Releases: SELinuxProject/selinux

SELinux userspace release 20190125 / 2.9-rc1

25 Jan 11:06

RELEASE 20190124 (2.9-rc1)

User-visible changes:

  • Spelling errors were fixed in libselinux man pages

  • audit2allow supports xperms now. The new '-x'/'--xperms' options turn on
    generation of extended permission AV rules.

  • semanage login is fixed so that it no longer logs two audit events, of which
    one was correct.

  • libsemanage resets umask before creating directories so that file permissions
    should not change after a change is committed.

  • Correct user name is used in ROLE_REMOVE audit events

  • The noise produced by the checkpolicy command line tool is reduced now.

  • A new option '-S' or '--sort' is added to checkpolicy to sort the ocontexts
    before writing out the binary policy.

  • sepolicy and semanage accept aliases now.

  • Deprecated at_console statement was removed from dbus configuration.

  • semanage export output includes ibpkey and ibendport now.

  • audit2why can be run as non-root user now.

Packaging-relevant changes:

  • Usage of DESTDIR in restorecond is consistent with other directories now

Issues fixed:

SELinux userspace release 20180524 / 2.8

24 May 18:39

RELEASE 20180524 (2.8)

User-visible changes:

  • semanage fcontext -l now also lists home directory entries from
    file_contexts.homedirs.

  • semodule can now enable or disable multiple modules in the same
    operation by specifying a list of modules after -e or -d, making them
    consistent with the -i/u/r/E options.

  • CIL now supports multiple declarations of types, attributes, and
    (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
    or --multiple-decls option to secilc.

  • libsemanage no longer deletes the tmp directory if there is an error
    while committing the policy transaction, so that any temporary files
    can be further inspected for debugging purposes (e.g. to examine a
    particular line of the generated CIL module). The tmp directory will
    be deleted upon the next transaction, so no manual removal is needed.

  • Support was added for SCTP portcon statements. The corresponding
    kernel support was introduced in Linux 4.17, and is only active if the
    extended_socket_class policy capability is enabled in the policy. This
    support is required to build the refpolicy master branch (and thus future
    refpolicy releases).

  • sepol_polcap_getnum/name() were exported as part of the shared libsepol
    interface, initially for use by setools4.

  • semodule_deps was removed since it has long been broken and is not useful
    for CIL modules.

Packaging-relevant changes:

  • When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
    DESTDIR has to be removed from the definition. For example on Arch
    Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".

  • Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
    no longer mandatory (thanks to the switch to "-l:libsepol.a" in
    Makefiles).

  • PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).

  • selinux-gui (i.e. system-config-selinux GUI application) is now
    compatible with Python 3. Doing this required migrating away from
    PyGTK to the supported PyGI library. This means that selinux-gui now
    depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
    requires PyGtk or Python 2.

20140826-rc1: Bump versions and update ChangeLog

26 Aug 15:20
Signed-off-by: Steve Lawrence <[email protected]>