libselinux Changelog

What's new in libselinux 3.0

Dec 4, 2019
  • User-visible changes:
  • Optional support for kernel policy optimization (enable with optimize-policy=true in /etc/selinux/semanage.conf for modular policy, or with the -O option to checkpolicy/secilc for monolithic policy); this is optional because it provides relatively small savings with non-trivial policy compile-time overhead for some policies, e.g. Android,
  • New digest scheme for setfiles/restorecon -D; instead of a single hash of the entire file contexts configuration stored in a security.restorecon_last xattr on only the top-level directory, use a hash of all partial matches from file contexts stored in a security.sehash xattr on each directory,
  • Support for default_range glblub in source policy (.te/policy.conf and CIL) and kernel policy version 32,
  • New libselinux APIs for querying validatetrans rules,
  • Unknown permissions are now handled as errors in CIL,
  • security_av_string() no longer returns immediately upon encountering an unknown permission and will log all known permissions,
  • checkmodule -c support for specifying module policy version,
  • mcstransd reverted to original color range matching based on dominance,
  • Support for 'dccp' and 'sctp' protocols in semanage port command,
  • 'checkpolicy -o -' writes policy to standard output,
  • 'semodule -v' also sets CIL's log level,
  • Python 2 code is not supported in this project anymore, and new Python code should be written only for Python 3.
  • Messages about the statement failing to resolve and the optional block being disabled are displayed at the highest verbosity level.
  • Fixed redundant console log output error in restorecond

New in libselinux 2.2 (Oct 31, 2013)

  • checkpolicy: Support space and colon in filenames.
  • libselinux: Add selinux_set_policy_root, selinux_systemd_contexts_path, selinux_current_policy_path interfaces.
  • libselinux: Fix avc_has_perm() returns -1 even when SELinux is permissive.
  • libselinux: Mount sysfs before trying to mount selinuxfs.
  • libselinux: Support udev-197 and higher.
  • libsemanage: Add audit support.
  • libsemanage: Apply a MAX_UID check for genhomedircon.
  • libsepol: Allow constraint denial cause to be determined (policy version 29).
  • policycoreutils: Extend audit2why to report constraint denial cause.
  • policycoreutils: Replace genhomedircon script with link to semodule.
  • policycoreutils: Add sepolicy and semanage tests.
  • policycoreutils: Many improvements to sepolicy, semanage, and gui.
  • sepolgen: Return constraint denial cause information, add support for file name transitions.
  • All: Man page fixes/updates and Makefile improvements.