Releases: SELinuxProject/selinux

SELinux userspace release 3.3-rc1

08 Sep 08:36
Pre-release

RELEASE 3.3-rc1

User-visible changes

  • When checkpolicy reads a binary policy, it no longer automatically changes the version
    to the maximum policy version supported by libsepol or, if specified, to the value given
    using the "-c" flag.

  • fixfiles -C doesn't exclude /dev and /run anymore

  • CIL: Lists are allowed in constraint expressions

  • CIL: Improved situation with duplicate macro and block declarations

  • Added the new secilc2tree program to write out the CIL AST.

  • Improved documentation

  • Many static code analysis issues and compiler warnings fixed

  • Bug fixes

Development-relevant changes

Issues fixed

SELinux userspace release 3.2

04 Mar 16:26
cf853c1

User-visible changes

  • libsepol implemented a new, more space-efficient form of storing filename
    transitions in the binary policy and reduced the size of the binary policy

  • libselinux: Use mmap()'ed kernel status page instead of netlink by default.
    See the "KERNEL STATUS PAGE" section in avc_init(3) for more details.
    Note: if you need to unmount /sys/fs/selinux, you need to use a lazy unmount
    (umount -l /sys/fs/selinux), because the kernel status page /sys/fs/selinux/status
    stays mapped by processes such as systemd, dbus and sshd.

  • Tools using sepolgen, e.g. audit2allow, print extended permissions in
    hexadecimal

  • sepolgen sorts extended rules like normal ones

  • New log callback levels for enforcing and policy load notices -
    SELINUX_POLICYLOAD, SELINUX_SETENFORCE

  • Changed userspace AVC setenforce and policy load messages to audit format.

  • matchpathcon converted to selabel_lookup() - no more "matchpathcon is
    deprecated" warning

  • libsepol and libsemanage dropped old and deprecated symbols and functions
    libsepol version was bumped to libsepol.so.2
    libsemanage version was bumped to libsemanage.so.2

  • Release version for the whole project is the same as for subcomponents, e.g.
    instead of 20210118 it's 3.2-rc1

  • Improved usability of getseuser

  • Fixed several issues in cil code found by OSS-FUZZ

  • setfiles doesn't abort on labeling errors

  • libsemanage tries to sync data to prevent empty files in SELinux module store

  • Improved secilc documentation - fenced code blocks, syntax highlighting, custom
    color theme, ...

  • Better error reporting in getconlist

  • Release version for the whole project is the same as for subcomponents, e.g.
    instead of 20210304 it's 3.2

  • Improved man pages

  • Bug fixes

Development-relevant changes

  • License the CI scripts with a permissive, OSI approved license, such as MIT

  • Several CI improvements

  • Added configuration to build and run tests in GitHub Actions

  • CI contains configuration for a Vagrant virtual machine - instructions on how
    to use it are documented at the beginning of Vagrantfile.

  • scripts/release was improved to be more robust and release a source repository

Packaging-relevant changes

  • Both libsepol and libsemanage bumped their soname versions. In particular,
    libsemanage is linked by shadow-utils, so a direct update might cause problems in
    buildroots. SETools also needs to be rebuilt against libsepol.so.2

  • Source repository snapshot selinux-3.2-rc2.tar.gz is available on the release page

  • sestatus is installed as /usr/bin/sestatus by default. Original /usr/sbin/sestatus is
    a relative symlink to the /usr/bin/sestatus.

Issues fixed

SELinux userspace release 3.2-rc3

24 Feb 15:40
d4d1f4b
Pre-release

RELEASE 3.2-rc3

User-visible changes since 3.2-rc2

  • Improved secilc documentation - fenced code blocks, syntax highlighting, custom
    color theme, ...

  • Better error reporting in getconlist

  • Improved selinux(8,5) and fixfiles(8) man pages

  • Bug fixes

Packaging-relevant changes since 3.2-rc2

  • sestatus is installed as /usr/bin/sestatus by default. Original /usr/sbin/sestatus is
    a relative symlink to the /usr/bin/sestatus.

SELinux userspace release 3.2-rc2

03 Feb 10:52
2c7c4a8
Pre-release

RELEASE 3.2-rc2

User-visible changes since 3.2-rc1

  • Improved usability of getseuser

  • Fixed several issues in cil code found by OSS-FUZZ

  • setfiles doesn't abort on labeling errors

  • libsemanage tries to sync data to prevent empty files in SELinux module store

Development-relevant changes since 3.2-rc1

  • scripts/release was improved to be more robust and release a source repository

Packaging-relevant changes since 3.2-rc1

  • Source repository snapshot selinux-3.2-rc2.tar.gz is available on the release page

SELinux userspace release 3.2-rc1

20 Jan 12:09
c534d4e
Pre-release

User-visible changes

  • libsepol implemented a new, more space-efficient form of storing filename
    transitions in the binary policy and reduced the size of the binary policy

  • libselinux: Use mmap()'ed kernel status page instead of netlink by default.
    See the "KERNEL STATUS PAGE" section in avc_init(3) for more details.
    Note: if you need to unmount /sys/fs/selinux, you need to use a lazy unmount
    (umount -l /sys/fs/selinux), because the kernel status page /sys/fs/selinux/status
    stays mapped by processes such as systemd, dbus and sshd.

  • Tools using sepolgen, e.g. audit2allow, print extended permissions in
    hexadecimal

  • sepolgen sorts extended rules like normal ones

  • New log callback levels for enforcing and policy load notices -
    SELINUX_POLICYLOAD, SELINUX_SETENFORCE

  • Changed userspace AVC setenforce and policy load messages to audit format.

  • matchpathcon converted to selabel_lookup() - no more "matchpathcon is
    deprecated" warning

  • libsepol and libsemanage dropped old and deprecated symbols and functions
    libsepol version was bumped to libsepol.so.2
    libsemanage version was bumped to libsemanage.so.2

  • Release version for the whole project is the same as for subcomponents, e.g.
    instead of 20210118 it's 3.2-rc1

  • Improved man pages

  • Bug fixes
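
The mmap()'ed kernel status page mentioned in this release (and again in the 3.2 notes) is a small seqlock-protected page exported by the kernel at /sys/fs/selinux/status. The following added example is not part of the selinux project's code; it reads that page directly the way libselinux's AVC does, retrying while the sequence number is odd (kernel mid-update) or changes underneath the read. The struct layout follows the kernel's struct selinux_kernel_status; the bounded retry count, the status_snapshot type and the helper names are this example's own choices. Because the page stays mmap()'ed for the life of the process, this is also why a plain umount of /sys/fs/selinux fails and a lazy umount is needed.

```c
/* Added example (not from the selinux project): read the kernel status page
 * /sys/fs/selinux/status with the seqlock protocol libselinux's AVC uses. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Layout of the page exported at /sys/fs/selinux/status, as defined by the
 * kernel (struct selinux_kernel_status); all fields are host-order u32. */
struct selinux_kernel_status {
    uint32_t version;      /* layout version of this structure */
    uint32_t sequence;     /* seqlock counter: odd while the kernel updates */
    uint32_t enforcing;    /* 1 = enforcing, 0 = permissive */
    uint32_t policyload;   /* incremented on every policy (re)load */
    uint32_t deny_unknown; /* 1 = unknown classes/perms are denied */
};

/* Consistent snapshot of the fields an AVC consumer cares about
 * (example's own type). */
struct status_snapshot {
    uint32_t enforcing;
    uint32_t policyload;
    uint32_t deny_unknown;
};

/* Seqlock reader: a snapshot is only valid if the sequence was even before
 * the reads and unchanged after them. Bounded by max_tries so a page that
 * is stuck odd (or a bogus input) cannot spin forever.
 * Returns 0 on success, -1 if no consistent read was obtained. */
int read_status(const volatile struct selinux_kernel_status *st,
                struct status_snapshot *out, int max_tries)
{
    for (int i = 0; i < max_tries; i++) {
        uint32_t seq = st->sequence;
        if (seq & 1) {               /* writer in progress: back off */
            sched_yield();
            continue;
        }
        atomic_thread_fence(memory_order_acquire); /* fields after seq */
        struct status_snapshot s = {
            .enforcing = st->enforcing,
            .policyload = st->policyload,
            .deny_unknown = st->deny_unknown,
        };
        atomic_thread_fence(memory_order_acquire); /* re-check after fields */
        if (st->sequence == seq) {
            *out = s;
            return 0;
        }
    }
    return -1;
}

/* Map the live status page. The mapping is what keeps /sys/fs/selinux busy
 * (hence "umount -l"). Returns NULL when selinuxfs is not available. */
const volatile struct selinux_kernel_status *map_status_page(void)
{
    int fd = open("/sys/fs/selinux/status", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return NULL;
    long pagesize = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesize, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                       /* the mapping survives closing the fd */
    return p == MAP_FAILED ? NULL : p;
}

int main(void)
{
    const volatile struct selinux_kernel_status *st = map_status_page();
    if (!st) {
        puts("selinuxfs status page not available on this host");
        return 1;
    }
    struct status_snapshot s;
    if (read_status(st, &s, 100) != 0) {
        puts("could not obtain a consistent status read");
        return 1;
    }
    printf("enforcing=%u policyload=%u deny_unknown=%u\n",
           s.enforcing, s.policyload, s.deny_unknown);
    return 0;
}
```

A consumer that caches access decisions compares policyload (and enforcing) against the values it saw last time; a change means the cache must be flushed, which is exactly the notification the netlink path used to deliver.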

Development-relevant changes

  • License the CI scripts with a permissive, OSI approved license, such as MIT

  • Several CI improvements

  • Added configuration to build and run tests in GitHub Actions

  • CI contains configuration for a Vagrant virtual machine - instructions on how
    to use it are documented at the beginning of Vagrantfile.

Packaging-relevant changes

  • Both libsepol and libsemanage bumped their soname versions. In particular,
    libsemanage is linked by shadow-utils, so a direct update might cause problems in
    buildroots. SETools also needs to be rebuilt against libsepol.so.2

Issues fixed

SELinux userspace release 2020-07-10 / 3.1

10 Jul 15:42

User-visible changes

  • selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were removed

    The flask.h and av_permissions.h header files were deprecated and
    all selinux userspace references to them were removed in
    commit 76913d8 ("Deprecate use of flask.h and av_permissions.h.")
    back in 2014 and included in the 20150202 / 2.4 release.
    All userspace object managers should have been updated
    to use the dynamic class/perm mapping support since that time.
    Remove these headers finally to ensure that no users remain and
    that no future uses are ever introduced.

    Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
    permission names to their policy values, or selinux_set_mapping(3) to create a
    mapping from class and permission index values used by the application to the
    policy values.

  • Removed restrictions in libsepol and checkpolicy that required all declared
    initial SIDs to be assigned a context.

  • Support for new policy capability genfs_seclabel_symlinks

  • New setfiles -E option - treat conflicting specifications as errors, such
    as where two hardlinks for the same inode have different contexts.

  • restorecond_user.service - new systemd user service which runs restorecond -u

  • setsebool -V reports errors from commit phase

  • Improved man pages

  • semanage uses ipaddress Python module instead of IPy

  • matchpathcon related interfaces are deprecated

  • selinuxfs is mounted with noexec and nosuid

  • the dso wrappers for internal calls were removed and it is now strongly recommended to build with
    -fno-semantic-interposition in CFLAGS

  • security_compute_user() was deprecated

  • checkpolicy treats invalid characters as an error - might break rare use cases (intentionally)

  • New restorecon -x option which prevents it from crossing file system boundaries.

  • Handle semanage module in semanage bash completion

  • sepolgen-ifgen parses a gen_tunable statement as bool

  • semanage handles getprotobyname() failure case on Debian where /etc/protocols does not contain an entry for "ipv4"

Packaging-relevant changes

  • Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives
    to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired
    effects on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be
    set when overriding are:

    • -fno-semantic-interposition for gcc or other compilers that do not do this by default. clang does this by
      default; clang-10 and up accept this flag but ignore it, while previous clang versions fail on it.

  • setup.py builds can be customized using PYTHON_SETUP_ARGS, e.g. for the Debian Python layout use:
    make PYTHON_SETUP_ARGS=--install-layout=deb ...

Development-relevant changes

  • Improved README which was renamed to README.md and converted to markdown.

  • Added Travis CI job to run SELinux kernel testsuite on latest Fedora cloud image

Issues fixed

SELinux userspace release 2020-06-19 / 3.1-rc2

19 Jun 11:57

User-visible changes since 20200518 / 3.1-rc1:

  • New restorecon -x option - prevent restorecon from crossing file system
    boundaries.

  • Handle semanage module in semanage bash completion

  • Added section about CFLAGS to README.md, see Packaging-relevant changes

  • Improved man pages

  • Add Travis CI job to run SELinux kernel testsuite on latest Fedora cloud image

  • sepolgen-ifgen parses a gen_tunable statement as bool

Packaging-relevant changes:

  • Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives
    to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired
    effects on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be
    set when overriding are:

    • -fno-semantic-interposition for gcc or other compilers that do not do this by default. clang does this by
      default; clang-10 and up accept this flag but ignore it, while previous clang versions fail on it.

Issues fixed:

SELinux userspace release 2020-05-18 / 3.1-rc1

18 May 12:47

RELEASE 20200518 (3.1-rc1)

User-visible changes:

  • selinux/flask.h and selinux/av_permissions.h were removed

    The flask.h and av_permissions.h header files were deprecated and
    all selinux userspace references to them were removed in
    commit 76913d8 ("Deprecate use of flask.h and av_permissions.h.")
    back in 2014 and included in the 20150202 / 2.4 release.
    All userspace object managers should have been updated
    to use the dynamic class/perm mapping support since that time.
    Remove these headers finally to ensure that no users remain and
    that no future uses are ever introduced.

    Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
    permission names to their policy values, or selinux_set_mapping(3) to create a
    mapping from class and permission index values used by the application to the
    policy values.

  • Support for new polcap genfs_seclabel_symlinks

  • New setfiles -E option - treat conflicting specifications as errors, such
    as where two hardlinks for the same inode have different contexts.

  • restorecond_user.service - new systemd user service which runs restorecond -u

  • setsebool -V reports errors from commit phase

  • Improved man pages

  • semanage uses ipaddress Python module instead of IPy

  • matchpathcon related interfaces are deprecated

  • selinuxfs is mounted with noexec and nosuid

  • Improved README which was renamed to README.md and converted to markdown.

  • setup.py builds can be customized using PYTHON_SETUP_ARGS, e.g. for the Debian Python layout use:
    make PYTHON_SETUP_ARGS=--install-layout=deb ...

  • the dso wrappers for internal calls were removed and it is now strongly recommended to build with
    -fno-semantic-interposition in CFLAGS

  • security_compute_user() was deprecated - usage of /sys/fs/selinux/user { security:compute_user } might be revisited

  • checkpolicy treats invalid characters as an error - this might break rare use cases (intentionally)
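
The flask.h / av_permissions.h removal above (in this release candidate and again in the final 3.1 notes) exists because class indices and permission bits are assigned by the policy that is loaded, not fixed at compile time; an object manager that hard-codes them will misbehave on any policy that numbers classes differently. The following added example is not the project's code: it reads the same selinuxfs files that string_to_security_class(3) and string_to_av_perm(3) consult, with a constructed stand-in tree so it runs on a machine without SELinux. In real programs call those libselinux functions (or selinux_set_mapping(3)) rather than these stand-ins; the fsroot parameter, the helper names and the sample numbers (class "file" at index 6, permission "read" at position 17) are this example's own assumptions.

```c
/* Added example (not from the selinux project): resolve class and permission
 * names against selinuxfs, the lookup that replaced the fixed flask.h values. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Read one positive decimal integer from a file; -1 if missing or invalid. */
static long read_index_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1 || v <= 0)
        v = -1;
    fclose(f);
    return v;
}

/* Policy-defined class index, from <fsroot>/class/<cls>/index.
 * Returns -1 when the class is not defined in the loaded policy. */
long lookup_class(const char *fsroot, const char *cls)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/class/%s/index", fsroot, cls);
    return read_index_file(path);
}

/* Policy-defined access-vector bit: <fsroot>/class/<cls>/perms/<perm> holds a
 * 1-based position and the AV bit is 1 << (position - 1). Returns 0 when the
 * class or permission is unknown; callers must treat 0 as "unknown", never as
 * "allowed". */
uint32_t lookup_perm(const char *fsroot, const char *cls, const char *perm)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/class/%s/perms/%s", fsroot, cls, perm);
    long pos = read_index_file(path);
    if (pos < 1 || pos > 32)
        return 0;
    return (uint32_t)1 << (pos - 1);
}

/* Constructed stand-in for selinuxfs (example only): class "file" at index 6
 * with permission "read" at position 17. Returns the temp root (caller frees)
 * or NULL on failure. */
char *make_fake_selinuxfs(void)
{
    char tmpl[] = "/tmp/fakeselinuxfs.XXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root)
        return NULL;
    char path[PATH_MAX];
    FILE *f;
    snprintf(path, sizeof path, "%s/class", root);            mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/class/file", root);       mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/class/file/perms", root); mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/class/file/index", root);
    if ((f = fopen(path, "w"))) { fputs("6\n", f); fclose(f); }
    snprintf(path, sizeof path, "%s/class/file/perms/read", root);
    if ((f = fopen(path, "w"))) { fputs("17\n", f); fclose(f); }
    return strdup(root);
}

int main(void)
{
    const char *root = "/sys/fs/selinux";
    char *fake = NULL;
    if (access("/sys/fs/selinux/class", R_OK) != 0) {
        fake = make_fake_selinuxfs();  /* no SELinux here: use the stand-in */
        root = fake;
    }
    printf("class file  -> index %ld\n", lookup_class(root, "file"));
    printf("file:read   -> av bit 0x%08x\n", lookup_perm(root, "file", "read"));
    printf("file:bogus  -> av bit 0x%08x (unknown)\n", lookup_perm(root, "file", "bogus"));
    free(fake);
    return 0;
}
```

The point to take from the 0 return for an unknown permission is the same one the libselinux functions make with their error return: a name that does not resolve under the current policy must fail closed in the caller, not silently map to bit 0 or to a stale compile-time constant.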

Issues fixed:

SELinux userspace release 20191204 / 3.0

04 Dec 08:29
dca7ce8

RELEASE 20191204 (3.0)

User-visible changes:

  • Optional support for kernel policy optimization (enable with
    optimize-policy=true in /etc/selinux/semanage.conf for modular policy or -O
    option to checkpolicy/secilc for monolithic policy); this is optional because it
    provides relatively small savings with non-trivial policy compile-time overhead
    for some policies e.g. Android.

  • New digest scheme for setfiles/restorecon -D; instead of a single hash of the
    entire file contexts configuration stored in a security.restorecon_last xattr on
    only the top-level directory, use a hash of all partial matches from file
    contexts stored in a security.sehash xattr on each directory.

  • Support for default_range glblub in source policy (.te/policy.conf and CIL)
    and kernel policy version 32.

  • New libselinux APIs for querying validatetrans rules.

  • Unknown permissions are now handled as errors in CIL.

  • security_av_string() no longer returns immediately upon encountering an
    unknown permission and will log all known permissions.

  • checkmodule -c support for specifying module policy version.

  • mcstransd reverted to original color range matching based on dominance.

  • Support for 'dccp' and 'sctp' protocols in semanage port command.

  • 'checkpolicy -o -' writes policy to standard output.

  • 'semodule -v' also sets CIL's log level.

  • Python 2 is no longer supported in this project and new Python code
    should be written only for Python 3.

  • Messages about the statement failing to resolve and the optional block being
    disabled are displayed at the highest verbosity level.

  • Fixed redundant console log output error in restorecond

Issues fixed:

SELinux userspace release 20191122 / 3.0-rc2

22 Nov 14:40

RELEASE 20191122 (3.0-rc2)

User-visible changes:

  • Python 2 is no longer supported in this project and new Python code
    should be written only for Python 3.

  • Messages about the statement failing to resolve and the optional block being
    disabled are displayed at the highest verbosity level.

  • Fixed redundant console log output error in restorecond

Issues fixed: