* ANN: SELinux userspace 3.1-rc1 release candidate
@ 2020-05-18 12:52 Petr Lautrbach
  2020-05-18 13:08 ` Christian Göttsche
  0 siblings, 1 reply; 2+ messages in thread
From: Petr Lautrbach @ 2020-05-18 12:52 UTC
  To: selinux


Hello,

A 3.1-rc1 release candidate for the SELinux userspace is now 
available at:

https://github.com/SELinuxProject/selinux/wiki/Releases

Please give it a test and let us know if there are any issues.

If there are specific changes that you think should be called out 
in release notes for packagers and users in the final release
announcement, let us know. 

Thanks to all the contributors to this release candidate!


User-visible changes:

* selinux/flask.h and selinux/av_permissions.h were removed

  The flask.h and av_permissions.h header files were deprecated and
  all selinux userspace references to them were removed in
  commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
  back in 2014 and included in the 20150202 / 2.4 release.
  All userspace object managers should have been updated
  to use the dynamic class/perm mapping support since that time.
  Remove these headers finally to ensure that no users remain and
  that no future uses are ever introduced.

  Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
  permission names to their policy values, or selinux_set_mapping(3) to create a
  mapping from class and permission index values used by the application to the
  policy values.

* Support for new polcap genfs_seclabel_symlinks

* New `setfiles -E` option - treat conflicting specifications as errors, such
as where two hardlinks for the same inode have different contexts.

* `restorecond_user.service` - new systemd user service which runs `restorecond -u`

* `setsebool -V` reports errors from commit phase

* Improved man pages

* `semanage` uses ipaddress Python module instead of IPy

* matchpathcon related interfaces are deprecated

* selinuxfs is mounted with noexec and nosuid

* Improved README which was renamed to README.md and converted to markdown.

* `setup.py` builds can be customized using PYTHON_SETUP_ARGS, e.g. for the
  Debian Python layout use: `make PYTHON_SETUP_ARGS=--install-layout=deb ...`


Issues fixed:

* https://github.com/SELinuxProject/selinux/issues/239
* https://github.com/SELinuxProject/selinux/issues/237
* https://github.com/SELinuxProject/selinux/issues/225
* https://github.com/SELinuxProject/selinux/issues/217
* https://github.com/SELinuxProject/selinux/issues/204
* https://github.com/SELinuxProject/selinux/issues/187
* https://github.com/SELinuxProject/selinux/issues/179
* https://github.com/SELinuxProject/selinux/issues/164
* https://github.com/SELinuxProject/selinux/issues/70
* https://github.com/SELinuxProject/selinux/issues/28

A shortlog of changes since the 3.0 release:

Adam Duskett (1):
      Fix building against musl and uClibc libc libraries.

Chris PeBenito (2):
      libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.
      setfiles: Add -E option to treat conflicting specifications as errors.

Christian Göttsche (10):
      libsepol: add support for new polcap genfs_seclabel_symlinks
      libselinux: drop error return from is_selinux_enabled documentation
      libsepol: set correct second argument of (t1 == t2) constraint
      checkpolicy: add missing forward declaration
      tree-wide: replace last occurrences of security_context_t
      tree-wide: use python module importlib instead of the deprecated imp
      libsemanage: clarify handle-unknown configuration setting in man page
      semodule: mention ignoredirs setting in genhomedircon man page
      libselinux: mark security_context_t typedef as deprecated
      tree-wide: introduce PYTHON_SETUP_ARGS to customize setup.py calls on Debian

Daniel Burgener (2):
      checkpolicy: Treat invalid characters as an error
      checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.

Dominick Grift (1):
      mcstrans: start early and stop late

James Carter (6):
      libsepol/cil: Fix bug in cil_copy_avrule() in extended permission handling
      libsepol/cil: Rewrite verification of map classes and classpermissionsets
      libsepol: Create the macro ebitmap_is_empty() and use it where needed
      libsepol/cil: Check if name is a macro parameter first
      libsepol/cil: Do not check flavor when checking for duplicate parameters
      Revert "libsepol/cil: raise default attrs_expand_size to 2"

Joshua Schmidlkofer (1):
      python/semanage: check variable type of port before trying to split

Mikhail Novosyolov (1):
      libselinux: Fix Ru translation of failsafe context

Nick Kralevich (1):
      label_file.c: Fix MAC build

Nicolas Iooss (16):
      libsepol: make ebitmap_cardinality() of linear complexity
      libselinux: add missing glue code to grab errno in Python bindings
      libselinux: copy the reason why selinux_status_open() returns 1
      libselinux: make context_*_set() return -1 when an error occurs
      libselinux/utils: remove unneeded variable in Makefile
      libselinux,libsemanage: remove double blank lines
      python/semanage: check rc after getting it
      restorecond: migrate to GDbus API provided by glib-gio
      restorecond: add systemd user service
      restorecond/user: handle SIGTERM properly
      libsepol/tests: drop ncurses dependency
      README: add much useful information
      scripts/env_use_destdir: fix Fedora support
      scripts/env_use_destdir: propagate PREFIX, LIBDIR, BINDIR, etc.
      Travis-CI: upgrade to Ubuntu 18.04 and latest releases of Python and Ruby
      python/sepolicy: silence new flake8 warnings

Ondrej Mosnacek (16):
      libsepol: fix CIL_KEY_* build errors with -fno-common
      libsepol: remove leftovers of cil_mem_error_handler
      checkpolicy: remove unused te_assertions
      Makefile: always build with -fno-common
      libsemanage: preserve parent Makefile's flags in debug mode
      Travis-CI: test that DEBUG build works
      libsepol/cil: remove unnecessary hash tables
      libsepol: cache ebitmap cardinality value
      libsepol, newrole: remove unused hashtab functions
      libsepol: grow hashtab dynamically
      Revert "libsepol: cache ebitmap cardinality value"
      libsepol/cil: raise default attrs_expand_size to 2
      secilc: add basic test for policy optimization
      libsepol: skip unnecessary check in build_type_map()
      libsepol: optimize inner loop in build_type_map()
      libsepol: speed up policy optimization

Petr Lautrbach (9):
      libselinux: Eliminate use of security_compute_user()
      Convert README to README.md
      python/semanage: Use ipaddress module instead of IPy
      restorecond: Rename restorecond-user.service to restorecond_user.service
      restorecond: Use pkg-config to get locations for systemd units
      semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
      run-flake8: Filter out ./.git/ directory
      secilc: Fix policy optimization test
      Update VERSIONs to 3.1-rc1 for release.

Richard Filo (1):
      libselinux: Add missing errno setup

Stephen Smalley (8):
      libselinux: remove flask.h and av_permissions.h
      libselinux: update man pages for userspace policy enforcers
      libselinux: export flush_class_cache(), call it on policyload
      libsepol,checkpolicy: support omitting unused initial sid contexts
      libselinux: deprecate security_compute_user(), update man pages
      libsepol,checkpolicy: remove use of hardcoded security class values
      libsemanage: fsync final files before rename
      libsepol: drop broken warning on duplicate filename transitions

Topi Miettinen (4):
      setsebool: report errors from commit phase
      libselinux: mount selinuxfs noexec and nosuid
      sepolicy-gui: fix columns in transitions view
      sepolicy: fix some typos and port definitions

William Roberts (34):
      dso: drop hidden_proto and hidden_def
      Makefile: add -fno-semantic-interposition
      Makefile: add linker script to minimize exports
      libselinux: drop symbols from map
      libsepol/dso: drop hidden_proto and hidden_def
      libsepol/Makefile: add -fno-semantic-interposition
      libsepol: remove wild cards in mapfile
      cil: drop remaining dso.h include
      libsemanage: drop hidden
      libsemanage/Makefile: add -fno-semantic-interposition
      libsemanage: update linker script
      libsemanage: cleanup linker map file
      cil: rm dead dso.h file
      cil: re-enable DISABLE_SYMVER define
      libsemanage: fix linker script symbol versions
      libsemanage: rm semanage_module_upgrade_info from map
      security_load_booleans: update return comment
      security_load_booleans: annotate deprecated
      selinux_booleans_path: annotate deprecated
      selinux_users_path: annotate deprecated
      rpm_execcon: annotate deprecated
      sidget: annotate deprecated
      sidput: annotate deprecated
      checkPasswdAccess: annotate deprecated
      matchpathcon_init: annotate deprecated
      matchpathcon_fini: annotate deprecated
      matchpathcon: annotate deprecated
      avc_init: annotate deprecated
      avc: create internal avc_init interface
      matchpathcon: create internal matchpathcon_fini interface
      selinux_check_passwd_access: annotate deprecated
      matchpathcon: allow use of deprecated routines
      utils: matchpathcon add deprecated warning
      Makefile: swig build allow deprecated functions

bauen1 (1):
      mcstransd: fix memory leak in new_context_str



-- 
()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments


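The flask.h / av_permissions.h removal above is the one change in this release that requires code on the object-manager side, so here is a worked illustration of the dynamic class/perm mapping the announcement points to. This is an added example, not code from the thread or from the libselinux sources: it reimplements, in Python, the lookups that string_to_security_class(3), string_to_av_perm(3) and selinux_set_mapping(3) perform against /sys/fs/selinux/class/<class>/index and /sys/fs/selinux/class/<class>/perms/<perm>, and runs them over a constructed selinuxfs-shaped directory so it works on a machine without SELinux. The two policies, their class numbers and permission orderings, and the application's private class/perm table are all invented for the demonstration; treating an unknown class or permission as a hard error is a simplification of libselinux's behaviour, which for unknown permissions also consults the policy's handle-unknown setting.

```python
"""Dynamic SELinux class/permission mapping over a selinuxfs-shaped tree.

Added example, not libselinux code.  It mirrors what libselinux does for
string_to_security_class(3), string_to_av_perm(3) and selinux_set_mapping(3):
read <mnt>/class/<name>/index for the class value and
<mnt>/class/<name>/perms/<perm> for the 1-based permission number, and turn
the latter into an access-vector bit with 1 << (n - 1).
"""
import os
import tempfile

# Constructed policies (numbers invented).  The same class and permission get
# different values in the two policies, which is exactly why the removed
# flask.h / av_permissions.h constants were unsafe: a userspace object manager
# compiled against one numbering silently checks the wrong class/bit under
# the other.
POLICY_OLD = {
    "file": (6, ["ioctl", "read", "write", "create", "getattr"]),
    "dir":  (7, ["ioctl", "read", "write", "search"]),
}
POLICY_NEW = {
    "dir":  (3, ["search", "read", "write"]),
    "file": (4, ["open", "getattr", "read", "write"]),
}


def make_selinuxfs(policy):
    """Build a throw-away directory tree shaped like /sys/fs/selinux/class."""
    mnt = tempfile.mkdtemp(prefix="fake-selinuxfs-")
    for cls, (index, perms) in policy.items():
        perm_dir = os.path.join(mnt, "class", cls, "perms")
        os.makedirs(perm_dir)
        with open(os.path.join(mnt, "class", cls, "index"), "w") as f:
            f.write(f"{index}\n")
        # selinuxfs stores the permission number, 1-based, in each perms/<perm>
        for number, perm in enumerate(perms, start=1):
            with open(os.path.join(perm_dir, perm), "w") as f:
                f.write(f"{number}\n")
    return mnt


def string_to_security_class(mnt, cls):
    """Class name -> policy class value; 0 when the policy has no such class."""
    try:
        with open(os.path.join(mnt, "class", cls, "index")) as f:
            return int(f.read())
    except FileNotFoundError:
        return 0


def string_to_av_perm(mnt, cls, perm):
    """Permission name -> access-vector bit within that class; 0 when unknown."""
    try:
        with open(os.path.join(mnt, "class", cls, "perms", perm)) as f:
            return 1 << (int(f.read()) - 1)
    except FileNotFoundError:
        return 0


def selinux_set_mapping(mnt, mapping):
    """Resolve an application's private class/perm table against the policy.

    `mapping` is a list of (class_name, [perm names]) in the application's own
    order, like a NULL-terminated struct security_class_mapping[] array.
    Returns {app_class_index (1-based): (policy_class, [policy bit per app
    perm bit])}.  Unknown names raise here (simplification of libselinux).
    """
    resolved = {}
    for app_index, (cls, perms) in enumerate(mapping, start=1):
        tclass = string_to_security_class(mnt, cls)
        if tclass == 0:
            raise LookupError(f"class {cls!r} not defined in policy")
        bits = []
        for perm in perms:
            av = string_to_av_perm(mnt, cls, perm)
            if av == 0:
                raise LookupError(f"permission {cls}:{perm} not defined in policy")
            bits.append(av)
        resolved[app_index] = (tclass, bits)
    return resolved


def map_av(resolved, app_class, app_av):
    """Translate the application's (class index, bitmask) into policy values,
    as the AVC does before computing a decision."""
    tclass, bits = resolved[app_class]
    policy_av = 0
    for i, bit in enumerate(bits):
        if app_av & (1 << i):
            policy_av |= bit
    return tclass, policy_av


# The application's own numbering, fixed at compile time and never changing:
# class 1 = file (bit 0 = read, bit 1 = write), class 2 = dir.
APP_MAP = [("file", ["read", "write"]), ("dir", ["search", "read"])]
APP_FILE, APP_FILE__READ, APP_FILE__WRITE = 1, 1 << 0, 1 << 1


def demo():
    """Same application request, resolved against both constructed policies."""
    result = {}
    for name, policy in (("old", POLICY_OLD), ("new", POLICY_NEW)):
        mnt = make_selinuxfs(policy)
        resolved = selinux_set_mapping(mnt, APP_MAP)
        result[name] = map_av(resolved, APP_FILE, APP_FILE__READ | APP_FILE__WRITE)
    return result


if __name__ == "__main__":
    print(demo())
```

Under the "old" policy the request file:{read write} becomes class 6 with vector 0x6; under the "new" one it becomes class 4 with vector 0xc, while the application's own constants never changed. A permission the running policy does not define (for example "open" under the old policy) resolves to 0, which is the case the object manager must handle rather than mask.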

* Re: ANN: SELinux userspace 3.1-rc1 release candidate
  2020-05-18 12:52 ANN: SELinux userspace 3.1-rc1 release candidate Petr Lautrbach
@ 2020-05-18 13:08 ` Christian Göttsche
  0 siblings, 0 replies; 2+ messages in thread
From: Christian Göttsche @ 2020-05-18 13:08 UTC
  To: Petr Lautrbach; +Cc: SElinux list

On Mon, 18 May 2020 at 14:52, Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Hello,
>
> A 3.1-rc1 release candidate for the SELinux userspace is now
> available at:
>
> https://github.com/SELinuxProject/selinux/wiki/Releases
>
> Please give it a test and let us know if there are any issues.
>
> If there are specific changes that you think should be called out
> in release notes for packagers and users in the final release
> announcement, let us know.
>

I think some further changes can be mentioned:

* the dso wrappers for internal calls were removed (and as a result I
think it is now strongly recommended to compile with
`-fno-semantic-interposition`?)

* `security_compute_user()` was deprecated (usage of
/sys/fs/selinux/user { security:compute_user } might be revisited)

* commit 42b13ba15a1ef5764eea8b84196fa5a1aea2e094 ("checkpolicy: Treat
invalid characters as an error") might break (but intentionally) rare
use cases



