* Fix dead links to www.nsa.gov/selinux
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
* Fix dead links to www.nsa.gov/selinux
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package requires now 'filesystem' >= 3, which is only installable
on a system which has /bin, /sbin, /lib, /lib64 as symlinks to /usr and
not regular directories. The 'filesystem' package acts as a guard, to
prevent *this* package to be installed on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away, old
installations need to be converted with anaconda or dracut first; only
after that, the 'filesystem' package, and also *this* package can be
installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64, but
only in the corresponding directories in /usr. Packages *must* not
install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibility symlinks must not be
installed.
Feel free to modify any of the changes to the spec file, but keep the
above in mind.
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Fix setenforce manage page.
* selinuxswig_python.i: don't make syscall if it won't change anything
* Remove assert in security_get_boolean_names(3)
* Mapped compute functions now obey deny_unknown flag
* get_default_type now sets EINVAL if no entry.
* return EINVAL if invalid role selected
* Updated selabel_file(5) man page
* Updated selabel_db(5) man page
* Updated selabel_media(5) man page
* Updated selabel_x(5) man page
* Add man/man5 man pages
* Add man/man5 man pages
* Add man/man5 man pages
* use -W and -Werror in utils
* load_policy: handle selinux=0 and /sys/fs/selinux not exist
* regenerate .pc on VERSION change
* label: cosmetic cleanups
* simple interface for access checks
* Don't reinitialize avc_init if it has been called previously
* seusers: fix to handle large sets of groups
* audit2why: close fd on enomem
* rename and export symlink_realpath
* label_file: style changes to make Eric happy.
* utils: matchpathcon: remove duplicate declaration
* src: matchpathcon: use myprintf not fprintf
* src: matchpathcon: make sure resolved path starts
* put libselinux.so.1 in /lib not /usr/lib
* tree: default make target to all not
* utils: matchpathcon: remove duplicate declaration
* src: matchpathcon: use myprintf not fprintf
* src: matchpathcon: make sure resolved path starts
* put libselinux.so.1 in /lib not /usr/lib
* tree: default make target to all not
2.1.4 2011-0817
* mapping fix for invalid class/perms after selinux_set_mapping
* audit2why: work around python bug not defining
* resolv symlinks and dot directories before matching
* Release, minor version bump
* Give correct names to mount points in load_policy by Dan Walsh.
* Make sure selinux state is reported correctly if selinux is disabled or
fails to load by Dan Walsh.
* Fix crash if selinux_key_create was never called by Dan Walsh.
* Add new file_context.subs_dist for distro specific filecon substitutions
by Dan Walsh.
* Update man pages for selinux_color_* functions by Richard Haines.
* Give correct names to mount points in load_policy by Dan Walsh.
* Make sure selinux state is reported correctly if selinux is disabled or
fails to load by Dan Walsh.
* Fix crash if selinux_key_create was never called by Dan Walsh.
* Add new file_context.subs_dist for distro specific filecon substitutions
by Dan Walsh.
* Update man pages for selinux_color_* functions by Richard Haines.
Errors were being seen in libpthread/libdl that were related
to corrupt thread specific keys. Global destructors that are called on dl
unload. During destruction delete a thread specific key without checking
if it has been initialized. Since the constructor is not called each time
(i.e. key is not initialized with pthread_key_create each time), and the
default is 0, there is a possibility that key 0 for an active thread gets
deleted. This is exactly what is happening in case of OpenJDK.
Change the AVC to only audit the permissions specified by the policy,
excluding any permissions specified via dontaudit or not specified via
auditallow.
Fix compilation of label_file.c with latest glibc headers.
add/reformat man pages by Guido Trentalancia <guido@trentalancia.com>.
Change exception.sh to be called with bash by Manoj Srivastava
<srivasta@debian.org>
Add exception handling in libselinux from Dan Walsh. This uses a shell
script called exception.sh to generate a swig interface file.
make swigify
Make matchpathcon print <<none>> if path not found in fcontext file.
Reverted Tomas Mraz's fix for freeing thread local storage to avoid pthread
dependency.
Removed fini_context_translations() altogether.
Merged lazy init patch from Stephen Smalley based on original patch by
Steve Grubb.
Add per-service seuser support from Dan Walsh.
Let load_policy gracefully handle selinuxfs being mounted from Stephen
Smalley.
Check /proc/filesystems before /proc/mounts for selinuxfs from Eric Paris.
Fix improper use of thread local storage from Tomas Mraz
<tmraz@redhat.com>.
Label substitution support from Dan Walsh.
Support for labeling virtual machine images from Dan Walsh.
Trim / from the end of input paths to matchpathcon from Dan Walsh.
Fix leak in process_line in label_file.c from Hiroshi Shinji.
Move matchpathcon to /sbin, add matchpathcon to clean target from Dan
Walsh.
getdefaultcon to print just the correct match and add verbose option from
Dan Walsh.
deny_unknown wrapper function from KaiGai Kohei.
security_compute_av_flags API from KaiGai Kohei.
Netlink socket management and callbacks from KaiGai Kohei.
Add group support to seusers using %groupname syntax from Dan Walsh.
Mark setrans socket close-on-exec from Stephen Smalley.
Only apply nodups checking to base file contexts from Stephen Smalley.
Handle duplicate file context regexes as a fatal error from Stephen
Smalley. This prevents adding them via semanage.
Fix audit2why shadowed variables from Stephen Smalley.
Note that freecon NULL is legal in man page from Karel Zak.
Handle duplicate file context regexes as a fatal error from Stephen
Smalley. This prevents adding them via semanage.
Fix audit2why shadowed variables from Stephen Smalley.
Note that freecon NULL is legal in man page from Karel Zak.
Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call
matchpathcon_init_prefix if not already initialized.
Add -q qualifier for -V option of matchpathcon and change it to indicate
whether verification succeeded or failed via exit status.
Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call
matchpathcon_init_prefix if not already initialized.
Add -q qualifier for -V option of matchpathcon and change it to indicate
whether verification succeeded or failed via exit status.
Fixed selinux_set_callback man page.
Try loading the max of the kernel-supported version and the
libsepol-supported version when no manipulation of the binary policy is
needed from Stephen Smalley.
Fix memory leaks in matchpathcon from Eamon Walsh.
Disable setlocaldefs if no local boolean or users files are present from
Stephen Smalley.
Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen
Smalley.
dlopen libsepol.so.1 rather than libsepol.so from Stephen Smalley.
Based on a suggestion from Ulrich Drepper, defer regex compilation until we
have a stem match, by Stephen Smalley.
A further optimization would be to defer regex compilation until we have a
complete match of the constant prefix of the regex - TBD.
AVC enforcing mode override patch from Eamon Walsh.
Aligned attributes in AVC netlink code from Eamon Walsh.
- Move libselinux.so back into devel package, procps has been fixed
Merged refactored AVC netlink code from Eamon Walsh.
Merged new X label namespaces from Eamon Walsh.
Bux fix and minor refactoring in string representation code.
Class and permission mapping support patches from Eamon Walsh.
Object class discovery support patches from Chris PeBenito.
Refactoring and errno support in string representation code.
Merged patch to reduce size of libselinux and remove need for libsepol for
embedded systems from Yuichi Nakamura. This patch also turns the
link-time dependency on libsepol into a runtime (dlopen) dependency
even in the non-embedded case.
Merged userspace AVC patch to follow kernel's behavior for permissive mode
in caching previous denials from Eamon Walsh.
Merged sidput(NULL) patch from Eamon Walsh.
the use of the non-standard format %as. (original patch changed for
style).
Merged patch from Todd Miller to fix memory leak in matchpathcon.c.
Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-2
- Add context function to python to split context into 4 parts
Merged man page updates to make "apropos selinux" work from Dan Walsh.
Mon Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
- Upgrade to upstream
Merged getdefaultcon utility from Dan Walsh.
Merged updated flask definitions from Darrel Goeddel. This adds the context
security class, and also adds the string definitions for setsockcreate
and polmatch.
Merged patch to not log avc stats upon a reset from Steve Grubb.
Applied patch to revert compat_net setting upon policy load.
Merged file context homedir and local path functions from Chris PeBenito.
Merged file context homedir and local path functions from Chris PeBenito.
Rework functions that access /proc/pid/attr to access the per-thread nodes,
and unify the code to simplify maintenance.
Lindent.
Merged {get,set}procattrcon patch set from Eric Paris.
Merged re-base of keycreate patch originally by Michael LeMay from Eric
Paris.
Regenerated Flask headers from refpolicy.
- Added selinux_file_context_{cmp,verify}.
- Added selinux_lsetfilecon_default.
- Delay translation of contexts in matchpathcon.
Added selinux_getpolicytype() function.
Modified setrans code to skip processing if !mls_enabled.
Set errno in the !selinux_mnt case.
Allocate large buffers from the heap, not on stack. Affects
is_context_customizable, selinux_init_load_policy, and
selinux_getenforcemode.
Merged simple setrans client cache from Dan Walsh. Merged avcstat patch
from Russell Coker.
Modified selinux_mkload_policy() to also set /selinux/compat_net
appropriately for the loaded policy.
Merged simple setrans client cache from Dan Walsh. Merged avcstat patch
from Russell Coker.
Modified selinux_mkload_policy() to also set /selinux/compat_net
appropriately for the loaded policy.
Dan Walsh
Kay Sievers
Harald Hoyer
Dennis Gilmore
Jesse Keating
Adam Tkac
Daniel J Walsh
dmalcolm
Jesse Keating
Ignacio Vazquez-Abrams
Jeremy Katz