SELinux userspace release 3.10-rc2

SELinux userspace release 3.10-rc2

[Jason Zaman]

Hi All,

I just released 3.10-rc2 to github: https://github.com/SELinuxProject/selinux/releases/tag/3.10-rc2

Release notes are below, please send mail to me/the list if there are
any issues found.

With Kind Regards,
Jason Zaman

RELEASE 3.10-rc2
================

User-visible changes since 3.10-rc1
------------------------------

* sandbox/seunshare: Replace system() with execv() to prevent shell injection

* libsepol: Tighten checks on MLS range and level when validating

* libsepol: Fix potential NULL dereference in policydb_read()

* libsepol: Fix potential use of an uninitialized value in link.c


RELEASE 3.10-rc1
================

User-visible changes since 3.9
------------------------------

* libsepol: fix TARGET and LIBSO on Darwin

* secilc: use correct long option name for -X

* Fix problem with bounds statements in optional blocks

* libsepol: Fix processing of levels for user rule in an optional block

* libsepol: Fix problem with handling type attributes in role-types rule

* libsepol: Fix expand_role_attributes_in_attributes()

* Allow type attributes to be associated with other type attributes

* libsepol: Support functionfs_seclabel policycap

* improve semanage man pages: Add examples for -r RANGE flag usage

* libselinux: fix parsing of the enforcing kernel cmdline parameter

* seunshare: always use translations when printing

* treewide: add .clang-format configuration file

* setfiles: Add -A option to disable SELINUX_RESTORECON_ADD_ASSOC

* libsepol: add memfd_class capability

* semanage: Reset active value when deleting boolean customizations

* python/sepolicy: Add support for DNF5

* Bug fixes

Re: SELinux userspace release 3.10

[Jason Zaman]

[-- Attachment #1: Type: text/plain, Size: 1738 bytes --]

Hi All,

The SELinux userspace 3.10 release is now on github:
https://github.com/SELinuxProject/selinux/releases/tag/3.10

Thanks to everyone that contributed to this release!

With Kind Regards,
Jason Zaman

RELEASE 3.10
============

User-visible changes since 3.9
------------------------------

* libsepol: fix TARGET and LIBSO on Darwin

* secilc: use correct long option name for -X

* Fix problem with bounds statements in optional blocks

* libsepol: Fix processing of levels for user rule in an optional block

* libsepol: Fix problem with handling type attributes in role-types rule

* libsepol: Fix expand_role_attributes_in_attributes()

* Allow type attributes to be associated with other type attributes

* libsepol: Support functionfs_seclabel policycap

* improve semanage man pages: Add examples for -r RANGE flag usage

* libselinux: fix parsing of the enforcing kernel cmdline parameter

* seunshare: always use translations when printing

* treewide: add .clang-format configuration file

* setfiles: Add -A option to disable SELINUX_RESTORECON_ADD_ASSOC

* libsepol: add memfd_class capability

* semanage: Reset active value when deleting boolean customizations

* python/sepolicy: Add support for DNF5

* sandbox/seunshare: Replace system() with execv() to prevent shell injection

* libsepol: Tighten checks on MLS range and level when validating

* libsepol: Fix potential NULL dereference in policydb_read()

* libsepol: Fix potential use of an uninitialized value in link.c

* libsepol: add bpf_token_perms polcap

* libsepol: Fix possible use-after-free when expanding attributes

* libselinux/src/Makefile: build python module without isolation

* restorecon: Add option to count relabeled files

* Bug fixes

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1000 bytes --]

Re: SELinux userspace release 3.10

[Rahul Sandhu]

Earlier on the ML, I think we concluded that once 3.10 was released,
we would format all the code in the repo with clang-format[1]. Should
we do this now? After, we should be able to merge the formatting CI
patch[2].

[1] https://lore.kernel.org/selinux/CAEjxPJ7T-xTyPhbNnC5GgC4d9wMtMD+pkPF0JgRmOdMvM6opUg@mail.gmail.com/
[2] https://lore.kernel.org/selinux/CAEjxPJ4jsZ_bWrLF=1si18f09p2Q_TEPWf1rd_a9=_kCb6iTEw@mail.gmail.com/

Best Regards,
Rahul

On Mon Feb 2, 2026 at 2:21 AM GMT, Jason Zaman wrote:
> Hi All,
>
> The SELinux userspace 3.10 release is now on github:
> https://github.com/SELinuxProject/selinux/releases/tag/3.10
>
> Thanks to everyone that contributed to this release!
>
> With Kind Regards,
> Jason Zaman
>
> RELEASE 3.10
> ============
>
> User-visible changes since 3.9
> ------------------------------
>
> * libsepol: fix TARGET and LIBSO on Darwin
>
> * secilc: use correct long option name for -X
>
> * Fix problem with bounds statements in optional blocks
>
> * libsepol: Fix processing of levels for user rule in an optional block
>
> * libsepol: Fix problem with handling type attributes in role-types rule
>
> * libsepol: Fix expand_role_attributes_in_attributes()
>
> * Allow type attributes to be associated with other type attributes
>
> * libsepol: Support functionfs_seclabel policycap
>
> * improve semanage man pages: Add examples for -r RANGE flag usage
>
> * libselinux: fix parsing of the enforcing kernel cmdline parameter
>
> * seunshare: always use translations when printing
>
> * treewide: add .clang-format configuration file
>
> * setfiles: Add -A option to disable SELINUX_RESTORECON_ADD_ASSOC
>
> * libsepol: add memfd_class capability
>
> * semanage: Reset active value when deleting boolean customizations
>
> * python/sepolicy: Add support for DNF5
>
> * sandbox/seunshare: Replace system() with execv() to prevent shell injection
>
> * libsepol: Tighten checks on MLS range and level when validating
>
> * libsepol: Fix potential NULL dereference in policydb_read()
>
> * libsepol: Fix potential use of an uninitialized value in link.c
>
> * libsepol: add bpf_token_perms polcap
>
> * libsepol: Fix possible use-after-free when expanding attributes
>
> * libselinux/src/Makefile: build python module without isolation
>
> * restorecon: Add option to count relabeled files
>
> * Bug fixes

Re: SELinux userspace release 3.10

[James Carter]

Sorry, I forgot about reformatting. What we wanted to do was to
reformat and apply your patch as the last things before the release.

If we do it now, I think we cause all sorts of pain for the distros.
So, unfortunately, I think we need to wait to just before the next
release.

Jim

On Sun, Feb 1, 2026 at 9:40 PM Rahul Sandhu <nvraxn@gmail.com> wrote:
>
> Earlier on the ML, I think we concluded that once 3.10 was released,
> we would format all the code in the repo with clang-format[1]. Should
> we do this now? After, we should be able to merge the formatting CI
> patch[2].
>
> [1] https://lore.kernel.org/selinux/CAEjxPJ7T-xTyPhbNnC5GgC4d9wMtMD+pkPF0JgRmOdMvM6opUg@mail.gmail.com/
> [2] https://lore.kernel.org/selinux/CAEjxPJ4jsZ_bWrLF=1si18f09p2Q_TEPWf1rd_a9=_kCb6iTEw@mail.gmail.com/
>
> Best Regards,
> Rahul
>
> On Mon Feb 2, 2026 at 2:21 AM GMT, Jason Zaman wrote:
> > Hi All,
> >
> > The SELinux userspace 3.10 release is now on github:
> > https://github.com/SELinuxProject/selinux/releases/tag/3.10
> >
> > Thanks to everyone that contributed to this release!
> >
> > With Kind Regards,
> > Jason Zaman
> >
> > RELEASE 3.10
> > ============
> >
> > User-visible changes since 3.9
> > ------------------------------
> >
> > * libsepol: fix TARGET and LIBSO on Darwin
> >
> > * secilc: use correct long option name for -X
> >
> > * Fix problem with bounds statements in optional blocks
> >
> > * libsepol: Fix processing of levels for user rule in an optional block
> >
> > * libsepol: Fix problem with handling type attributes in role-types rule
> >
> > * libsepol: Fix expand_role_attributes_in_attributes()
> >
> > * Allow type attributes to be associated with other type attributes
> >
> > * libsepol: Support functionfs_seclabel policycap
> >
> > * improve semanage man pages: Add examples for -r RANGE flag usage
> >
> > * libselinux: fix parsing of the enforcing kernel cmdline parameter
> >
> > * seunshare: always use translations when printing
> >
> > * treewide: add .clang-format configuration file
> >
> > * setfiles: Add -A option to disable SELINUX_RESTORECON_ADD_ASSOC
> >
> > * libsepol: add memfd_class capability
> >
> > * semanage: Reset active value when deleting boolean customizations
> >
> > * python/sepolicy: Add support for DNF5
> >
> > * sandbox/seunshare: Replace system() with execv() to prevent shell injection
> >
> > * libsepol: Tighten checks on MLS range and level when validating
> >
> > * libsepol: Fix potential NULL dereference in policydb_read()
> >
> > * libsepol: Fix potential use of an uninitialized value in link.c
> >
> > * libsepol: add bpf_token_perms polcap
> >
> > * libsepol: Fix possible use-after-free when expanding attributes
> >
> > * libselinux/src/Makefile: build python module without isolation
> >
> > * restorecon: Add option to count relabeled files
> >
> > * Bug fixes
>
>