SELinux userspace release 3.11

bachradsusi released this 01 Jul 17:11 (commit 2233a23)

RELEASE 3.11

User-visible changes since 3.10

  • Several security improvements in libselinux, dbus, gui, mcstrans and sandbox.
  • Added the secilcheck program to check CIL neverallow rules against binary
    policies.
  • Improved restorecond.service to use the new restorecond -F option to run in
    the foreground.
  • restorecon now only logs an error on a read-only filesystem instead of failing
    (allows relabeling with read-only BTRFS subvolumes).
  • Added the setfiles -A option to disable SELINUX_RESTORECON_ADD_ASSOC.
  • Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
    selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to
    relabel files with multiple hard links to prevent mislabeling them. Updated
    restorecond(8) to always pass this flag when relabeling files to prevent
    mislabeling hard links to files owned by others, e.g. when relabeling user
    home directories or /tmp.
  • Dropped sandbox/seunshare -k/--kill support (unused by sandbox, fundamentally
    racy, redundant with killall -Z).
  • Fixed sandbox/seunshare getopt flags to match the actual options.
  • Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
  • Fixed sandbox interactive prompt for saving files.
  • Added a cache size cap, max client cap, receive timeout, and maxbit cap to
    mcstrans to reduce the risk of DoS from misbehaving clients.
  • Fixed mcstrans UAF on SIGHUP reload of its configuration files.
  • Fixed mcstrans translation for uncached entries.
  • Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large
    semanage import operations (#291).
  • Fixed libsepol generation of constraint expressions with a list of names when
    writing policy.conf from CIL.
  • Fixed libsepol to generate constrain/validatetrans instead of
    mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the
    constraint contains an expression based on level.
  • Fixed libsepol selection of tunableif versus booleanif, and skipping of empty
    conditional blocks, when converting a module to CIL.
  • Fixed libsepol/secilc reporting of CIL source file info.
  • Fixed libsepol to require at least one perm in a CIL classperm and to
    correctly count the number of elements in the avtab.
  • Fixed libsepol to link xperm rule permissions correctly.
  • Fixed libsepol off-by-one error in cats_ebitmap_len().
  • Fixed dispol and dismod to show all options in the -h text.
  • Fixed checkpolicy handling of out-of-range values and of complement operations
    at range boundaries for xperm rules (#530, #531).
  • Dropped legacy fscon statement support from checkpolicy - never used in
    SELinux policies for mainline kernels (#518).
  • Fixed libselinux constructor to not clobber errno (#445).
  • Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
  • Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on
    /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur
    legitimately within a user namespace.
  • Improved restorecon-related functionality in libselinux.
  • Improved the semanage-fcontext(8) manpage.
  • Dropped Python 2 support from audit2why.
  • Multiple documentation improvements.
  • Bug fixes.

Security/hardening changes

  • Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file
    relabeling if /proc is available (so that it can use /proc/self/fd-based
    pathnames). If /proc is not available, selinux_restorecon(3) falls back to
    just passing the full pathname each time for compatibility within chroot or
    other environments. For callers that pass the SELINUX_RESTORECON_REALPATH
    flag, like restorecon(8), selinux_restorecon(3) will still follow any
    intermediate symlinks in the initial pathname as part of realpath(3)
    canonicalization. Otherwise, selinux_restorecon(3) will not follow any
    symlinks. This may yield different user-visible behavior for setfiles(8) and
    restorecond(8) but only if a path containing an intermediate symlink is
    specified on the command-line (setfiles) or configuration (restorecond) since
    they did not follow any symlinks found during the tree walk regardless.

  • Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues on their
    other path-based operations via /proc/self/fd and the use of a safe_open()
    helper. This may yield different behavior if a path containing an intermediate
    symlink is passed to them via configuration (restorecond) or command-line
    (seunshare).

  • Many hardening fixes spanning the entire tree (including but not limited to
    #522, #523, #525 through #529, #532 through #534).
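The two hardening items above (relabeling through /proc/self/fd instead of a pathname that can be re-resolved, and a safe_open()-style component walk that never follows symlinks) and the SELINUX_RESTORECON_SKIP_MULTILINK flag from the user-visible list are easiest to see in one small program. The following is an added example written for this page, not code from the SELinux userspace tree: safe_open(), relabel_decision(), the RC_* codes and the fixture under /tmp are all hypothetical names, and the actual setfilecon(3) call is left out so the program runs on any Linux box with /proc mounted, SELinux or not. It assumes Linux (O_PATH, /proc/self/fd) and a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH /* assumption: generic Linux value if the headers hide it */
#define O_PATH 010000000
#endif

enum { RC_ERROR = -1, RC_RELABEL = 0, RC_SKIP_MULTILINK = 1, RC_SYMLINK = 2 };

/* Hypothetical safe_open(): open PATH one component at a time with openat(2)
 * and O_PATH|O_NOFOLLOW, so no component is ever followed as a symlink; a link
 * seen by fstat(2) is rejected with ELOOP. Returns an O_PATH fd or -1. */
static int safe_open(const char *path)
{
    char *copy = strdup(path), *save = NULL, *c;
    int fd = copy ? open(path[0] == '/' ? "/" : ".", O_PATH | O_DIRECTORY) : -1;
    for (c = fd < 0 ? NULL : strtok_r(copy, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        int next = openat(fd, c, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        close(fd); /* closing a valid parent fd leaves errno from a failed openat intact */
        if ((fd = next) >= 0 && (fstat(fd, &st) < 0 || S_ISLNK(st.st_mode))) {
            close(fd);
            fd = -1;
            errno = ELOOP;
        }
        if (fd < 0)
            break;
    }
    int e = errno;
    free(copy);
    errno = e;
    return fd;
}

/* What a hardened relabel of PATH would do. The label write itself (setfilecon(3),
 * omitted) would name /proc/self/fd/N for the fd we hold, never PATH again. */
static int relabel_decision(const char *path, int skip_multilink)
{
    struct stat st, via_proc;
    char procpath[64];
    int fd = safe_open(path), rc = RC_ERROR;
    if (fd < 0)
        return errno == ELOOP ? RC_SYMLINK : RC_ERROR;
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    if (fstat(fd, &st) < 0)
        rc = RC_ERROR;
    else if (skip_multilink && !S_ISDIR(st.st_mode) && st.st_nlink > 1)
        rc = RC_SKIP_MULTILINK; /* SELINUX_RESTORECON_SKIP_MULTILINK semantics */
    else if (stat(procpath, &via_proc) == 0 && via_proc.st_ino == st.st_ino &&
             via_proc.st_dev == st.st_dev)
        rc = RC_RELABEL; /* the /proc name still denotes the inode we opened */
    close(fd);
    return rc;
}

/* Constructed fixture: "plain", "linked" + hard link "linked2", symlink "sym" -> plain. */
static char g_dir[] = "/tmp/restorecon-demo-XXXXXX";
static char g_path[sizeof g_dir + 16];

static const char *fixture_path(const char *name)
{
    snprintf(g_path, sizeof g_path, "%s/%s", g_dir, name);
    return g_path;
}

static int build_fixture(void)
{
    char linked[sizeof g_path];
    if (!mkdtemp(g_dir) || close(creat(fixture_path("plain"), 0600)) < 0)
        return -1;
    snprintf(linked, sizeof linked, "%s/linked", g_dir);
    if (close(creat(linked, 0600)) < 0 || link(linked, fixture_path("linked2")) < 0)
        return -1;
    return symlink("plain", fixture_path("sym"));
}

static int cleanup_fixture(void)
{
    const char *names[] = { "plain", "linked", "linked2", "sym" };
    for (int i = 0; i < 4; i++)
        unlink(fixture_path(names[i]));
    return rmdir(g_dir);
}

int main(void)
{
    const char *names[] = { "plain", "linked", "sym", "missing" };
    if (build_fixture() < 0)
        return 1;
    for (int i = 0; i < 4; i++)
        printf("%-8s skip_multilink=1: %d  skip_multilink=0: %d\n", names[i],
               relabel_decision(fixture_path(names[i]), 1),
               relabel_decision(fixture_path(names[i]), 0));
    return cleanup_fixture();
}
```

Build with `cc -Wall -o restorecon-demo restorecon-demo.c` and run it. The file with two hard links is skipped only when the flag is set, the symlink is refused outright because the final component is never followed, and the directory is relabeled despite its link count because the multilink check applies to non-directories only. The component walk is stricter than what restorecon(8) does for its initial argument (it canonicalizes with realpath(3) first, as the note above says); it matches the no-symlinks behaviour described for restorecond and seunshare.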

Development-relevant changes

  • Reformatted entire tree based on .clang-format and added new
    check-format/format make targets to check and/or reformat code to match.
    This is now a requirement for new patches.
  • Improved CI and refactored the CI build into a custom GH action.
  • libselinux and python use the system Python3 build module.
  • Fixed build errors with glibc 2.43.
  • Fixed libselinux build for non-pthread builds.
  • Build shared libraries with -fPIC for LTO.
  • Fixed uclibc build failure (#435).
  • Multiple fixes for musl/llvm-based builds, including adding a new
    EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
    --undefined-version through to lld (#511 through #515).
  • Fixed libsemanage pywrap target deps for parallel builds.
  • Updated pywrap build targets for modern python builds using the Python3 build
    module.
  • Disabled build isolation for sepolicy python module.