Skip to content

SELinux userspace release 2020-07-10 / 3.1
Compare
Choose a tag to compare
@bachradsusi bachradsusi released this 10 Jul 15:42
· 733 commits to master since this release
20200710
7df27b7

User-visible changes

  • selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were removed

    The flask.h and av_permissions.h header files were deprecated and
    all selinux userspace references to them were removed in
    commit 76913d8 ("Deprecate use of flask.h and av_permissions.h.")
    back in 2014 and included in the 20150202 / 2.4 release.
    All userspace object managers should have been updated
    to use the dynamic class/perm mapping support since that time.
    Remove these headers finally to ensure that no users remain and
    that no future uses are ever introduced.

    Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
    permission names to their policy values, or selinux_set_mapping(3) to create a
    mapping from class and permission index values used by the application to the
    policy values.

  • Removed restrictions in libsepol and checkpolicy that required all declared
    initial SIDs to be assigned a context.

  • Support for new policy capability genfs_seclabel_symlinks

  • New setfiles -E option - treat conflicting specifications as errors, such
    as where two hardlinks for the same inode have different contexts.

  • restorecond_user.service - new systemd user service which runs restorecond -u

  • setsebool -V reports errors from commit phase

  • Improved man pages

  • semanage uses ipaddress Python module instead of IPy

  • matchpathcon related interfaces are deprecated

  • selinuxfs is mounted with noexec and nosuid

  • the dso wrappers for internal calls were removed and it is now strongly recommended to CFLAGS with
    -fno-semantic-interposition

  • security_compute_user() was deprecated

  • checkpolicy treats invalid characters as an error - might break rare use cases (intentionally)

  • New restorecon -x option which prevents it from crossing file system boundaries.

  • Handle semanage module in semanage bash completion

  • sepolgen-ifgen parses a gen_tunable statement as bool

  • semanage handles getprotobyname() failure case on Debian where /etc/protocols does not contain an entry for "ipv4"

Packaging-relevant changes

  • Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives
    to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired
    changes on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be
    set when overriding are:

    • -fno-semantic-interposition for gcc or compilers that do not do this. clang does this by default. clang-10 and up
      will support passing this flag, but ignore it. Previous clang versions fail.

  • setup.py builds can be customized using PYTHON_SETUP_ARGS, e.g. to for
    Debian Python layout use: make PYTHON_SETUP_ARGS=--install-layout=deb ...

Development-relevant changes

  • Improved README which was renamed to README.md and converted to markdown.

  • Added Travis CI job to run SELinux kernel testsuite on latest Fedora cloud image

Issues fixed

Assets 18