SELinux userspace release 2020-05-18 / 3.1-rc1
Pre-release
RELEASE 20200518 (3.1-rc1)
User-visible changes:
- selinux/flask.h and selinux/av_permissions.h were removed

  The flask.h and av_permissions.h header files were deprecated and
  all selinux userspace references to them were removed in
  commit 76913d8 ("Deprecate use of flask.h and av_permissions.h.")
  back in 2014 and included in the 20150202 / 2.4 release.
  All userspace object managers should have been updated
  to use the dynamic class/perm mapping support since that time.
  The headers are now finally removed to ensure that no users remain and
  that no future uses are ever introduced.

  Use string_to_security_class(3) and string_to_av_perm(3) to map the class and
  permission names to their policy values, or selinux_set_mapping(3) to create a
  mapping from class and permission index values used by the application to the
  policy values.
- Support for the new policy capability (polcap) genfs_seclabel_symlinks
- New setfiles -E option - treat conflicting specifications as errors, such
  as where two hardlinks for the same inode have different contexts.
- restorecond_user.service - new systemd user service which runs restorecond -u
- setsebool -V reports errors from commit phase
- Improved man pages
- semanage uses ipaddress Python module instead of IPy
- matchpathcon related interfaces are deprecated
- selinuxfs is mounted with noexec and nosuid
- Improved README which was renamed to README.md and converted to markdown.
- setup.py builds can be customized using PYTHON_SETUP_ARGS, e.g. for the
  Debian Python layout use: make PYTHON_SETUP_ARGS=--install-layout=deb ...
- the dso wrappers for internal calls were removed and it is now strongly recommended to build with -fno-semantic-interposition in CFLAGS
- security_compute_user() was deprecated - usage of /sys/fs/selinux/user { security:compute_user } might be revisited
- checkpolicy treats invalid characters as an error - this is intentional, but it might break rare use cases
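
For the flask.h / av_permissions.h removal above, this added example (not libselinux or project code) shows what a name-based lookup resolves: the class index and permission bit that the loaded policy exposes under selinuxfs, which the removed headers hard-coded at compile time. Object managers should call string_to_security_class(3) and string_to_av_perm(3) as the notes say; the function names and the `root` parameter here are assumptions so the lookup can be pointed at a test tree.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Added example: lookup_class, lookup_perm and `root` are assumed names. */
/* Read one unsigned decimal from a selinuxfs-style file; 0 means "not found". */
static unsigned read_uint(const char *path)
{
    char buf[32] = "";
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    if (!fgets(buf, sizeof buf, f))
        buf[0] = '\0';
    fclose(f);
    return (unsigned)strtoul(buf, NULL, 10);
}

/* Class value assigned by the loaded policy; root is e.g. "/sys/fs/selinux". */
unsigned lookup_class(const char *root, const char *cls)
{
    char path[512];
    int n = snprintf(path, sizeof path, "%s/class/%s/index", root, cls);
    return (n < 0 || (size_t)n >= sizeof path) ? 0 : read_uint(path);
}

/* Access-vector bit for a permission: the file holds a 1-based bit position. */
uint32_t lookup_perm(const char *root, const char *cls, const char *perm)
{
    char path[512];
    int n = snprintf(path, sizeof path, "%s/class/%s/perms/%s", root, cls, perm);
    if (n < 0 || (size_t)n >= sizeof path)
        return 0;
    unsigned bit = read_uint(path);
    return (bit >= 1 && bit <= 32) ? UINT32_C(1) << (bit - 1) : 0;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/sys/fs/selinux";
    unsigned cls = lookup_class(root, "file");
    uint32_t av = lookup_perm(root, "file", "read");
    if (cls == 0 || av == 0) {
        fprintf(stderr, "class or permission not defined by the loaded policy\n");
        return 1;
    }
    printf("file=%u file:read=0x%x\n", cls, (unsigned)av);
    return 0;
}
```

A return of 0 means the loaded policy does not define the name, which is the case a compile-time constant could never report.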
Issues fixed: