandbox/seunshare -k/--kill support (unused by sandbox, fundamentally
  racy, redundant with killall -Z).
- Fixed sandbox/seunshare getopt flags to match the actual options.
- Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
- Fixed sandbox interactive prompt for saving files.
- Added a cache size cap, max client cap, receive timeout, and maxbit cap to
  mcstrans to reduce the risk of DoS from misbehaving clients.
- Fixed mcstrans UAF on SIGHUP reload of its configuration files.
- Fixed mcstrans translation for uncached entries.
- Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large
  semanage import operations (#291).
- Fixed libsepol generation of constraint expressions with a list of names when
  writing policy.conf from CIL.
- Fixed libsepol to generate constrain/validatetrans instead of
  mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the
  constraint contains an expression based on level.
- Fixed libsepol selection of tunableif or booleanif and to skip empty
  conditional blocks when converting a module to CIL.
- Fixed libsepol/secilc reporting of CIL source file info.
- Fixed libsepol to require at least one perm in a CIL classperm and to
  correctly count the number of elements in the avtab.
- Fixed libsepol to link xperm rule permissions correctly.
- Fixed libsepol off-by-one error in cats_ebitmap_len().
- Fixed dispol and dismod to show all options in the -h text.
- Fixed checkpolicy handling of out-of-range and complement at range boundaries
  for xperm rules (#530, #531).
- Dropped legacy fscon statement support from checkpolicy - never used in
  SELinux policies for mainline kernels (#518).
- Fixed libselinux constructor to not clobber errno (#445).
- Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
- Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on
  /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur
  legitimately within a user namespace.
- Improved restorecon related functionality in libselinux
- Improved semanage-fcontext(8) manpage
- Dropped Python 2 support from audit2why
- Multiple documentation improvements.
- Bug fixes

Security/hardening changes
--------------------------

- Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file
  relabeling if /proc is available (so that it can use /proc/self/fd-based
  pathnames). If /proc is not available, selinux_restorecon(3) falls back to
  just passing the full pathname each time for compatibility within chroot or
  other environments. For callers that pass the SELINUX_RESTORECON_REALPATH
  flag, like restorecon(8), selinux_restorecon(3) will still follow any
  intermediate symlinks in the initial pathname as part of realpath(3)
  canonicalization. Otherwise, selinux_restorecon(3) will not follow any
  symlinks. This may yield different user-visible behavior for setfiles(8) and
  restorecond(8) but only if a path containing an intermediate symlink is
  specified on the command-line (setfiles) or configuration (restorecond) since
  they did not follow any symlinks found during the tree walk regardless.

- Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues on their
  other path-based operations via /proc/self/fd and the use of a safe_open()
  helper. This may yield different behavior if a path containing an intermediate
  symlink is passed to them via configuration (restorecond) or command-line
  (seunshare).

- Many hardening fixes spanning the entire tree (including but not limited to
  #522, #523, #525 thru #529, #532 thru #534)

Development-relevant changes
----------------------------

- Reformatted entire tree based on .clang-format and added new
  check-format/format make targets to check and/or reformat code to match.
  This is now a requirement for new patches.
- Improved CI and refactored CI build into a custom GH action
- libselinux and python use system Python3 build module
- Fixed build errors with glibc 2.43.
- Fixed libselinux build for non-pthread builds.
- Build shared libraries with -fPIC for LTO.
- Fixed uclibc build failure (#435).
- Multiple fixes for musl/llvm-based builds, including adding a new
  EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
  --undefined-version through to lld (#511 thru #515).
- Fixed libsemanage pywrap target deps for parallel builds.
- Updated pywrap build targets for modern python builds using the Python3 build
  module.
- Disabled build isolation for sepolicy python module.


                 reply	other threads:[~2026-06-30 10:22 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87zf0cs4zh.fsf@redhat.com \
    --to=lautrbach@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.