Releases: SELinuxProject/selinux

SELinux userspace release 3.5-rc1

23 Dec 00:12
Pre-release

RELEASE 3.5-rc1

User-visible changes

  • Maintainer GPG fingerprints added to /SECURITY.md

  • Remove dependency on the deprecated Python module distutils and install via pip

  • semodule option --rebuild-if-modules-changed was renamed to --refresh

  • Translations updated and better handling of unsupported languages

  • fixfiles: Unmount temporary bind mounts on SIGINT

  • sepolicy: Several python and GTK updates

  • libsepol: Stricter policy validation

  • Many static code analysis issues, fuzzer issues and compiler warnings fixed

  • Bug fixes

Development-relevant changes

  • ci: Run on Fedora36 instead of F34

SELinux userspace release 3.4

18 May 17:20
0a8c177

RELEASE 3.4

User-visible changes

  • A new selinux_restorecon_parallel(3) function that allows relabeling to run over multiple threads

  • setfiles/restorecon/fixfiles support parallel relabeling via [ -T ] threads option

  • A new semodule option [ -m | --checksum ] to get SHA256 hashes of modules

  • mcstrans ported to PCRE2

  • libsepol/cil supports IPv4/IPv6 address embedding

  • Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules
    are changed externally

  • Many static code analysis issues, fuzzer issues and compiler warnings fixed

  • Translations split into sub-packages and updated from
    https://translate.fedoraproject.org/projects/selinux/

  • New policy utilities in libsepol - sepol_check_access,
    sepol_compute_av, sepol_compute_member, sepol_compute_relabel,
    sepol_validate_transition

  • A new setfiles option [-C] for distinguishing file tree walk errors

  • Improved code quality and bug fixes

Development-relevant changes

  • ci: run the tests under ASan/UBsan on GHActions

SELinux userspace release 3.4-rc3

04 May 17:50
9df28c2
Pre-release

RELEASE 3.4-rc3

User-visible changes

  • A new setfiles option [-C] for distinguishing file tree walk errors

  • Added missing sandbox translations

SELinux userspace release 3.4-rc2

20 Apr 20:22
2a167d1
Pre-release

RELEASE 3.4-rc2

User-visible changes

  • New policy utilities in libsepol - sepol_check_access,
    sepol_compute_av, sepol_compute_member, sepol_compute_relabel,
    sepol_validate_transition

  • Improved code quality and bug fixes

3.4-rc1

06 Apr 19:48
73562de
Pre-release

RELEASE 3.4-rc1

User-visible changes

  • A new selinux_restorecon_parallel(3) function that allows relabeling to run over multiple threads

  • setfiles/restorecon/fixfiles support parallel relabeling via [ -T ] threads option

  • A new semodule option [ -m | --checksum ] to get SHA256 hashes of modules

  • mcstrans ported to PCRE2

  • libsepol/cil supports IPv4/IPv6 address embedding

  • Add a new semodule option [ --rebuild-if-modules-changed ] to optionally rebuild policy when modules
    are changed externally

  • Many static code analysis issues, fuzzer issues and compiler warnings fixed

  • Translations split into sub-packages and updated from
    https://translate.fedoraproject.org/projects/selinux/

  • Bug fixes

Development-relevant changes

  • ci: run the tests under ASan/UBsan on GHActions

SELinux userspace release 3.3

22 Oct 06:31
7f600c4

RELEASE 3.3

User-visible changes

  • When reading a binary policy by checkpolicy, do not automatically change the version
    to the max policy version supported by libsepol or, if specified, the value given
    using the "-c" flag.

  • fixfiles -C doesn't exclude /dev and /run anymore

  • CIL: Lists are allowed in constraint expressions

  • CIL: Improved situation with duplicate macro and block declarations

  • Added the new secilc2tree program to write out CIL AST.

  • Improved documentation

  • Many static code analysis issues, fuzzer issues and compiler warnings fixed

  • Updated checkpolicy documentation

  • checkpolicy prints the reason why opening a source policy file failed

  • Bug fixes

Development-relevant changes

Issues fixed

SELinux userspace release 3.3-rc3

06 Oct 12:04
5319c49

RELEASE 3.3-rc3

  • Updated checkpolicy documentation
  • checkpolicy prints the reason why opening a source policy file failed
  • Bug fixes

SELinux userspace release 3.3-rc2

22 Sep 15:26
0b83397

RELEASE 3.3-rc2

  • Bug fixes

SELinux userspace release 3.3-rc1

08 Sep 08:36
Pre-release

RELEASE 3.3-rc1

User-visible changes

  • When reading a binary policy by checkpolicy, do not automatically change the version
    to the max policy version supported by libsepol or, if specified, the value given
    using the "-c" flag.

  • fixfiles -C doesn't exclude /dev and /run anymore

  • CIL: Lists are allowed in constraint expressions

  • CIL: Improved situation with duplicate macro and block declarations

  • Added the new secilc2tree program to write out CIL AST.

  • Improved documentation

  • Many static code analysis issues and compiler warnings fixed

  • Bug fixes

Development-relevant changes

Issues fixed

SELinux userspace release 3.2

04 Mar 16:26
cf853c1

User-visible changes

  • libsepol implemented a new, more space-efficient form of storing filename
    transitions in the binary policy and reduced the size of the binary policy

  • libselinux: Use mmap()'ed kernel status page instead of netlink by default.
    See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
    Note: if you need to umount /sys/fs/selinux, you need to use a lazy umount
    (umount -l /sys/fs/selinux), because the kernel status page
    /sys/fs/selinux/status stays mapped by processes like systemd, dbus, sshd.

  • Tools using sepolgen, e.g. audit2allow, print extended permissions in
    hexadecimal

  • sepolgen sorts extended rules like normal ones

  • New log callback levels for enforcing and policy load notices -
    SELINUX_POLICYLOAD, SELINUX_SETENFORCE

  • Changed userspace AVC setenforce and policy load messages to audit format.

  • matchpathcon converted to selabel_lookup() - no more "matchpathcon is
    deprecated" warning

  • libsepol and libsemanage dropped old and deprecated symbols and functions:
    libsepol version was bumped to libsepol.so.2 and
    libsemanage version was bumped to libsemanage.so.2

  • Release version for the whole project is the same as for subcomponents, e.g.
    instead of 20210118 it's 3.2-rc1

  • Improved usability of getseuser

  • Fixed several issues in cil code found by OSS-FUZZ

  • setfiles doesn't abort on labeling errors

  • libsemanage tries to sync data to prevent empty files in SELinux module store

  • Improved secilc documentation - fenced code blocks, syntax highlighting, custom
    color theme, ...

  • Better error reporting in getconlist

  • Release version for the whole project is the same as for subcomponents, e.g.
    instead of 20210304 it's 3.2

  • Improved man pages

  • Bug fixes

Development-relevant changes

  • License the CI scripts with a permissive, OSI approved license, such as MIT

  • Several CI improvements

  • Added configuration to build and run tests in GitHub Actions

  • CI contains configuration for a Vagrant virtual machine - instructions on how
    to use it are documented at the beginning of Vagrantfile.

  • scripts/release was improved to be more robust and release a source repository

Packaging-relevant changes

  • Both libsepol and libsemanage bumped their soname versions. In particular,
    libsemanage is linked to shadow-utils and a direct update might cause problems
    for buildroots. Also, SETools needs to be rebuilt against libsepol.so.2

  • Source repository snapshot selinux-3.2-rc2.tar.gz is available on the release page

  • sestatus is installed as /usr/bin/sestatus by default. Original /usr/sbin/sestatus is
    a relative symlink to the /usr/bin/sestatus.

Issues fixed