Releases: SELinuxProject/selinux
SELinux userspace release 3.5-rc1
RELEASE 3.5-rc1
User-visible changes
- Maintainer GPG fingerprints added to /SECURITY.md
- Remove dependency on the deprecated Python module distutils and install via pip
- semodule option --rebuild-if-modules-changed was renamed to --refresh
- Translation updated and better handling for unsupported languages
- fixfiles: Unmount temporary bind mounts on SIGINT
- sepolicy: Several Python and GTK updates
- libsepol: Stricter policy validation
- A lot of static code analysis issues, fuzzer issues and compiler warnings fixed
- Bug fixes
Development-relevant changes
- ci: Run on Fedora36 instead of F34
SELinux userspace release 3.4
RELEASE 3.4
User-visible changes
- A new selinux_restorecon_parallel(3) function that allows relabeling to run over multiple threads
- setfiles/restorecon/fixfiles support parallel relabeling via the [ -T ] threads option
- A new semodule option [ -m | --checksum ] to get SHA256 hashes of modules
- mcstrans ported to PCRE2
- libsepol/cil supports IPv4/IPv6 address embedding
- Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules are changed externally
- A lot of static code analysis issues, fuzzer issues and compiler warnings fixed
- Translations split into sub-packages and updated from https://translate.fedoraproject.org/projects/selinux/
- New policy utilities in libsepol: sepol_check_access, sepol_compute_av, sepol_compute_member, sepol_compute_relabel, sepol_validate_transition
- A new setfiles option [-C] for distinguishing file tree walk errors
- Improved code quality and bug fixes
Development-relevant changes
- ci: run the tests under ASan/UBsan on GHActions
SELinux userspace release 3.4-rc3
RELEASE 3.4-rc3
User-visible changes
- A new setfiles option [-C] for distinguishing file tree walk errors
- Added missing sandbox translations
SELinux userspace release 3.4-rc2
RELEASE 3.4-rc2
User-visible changes
- New policy utilities in libsepol: sepol_check_access, sepol_compute_av, sepol_compute_member, sepol_compute_relabel, sepol_validate_transition
- Improved code quality and bug fixes
3.4-rc1
RELEASE 3.4-rc1
User-visible changes
- A new selinux_restorecon_parallel(3) function that allows relabeling to run over multiple threads
- setfiles/restorecon/fixfiles support parallel relabeling via the [ -T ] threads option
- A new semodule option [ -m | --checksum ] to get SHA256 hashes of modules
- mcstrans ported to PCRE2
- libsepol/cil supports IPv4/IPv6 address embedding
- Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules are changed externally
- A lot of static code analysis issues, fuzzer issues and compiler warnings fixed
- Translations split into sub-packages and updated from https://translate.fedoraproject.org/projects/selinux/
- Bug fixes
Development-relevant changes
- ci: run the tests under ASan/UBsan on GHActions
SELinux userspace release 3.3
RELEASE 3.3
User-visible changes
- When reading a binary policy by checkpolicy, do not automatically change the version to the max policy version supported by libsepol or, if specified, the value given using the "-c" flag.
- fixfiles -C doesn't exclude /dev and /run anymore
- CIL: Lists are allowed in constraint expressions
- CIL: Improved situation with duplicate macro and block declarations
- Added the new secilc2tree program to write out CIL AST.
- Improved documentation
- A lot of static code analysis issues, fuzzer issues and compiler warnings fixed
- Updated checkpolicy documentation
- checkpolicy prints the reason why opening a source policy file failed
- Bug fixes
Development-relevant changes
- CIFuzz is turned on in CI: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
- Fedora 34 image is used in CI
Issues fixed
SELinux userspace release 3.3-rc3
RELEASE 3.3-rc3
- Updated checkpolicy documentation
- checkpolicy prints the reason why opening a source policy file failed
- Bug fixes
SELinux userspace release 3.3-rc2
RELEASE 3.3-rc2
- Bug fixes
SELinux userspace release 3.3-rc1
RELEASE 3.3-rc1
User-visible changes
- When reading a binary policy by checkpolicy, do not automatically change the version to the max policy version supported by libsepol or, if specified, the value given using the "-c" flag.
- fixfiles -C doesn't exclude /dev and /run anymore
- CIL: Lists are allowed in constraint expressions
- CIL: Improved situation with duplicate macro and block declarations
- Added the new secilc2tree program to write out CIL AST.
- Improved documentation
- A lot of static code analysis issues and compiler warnings fixed
- Bug fixes
Development-relevant changes
- CIFuzz is turned on in CI: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
- Fedora 34 image is used in CI
Issues fixed
SELinux userspace release 3.2
User-visible changes
- libsepol implemented a new, more space-efficient form of storing filename transitions in the binary policy and reduced the size of the binary policy
- libselinux: Use mmap()'ed kernel status page instead of netlink by default. See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
  Note: if you need to umount /sys/fs/selinux you need to use lazy umount (umount -l /sys/fs/selinux), as the kernel status page /sys/fs/selinux/status stays mapped by processes like systemd, dbus, sshd.
- Tools using sepolgen, e.g. audit2allow, print extended permissions in hexadecimal
- sepolgen sorts extended rules like normal ones
- New log callback levels for enforcing and policy load notices: SELINUX_POLICYLOAD, SELINUX_SETENFORCE
- Changed userspace AVC setenforce and policy load messages to audit format.
- matchpathcon converted to selabel_lookup() - no more "matchpathcon is deprecated" warning
- libsepol and libsemanage dropped old and deprecated symbols and functions
  libsepol version was bumped to libsepol.so.2
  libsemanage version was bumped to libsemanage.so.2
- Release version for the whole project is the same as for subcomponents, e.g. instead of 20210118 it's 3.2-rc1
- Improved usability of getseuser
- Fixed several issues in CIL code found by OSS-FUZZ
- setfiles doesn't abort on labeling errors
- libsemanage tries to sync data to prevent empty files in SELinux module store
- Improved secilc documentation - fenced code blocks, syntax highlighting, custom color theme, ...
- Better error reporting in getconlist
- libsepol implemented a new, more space-efficient form of storing filename transitions in the binary policy and reduced the size of the binary policy
- libselinux: Use mmap()'ed kernel status page instead of netlink by default. See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
  Note: if you need to umount /sys/fs/selinux you need to use lazy umount (umount -l /sys/fs/selinux), as the kernel status page /sys/fs/selinux/status stays mapped by processes like systemd, dbus, sshd.
- Tools using sepolgen, e.g. audit2allow, print extended permissions in hexadecimal
- sepolgen sorts extended rules like normal ones
- New log callback levels for enforcing and policy load notices: SELINUX_POLICYLOAD, SELINUX_SETENFORCE
- Changed userspace AVC setenforce and policy load messages to audit format.
- matchpathcon converted to selabel_lookup() - no more "matchpathcon is deprecated" warning
- libsepol and libsemanage dropped old and deprecated symbols and functions
  libsepol version was bumped to libsepol.so.2
  libsemanage version was bumped to libsemanage.so.2
- Release version for the whole project is the same as for subcomponents, e.g. instead of 20210304 it's 3.2
- Improved man pages
- Bug fixes
Development-relevant changes
- License the CI scripts with a permissive, OSI approved license, such as MIT
- Several CI improvements
- Added configuration to build and run tests in GitHub Actions
- CI contains configuration for a Vagrant virtual machine - instructions on how to use it are documented at the beginning of Vagrantfile.
- scripts/release was improved to be more robust and release a source repository
Packaging-relevant changes
- Both libsepol and libsemanage bumped their soname versions. In particular, libsemanage is linked to shadow-utils, and a direct update might cause problems for buildroots. SETools also needs to be rebuilt against libsepol.so.2
- Source repository snapshot selinux-3.2-rc2.tar.gz is available on the release page
- sestatus is installed as /usr/bin/sestatus by default. The original /usr/sbin/sestatus is a relative symlink to /usr/bin/sestatus.