RELEASE 3.11
User-visible changes since 3.10
- Several security improvements in libselinux, dbus, gui, mcstrans and sandbox
- Added secilcheck program to check CIL neverallows against binary policies
- Improved restorecond.service to use the new restorecond -F option to run in
  foreground
- restorecon only logs an error on a read-only filesystem instead of failing
  (allows relabeling with read-only BTRFS subvolumes)
- Added setfiles -A option to disable SELINUX_RESTORECON_ADD_ASSOC
- Introduced a new SELINUX_RESTORECON_SKIP_MULTILINK flag to
  selinux_restorecon(3); if set, then selinux_restorecon(3) will refuse to
  relabel files with multiple hard links to prevent mislabeling them. Updated
  restorecond(8) to always pass this flag when relabeling files to prevent
  mislabeling hard links to files owned by others, e.g. when relabeling user
  home directories or /tmp.
- Dropped sandbox/seunshare -k/--kill support (unused by sandbox, fundamentally
  racy, redundant with killall -Z).
- Fixed sandbox/seunshare getopt flags to match the actual options.
- Fixed sandbox/seunshare remounting of /tmp and /var/tmp within the sandbox.
- Fixed sandbox interactive prompt for saving files.
- Added a cache size cap, max client cap, receive timeout, and maxbit cap to
  mcstrans to reduce the risk of DoS from misbehaving clients.
- Fixed mcstrans UAF on SIGHUP reload of its configuration files.
- Fixed mcstrans translation for uncached entries.
- Fixed semanage audit fd creation to avoid hitting RLIMIT_NOFILE on large
  semanage import operations (#291).
- Fixed libsepol generation of constraint expressions with a list of names when
  writing policy.conf from CIL.
- Fixed libsepol to generate constrain/validatetrans instead of
  mlsconstrain/mlsvalidatetrans when converting a module to CIL unless the
  constraint contains an expression based on level.
- Fixed libsepol selection of tunableif or booleanif, and skipping of empty
  conditional blocks, when converting a module to CIL.
- Fixed libsepol/secilc reporting of CIL source file info.
- Fixed libsepol to require at least one perm in a CIL classperm and to
  correctly count the number of elements in the avtab.
- Fixed libsepol to link xperm rule permissions correctly.
- Fixed libsepol off-by-one error in cats_ebitmap_len().
- Fixed dispol and dismod to show all options in the -h text.
- Fixed checkpolicy handling of out-of-range and complement at range boundaries
  for xperm rules (#530, #531).
- Dropped legacy fscon statement support from checkpolicy - never used in
  SELinux policies for mainline kernels (#518).
- Fixed libselinux constructor to not clobber errno (#445).
- Fixed libselinux selabel_partial_match(3) to correctly find partial matches.
- Fixed libselinux selinux_init_policy_load() to still try to mount selinuxfs on
  /sys/fs/selinux even if the mount of sysfs on /sys fails - this can occur
  legitimately within a user namespace.
- Improved restorecon related functionality in libselinux
- Improved semanage-fcontext(8) manpage
- Dropped Python 2 support from audit2why
- Multiple documentation improvements.
- Bug fixes
Security/hardening changes
- Rewrote libselinux selinux_restorecon(3) to eliminate TOCTOU issues in file
  relabeling if /proc is available (so that it can use /proc/self/fd-based
  pathnames). If /proc is not available, selinux_restorecon(3) falls back to
  just passing the full pathname each time for compatibility within chroot or
  other environments. For callers that pass the SELINUX_RESTORECON_REALPATH
  flag, like restorecon(8), selinux_restorecon(3) will still follow any
  intermediate symlinks in the initial pathname as part of realpath(3)
  canonicalization. Otherwise, selinux_restorecon(3) will not follow any
  symlinks. This may yield different user-visible behavior for setfiles(8) and
  restorecond(8) but only if a path containing an intermediate symlink is
  specified on the command-line (setfiles) or configuration (restorecond) since
  they did not follow any symlinks found during the tree walk regardless.
- Rewrote restorecond and sandbox/seunshare to eliminate TOCTOU issues on their
  other path-based operations via /proc/self/fd and the use of a safe_open()
  helper. This may yield different behavior if a path containing an intermediate
  symlink is passed to them via configuration (restorecond) or command-line
  (seunshare).
- Many hardening fixes spanning the entire tree (including but not limited to
  #522, #523, #525 thru #529, #532 thru #534)
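Illustration of the /proc/self/fd-based approach described above, as an added example that is not libselinux or restorecond code: the helper names (safe_open_entry, opened_as_symlink, read_label) and the fallback O_PATH value are assumptions, and the compat branch re-looks up the full pathname exactly as the notes describe for hosts without /proc.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#ifndef O_PATH
#define O_PATH 010000000 /* assumed Linux value for common architectures */
#endif

/* Hypothetical helper in the spirit of the safe_open() the notes mention
 * (not libselinux's implementation): open one directory entry relative to
 * dirfd without following symlinks. With O_PATH|O_NOFOLLOW a symlink is
 * opened as itself, so later operations act on exactly the entry that was
 * inspected, even if the name is replaced on disk afterwards. */
int safe_open_entry(int dirfd, const char *name)
{
    return openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
}

/* 1 if fd refers to a symlink inode (shows the link was not followed). */
int opened_as_symlink(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISLNK(st.st_mode);
}

/* Whether /proc/self/fd can name open objects (false e.g. in a chroot). */
int proc_fd_available(void)
{
    return access("/proc/self/fd", R_OK) == 0;
}

/* Read security.selinux of the object behind fd. Through the /proc/self/fd
 * magic link the kernel resolves to the opened inode itself (a symlink yields
 * the symlink's own label) with no second lookup of the original path, which
 * is what closes the TOCTOU window. Without /proc, re-look up the pathname
 * each time, as the compatibility mode does. Returns the label length or -1
 * (e.g. ENODATA or ENOTSUP on hosts without SELinux). */
ssize_t read_label(int fd, const char *fallback, char *out, size_t len)
{
    char path[64];
    if (proc_fd_available()) {
        snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
        return getxattr(path, "security.selinux", out, len);
    }
    return lgetxattr(fallback, "security.selinux", out, len);
}
```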
Development-relevant changes
- Reformatted entire tree based on .clang-format and added new
  check-format/format make targets to check and/or reformat code to match.
  This is now a requirement for new patches.
- Improved CI and refactored CI build into a custom GH action
- libselinux and python use system Python3 build module
- Fixed build errors with glibc 2.43.
- Fixed libselinux build for non-pthread builds.
- Build shared libraries with -fPIC for LTO.
- Fixed uclibc build failure (#435).
- Multiple fixes for musl/llvm-based builds, including adding a new
  EXTRA_LD_FLAGS variable that can be set for libselinux builds to pass
  --undefined-version through to lld (#511 thru #515).
- Fixed libsemanage pywrap target deps for parallel builds.
- Updated pywrap build targets for modern python builds using the Python3 build
  module.
- Disabled build isolation for sepolicy python module.