libselinux Changelog
What's new in libselinux 3.0
Dec 4, 2019 - User-visible changes:
- Optional support for kernel policy optimization (enable with optimize-policy=true in /etc/selinux/semanage.conf for modular policy or -O option to checkpolicy/secilc for monolithic policy); this is optional because it provides relatively small savings with non-trivial policy compile-time overhead for some policies, e.g. Android.
- New digest scheme for setfiles/restorecon -D; instead of a single hash of the entire file contexts configuration stored in a security.restorecon_last xattr on only the top-level directory, use a hash of all partial matches from file contexts stored in a security.sehash xattr on each directory,
- Support for default_range glblub in source policy (.te/policy.conf and CIL) and kernel policy version 32,
- New libselinux APIs for querying validatetrans rules,
- Unknown permissions are now handled as errors in CIL,
- security_av_string() no longer returns immediately upon encountering an unknown permission and will log all known permissions,
- checkmodule -c support for specifying module policy version,
- mcstransd reverted to original color range matching based on dominance,
- Support for 'dccp' and 'sctp' protocols in semanage port command,
- 'checkpolicy -o -' writes policy to standard output,
- 'semodule -v' also sets CIL's log level,
- Python 2 code is not supported in this project anymore and new Python code should be written only for Python 3.
- Messages about the statement failing to resolve and the optional block being disabled are displayed at the highest verbosity level.
- Fixed redundant console log output error in restorecond
New in libselinux 2.2 (Oct 31, 2013)
- checkpolicy: Support space and colon in filenames.
- libselinux: Add selinux_set_policy_root, selinux_systemd_contexts_path, selinux_current_policy_path interfaces.
- libselinux: Fix avc_has_perm() returning -1 even when SELinux is permissive.
- libselinux: Mount sysfs before trying to mount selinuxfs.
- libselinux: Support udev-197 and higher.
- libsemanage: Add audit support.
- libsemanage: Apply a MAX_UID check for genhomedircon.
- libsepol: Allow constraint denial cause to be determined (policy version 29).
- policycoreutils: Extend audit2why to report constraint denial cause.
- policycoreutils: Replace genhomedircon script with link to semodule.
- policycoreutils: Add sepolicy and semanage tests.
- policycoreutils: Many improvements to sepolicy, semanage, and gui.
- sepolgen: Return constraint denial cause information, add support for file name transitions.
- All: Man page fixes/updates and Makefile improvements.