Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Dominick Grift
On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> >> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> >>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >>>> Hi,
> >>>>
> >>>> If you have encountered any unreported problems with the 2.8-rcX
> >>>> releases or have any
> >>>> pending patches you believe should be included in the 2.8 release,
> >>>> please post them soon.
> >>>
> >>> the rc2 release has been fine for me for several days now. And I haven't
> >>> heard any issues from any gentoo users either so we're probably good to
> >>> go. -rc1 failed to boot properly for me because some important things in
> >>> /run or /dev didn't get labeled but that was fixed in rc2.
> >>
> >> Hmm...I'd like to understand that better. The change was verifying 
> >> file_contexts when using restorecon,
> >> which was reverted in -rc2.  But the fact that it prevented labeling files 
> >> in -rc1 means that either
> >> you have a bug in your file_contexts configuration or there is some other 
> >> bug there.
> > 
> > If it cannot validate_context then it will be unhappy:
> > 
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time   : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb  : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User   : kcinimod 
> > Return-Code: Success
> > Command Line   : update --exclude efi-filesystem
> > Transaction performed with:
> > Installed dnf-2.7.5-12.fc29.noarch @rawhide
> > Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> > Packages Altered:
> > Upgraded cockpit-166-1.fc29.x86_64  @rawhide
> > ... snip ...
> > Scriptlet output:
> >    1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 
> So, just to be clear: these contexts are in fact valid but the lack of 
> permission to use the /sys/fs/selinux/context interface (for 
> security_check_context) causes it to think the context is invalid and 
> therefore fails?  If so, then 
> that makes sense and would be another reason for reverting that change.  In 
> any case, -rc2 should have the fix.

Yes, the contexts are valid, but since validate_context was blocked this happened. By
allowing validate_context this works fine.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift



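The failure discussed above (a perfectly valid context reported as "invalid" because the calling domain may not use /sys/fs/selinux/context) can be told apart from a genuinely bad file_contexts entry by keeping the errno that the "invalid context" message throws away. The script below is an added example written for this page, not libselinux or restorecon code: it parses file_contexts syntax, asks the kernel the same way security_check_context() does, and classifies EACCES as "denied" rather than "invalid". The sample entries are constructed (the context names only imitate the DSSP2 naming seen in the thread), and validate_file_contexts() takes an injectable checker so it can be exercised on a host without SELinux.

```python
"""Check every context in an SELinux file_contexts file against the
running kernel's policy and separate "the policy rejects this context"
from "this process is not allowed to ask".  Added example for this
thread; not libselinux or restorecon code."""
import errno
import sys

# The interface security_check_context() writes to.
SELINUXFS_CONTEXT = "/sys/fs/selinux/context"

# Constructed sample in file_contexts syntax: regex [filetype] context.
# Entries are made up for this example; only the naming style is DSSP2-like.
SAMPLE_FILE_CONTEXTS = """\
# comment line
/boot(/.*)?         sys.id:sys.role:files.generic_boot.boot_file:s0
/dev/console    -c  sys.id:sys.role:files.console_device:s0
/run/udev(/.*)?     sys.id:sys.role:files.udev_runtime:s0
/tmp/bogus          <<none>>
/etc/secret     --  not_a_context
"""


def parse_file_contexts(text):
    """Return [(lineno, regex, filetype_or_None, context)] for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: malformed file_contexts entry: {raw!r}")
        entries.append((lineno, regex, ftype, ctx))
    return entries


def kernel_check_context(ctx, path=SELINUXFS_CONTEXT):
    """Ask the kernel whether ctx is valid under the loaded policy by
    writing it to /sys/fs/selinux/context, as security_check_context()
    does, but keep the errno: EACCES means the caller's domain was refused
    (no security { check_context } or no read/write on the selinuxfs file),
    EINVAL means the policy really does not know the context."""
    try:
        with open(path, "r+b", buffering=0) as f:
            f.write(ctx.encode())
        return "valid"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "unavailable"            # no selinuxfs: SELinux disabled or not mounted
    except OSError as e:
        if e.errno == errno.EINVAL:
            return "invalid"
        raise


def validate_file_contexts(text, check=kernel_check_context):
    """Classify the context of every entry.  Returns {status: [(lineno, ctx)]}.
    `check` is injectable so the parser and classification run without SELinux."""
    report = {k: [] for k in ("valid", "invalid", "denied", "unavailable", "skipped")}
    cache = {}
    for lineno, _regex, _ftype, ctx in parse_file_contexts(text):
        if ctx == "<<none>>":           # "do not relabel" marker, nothing to validate
            report["skipped"].append((lineno, ctx))
            continue
        if ctx not in cache:
            # user:role:type[:range] needs at least two colons; reject obviously
            # malformed strings without a kernel round trip (each distinct context
            # is checked once).
            cache[ctx] = check(ctx) if ctx.count(":") >= 2 else "invalid"
        report[cache[ctx]].append((lineno, ctx))
    return report


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_FILE_CONTEXTS
    report = validate_file_contexts(text)
    for status in ("invalid", "denied", "unavailable"):
        for lineno, ctx in report[status]:
            print(f"{path or '<sample>'}:{lineno}: {status}: {ctx}")
    if report["denied"]:
        print("note: 'denied' is a permission problem in the calling domain, "
              "not a bad file_contexts entry", file=sys.stderr)
    return 1 if report["invalid"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a domain that is allowed to use the interface (for example as root in the unconfined domain) with the store's file_contexts as argument; if every entry comes back "denied" while the same file passes under a permitted domain, the problem is the caller's permissions, which is the situation the -rc1 restorecon change tripped over at boot.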

Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Jason Zaman
On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> >> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> >>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >>>> Hi,
> >>>>
> >>>> If you have encountered any unreported problems with the 2.8-rcX
> >>>> releases or have any
> >>>> pending patches you believe should be included in the 2.8 release,
> >>>> please post them soon.
> >>>
> >>> the rc2 release has been fine for me for several days now. And I haven't
> >>> heard any issues from any gentoo users either so we're probably good to
> >>> go. -rc1 failed to boot properly for me because some important things in
> >>> /run or /dev didn't get labeled but that was fixed in rc2.
> >>
> >> Hmm...I'd like to understand that better. The change was verifying 
> >> file_contexts when using restorecon,
> >> which was reverted in -rc2.  But the fact that it prevented labeling files 
> >> in -rc1 means that either
> >> you have a bug in your file_contexts configuration or there is some other 
> >> bug there.
> > 
> > If it cannot validate_context then it will be unhappy:
> > 
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time   : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb  : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User   : kcinimod 
> > Return-Code: Success
> > Command Line   : update --exclude efi-filesystem
> > Transaction performed with:
> > Installed dnf-2.7.5-12.fc29.noarch @rawhide
> > Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> > Packages Altered:
> > Upgraded cockpit-166-1.fc29.x86_64  @rawhide
> > ... snip ...
> > Scriptlet output:
> >    1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> >    5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 
> So, just to be clear: these contexts are in fact valid but the lack of 
> permission to use the /sys/fs/selinux/context interface (for 
> security_check_context) causes it to think the context is invalid and 
> therefore fails?  If so, then 
> that makes sense and would be another reason for reverting that change.  In 
> any case, -rc2 should have the fix.

Yeah, I'm pretty sure this is what happened. The issues off the top of my
head were some relabelling very early on in boot of /dev/ and /run, so
those ended up with completely wrong contexts and nothing afterwards
worked either. There wasn't much output because /dev/console was mislabelled.
D-Bus and udev stuff in /run was wrong too, so X kind of started but I had
no keyboard or mouse, and everything using D-Bus died too.

It appeared to mostly work if I booted in permissive and then force
relabelled a bunch of stuff, then switched to enforcing. I only bumped to
-rc1 a day before -rc2 came out, so I pretty much just updated again
immediately as soon as I saw the validation issues and everything was
fine again.

I could try out -rc1 in a VM again if you want to be certain, but I'm pretty
sure this is it.

-- Jason



Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Petr Lautrbach
On Fri, May 04, 2018 at 03:16:43PM +0200, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> > On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > >> Hi,
> > >>
> > >> If you have encountered any unreported problems with the 2.8-rcX 
> > >> releases or have any
> > >> pending patches you believe should be included in the 2.8 release, 
> > >> please post them soon.
> > >> Also, let us know of any additions or changes that should be made to the 
> > >> release notes;
> > >> the current draft is as follows.
> > >>
> > >> User-visible changes:
> > > 
> > > One might see processes "validate_context" where they didn't before
> > > 
> > > Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, 
> > > various systemd components etc)
> > 
> > That should no longer be true as of -rc2 since I reverted the libselinux: 
> > verify file_contexts when using restorecon change.
> 
> Oh thanks, yes fedora is still on RC1.

I've just built the following packages in Rawhide:

libselinux-2.8-0.rc2.1.fc29 - 
https://koji.fedoraproject.org/koji/taskinfo?taskID=26767629
libsemanage-2.8-0.rc2.1.fc29 - 
https://koji.fedoraproject.org/koji/taskinfo?taskID=26767782
policycoreutils-2.8-0.rc2.1.fc29 - 
https://koji.fedoraproject.org/koji/taskinfo?taskID=26767903


> > 
> > > 
> > >>
> > >> * semanage fcontext -l now also lists home directory entries from
> > >> file_contexts.homedirs.
> > >>
> > >> * semodule can now enable or disable multiple modules in the same
> > >> operation by specifying a list of modules after -e or -d, making them
> > >> consistent with the -i/u/r/E options.
> > >>
> > >> * CIL now supports multiple declarations of types, attributes, and
> > >> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> > >> or --multiple-decls option to secilc.
> > >>
> > >> * libsemanage no longer deletes the tmp directory if there is an error
> > >> while committing the policy transaction, so that any temporary files
> > >> can be further inspected for debugging purposes (e.g. to examine a
> > >> particular line of the generated CIL module).  The tmp directory will
> > >> be deleted upon the next transaction, so no manual removal is needed.
> > >>
> > >> * Support was added for SCTP portcon statements. The corresponding
> > >> kernel support was introduced in Linux 4.17, and is only active if the
> > >> extended_socket_class policy capability is enabled in the policy.
> > >>
> > >> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> > >> interface, initially for use by setools4.
> > >>
> > >> * semodule_deps was removed since it has long been broken and is not 
> > >> useful
> > >> for CIL modules.
> > >>
> > >> Packaging-relevant changes:
> > >>
> > >> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> > >> DESTDIR has to be removed from the definition. For example on Arch
> > >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> > >>
> > >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> > >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> > >> Makefiles).
> > >>
> > >> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> > >>
> > >> * selinux-gui (i.e. system-config-selinux GUI application) is now
> > >> compatible with Python 3. Doing this required migrating away from
> > >> PyGTK to the supported PyGI library. This means that selinux-gui now
> > >> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> > >> requires PyGtk or Python 2.
> > > 
> > 
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift






Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 09:26 AM, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
>> On 05/04/2018 03:55 AM, Jason Zaman wrote:
>>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>>>> Hi,
>>>>
>>>> If you have encountered any unreported problems with the 2.8-rcX releases 
>>>> or have any
>>>> pending patches you believe should be included in the 2.8 release, please 
>>>> post them soon.
>>>
>>> the rc2 release has been fine for me for several days now. And I haven't
>>> heard any issues from any gentoo users either so we're probably good to
>>> go. -rc1 failed to boot properly for me because some important things in
>>> /run or /dev didn't get labeled but that was fixed in rc2.
>>
>> Hmm...I'd like to understand that better. The change was verifying 
>> file_contexts when using restorecon,
>> which was reverted in -rc2.  But the fact that it prevented labeling files 
>> in -rc1 means that either
>> you have a bug in your file_contexts configuration or there is some other 
>> bug there.
> 
> If it cannot validate_context then it will be unhappy:
> 
> [root@julius ~]# dnf history info last
> Transaction ID : 364
> Begin time : Fri 04 May 2018 01:12:36 PM CEST
> Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> End time   : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> End rpmdb  : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> User   : kcinimod 
> Return-Code: Success
> Command Line   : update --exclude efi-filesystem
> Transaction performed with:
> Installed dnf-2.7.5-12.fc29.noarch @rawhide
> Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
>   Packages Altered:
>   Upgraded cockpit-166-1.fc29.x86_64  @rawhide
> ... snip ...
> Scriptlet output:
>    1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>    2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>    3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>    4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>    5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0

So, just to be clear: these contexts are in fact valid but the lack of 
permission to use the /sys/fs/selinux/context interface (for 
security_check_context) causes it to think the context is invalid and therefore 
fails?  If so, then 
that makes sense and would be another reason for reverting that change.  In any 
case, -rc2 should have the fix.


Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Dominick Grift
On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >> Hi,
> >>
> >> If you have encountered any unreported problems with the 2.8-rcX releases 
> >> or have any
> >> pending patches you believe should be included in the 2.8 release, please 
> >> post them soon.
> > 
> > the rc2 release has been fine for me for several days now. And I haven't
> > heard any issues from any gentoo users either so we're probably good to
> > go. -rc1 failed to boot properly for me because some important things in
> > /run or /dev didn't get labeled but that was fixed in rc2.
> 
> Hmm...I'd like to understand that better. The change was verifying 
> file_contexts when using restorecon,
> which was reverted in -rc2.  But the fact that it prevented labeling files in 
> -rc1 means that either
> you have a bug in your file_contexts configuration or there is some other bug 
> there.

If it cannot validate_context then it will be unhappy:

[root@julius ~]# dnf history info last
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time   : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb  : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User   : kcinimod 
Return-Code: Success
Command Line   : update --exclude efi-filesystem
Transaction performed with:
Installed dnf-2.7.5-12.fc29.noarch @rawhide
Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
Packages Altered:
Upgraded cockpit-166-1.fc29.x86_64  @rawhide
... snip ...
Scriptlet output:
   1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
   5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0

> 
> > 
> >> Also, let us know of any additions or changes that should be made to the 
> >> release notes;
> >> the current draft is as follows.
> >>
> >> User-visible changes:
> >>
> >> * semanage fcontext -l now also lists home directory entries from
> >> file_contexts.homedirs.
> >>
> >> * semodule can now enable or disable multiple modules in the same
> >> operation by specifying a list of modules after -e or -d, making them
> >> consistent with the -i/u/r/E options.
> >>
> >> * CIL now supports multiple declarations of types, attributes, and
> >> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> >> or --multiple-decls option to secilc.
> >>
> >> * libsemanage no longer deletes the tmp directory if there is an error
> >> while committing the policy transaction, so that any temporary files
> >> can be further inspected for debugging purposes (e.g. to examine a
> >> particular line of the generated CIL module).  The tmp directory will
> >> be deleted upon the next transaction, so no manual removal is needed.
> >>
> >> * Support was added for SCTP portcon statements. The corresponding
> >> kernel support was introduced in Linux 4.17, and is only active if the
> >> extended_socket_class policy capability is enabled in the policy.
> > 
> > Perhaps also note that the sctp stuff is in refpolicy and this 2.8
> > release is required to compile it.
> > 
> > I tried doing a release of the gentoo policy (we merge from HEAD fairly
> > frequently not only the big releases) and it fails to compile. I will
> > add the sctp stuff back into gentoo's policy later then make the
> > policies require >=2.8.
> > 
> > -- Jason
> > 
> >> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> >> interface, initially for use by setools4.
> >>
> >> * semodule_deps was removed since it has long been broken and is not useful
> >> for CIL modules.
> >>
> >> Packaging-relevant changes:
> >>
> >> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> >> DESTDIR has to be removed from the definition. For example on Arch
> >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >>
> >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >> Makefiles).
> >>
> >> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> >>
> >> * selinux-gui (i.e. system-config-selinux GUI application) is now
> >> compatible with Python 

Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Dominick Grift
On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> >> Hi,
> >>
> >> If you have encountered any unreported problems with the 2.8-rcX releases 
> >> or have any
> >> pending patches you believe should be included in the 2.8 release, please 
> >> post them soon.
> >> Also, let us know of any additions or changes that should be made to the 
> >> release notes;
> >> the current draft is as follows.
> >>
> >> User-visible changes:
> > 
> > One might see processes "validate_context" where they didn't before
> > 
> > Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, 
> > various systemd components etc)
> 
> That should no longer be true as of -rc2 since I reverted the libselinux: 
> verify file_contexts when using restorecon change.

Oh thanks, yes, Fedora is still on RC1.

> 
> > 
> >>
> >> * semanage fcontext -l now also lists home directory entries from
> >> file_contexts.homedirs.
> >>
> >> * semodule can now enable or disable multiple modules in the same
> >> operation by specifying a list of modules after -e or -d, making them
> >> consistent with the -i/u/r/E options.
> >>
> >> * CIL now supports multiple declarations of types, attributes, and
> >> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> >> or --multiple-decls option to secilc.
> >>
> >> * libsemanage no longer deletes the tmp directory if there is an error
> >> while committing the policy transaction, so that any temporary files
> >> can be further inspected for debugging purposes (e.g. to examine a
> >> particular line of the generated CIL module).  The tmp directory will
> >> be deleted upon the next transaction, so no manual removal is needed.
> >>
> >> * Support was added for SCTP portcon statements. The corresponding
> >> kernel support was introduced in Linux 4.17, and is only active if the
> >> extended_socket_class policy capability is enabled in the policy.
> >>
> >> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> >> interface, initially for use by setools4.
> >>
> >> * semodule_deps was removed since it has long been broken and is not useful
> >> for CIL modules.
> >>
> >> Packaging-relevant changes:
> >>
> >> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> >> DESTDIR has to be removed from the definition. For example on Arch
> >> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >>
> >> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >> Makefiles).
> >>
> >> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> >>
> >> * selinux-gui (i.e. system-config-selinux GUI application) is now
> >> compatible with Python 3. Doing this required migrating away from
> >> PyGTK to the supported PyGI library. This means that selinux-gui now
> >> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> >> requires PyGtk or Python 2.
> > 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 08:19 AM, Dominick Grift wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>> Hi,
>>
>> If you have encountered any unreported problems with the 2.8-rcX releases or 
>> have any
>> pending patches you believe should be included in the 2.8 release, please 
>> post them soon.
>> Also, let us know of any additions or changes that should be made to the 
>> release notes;
>> the current draft is as follows.
>>
>> User-visible changes:
> 
> One might see processes "validate_context" where they didn't before
> 
> Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, 
> various systemd components etc)

That should no longer be true as of -rc2 since I reverted the libselinux: 
verify file_contexts when using restorecon change.

> 
>>
>> * semanage fcontext -l now also lists home directory entries from
>> file_contexts.homedirs.
>>
>> * semodule can now enable or disable multiple modules in the same
>> operation by specifying a list of modules after -e or -d, making them
>> consistent with the -i/u/r/E options.
>>
>> * CIL now supports multiple declarations of types, attributes, and
>> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
>> or --multiple-decls option to secilc.
>>
>> * libsemanage no longer deletes the tmp directory if there is an error
>> while committing the policy transaction, so that any temporary files
>> can be further inspected for debugging purposes (e.g. to examine a
>> particular line of the generated CIL module).  The tmp directory will
>> be deleted upon the next transaction, so no manual removal is needed.
>>
>> * Support was added for SCTP portcon statements. The corresponding
>> kernel support was introduced in Linux 4.17, and is only active if the
>> extended_socket_class policy capability is enabled in the policy.
>>
>> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
>> interface, initially for use by setools4.
>>
>> * semodule_deps was removed since it has long been broken and is not useful
>> for CIL modules.
>>
>> Packaging-relevant changes:
>>
>> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
>> DESTDIR has to be removed from the definition. For example on Arch
>> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
>>
>> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
>> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
>> Makefiles).
>>
>> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
>>
>> * selinux-gui (i.e. system-config-selinux GUI application) is now
>> compatible with Python 3. Doing this required migrating away from
>> PyGTK to the supported PyGI library. This means that selinux-gui now
>> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
>> requires PyGtk or Python 2.
> 



Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Stephen Smalley
On 05/04/2018 03:55 AM, Jason Zaman wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>> Hi,
>>
>> If you have encountered any unreported problems with the 2.8-rcX releases or 
>> have any
>> pending patches you believe should be included in the 2.8 release, please 
>> post them soon.
> 
> the rc2 release has been fine for me for several days now. And I haven't
> heard any issues from any gentoo users either so we're probably good to
> go. -rc1 failed to boot properly for me because some important things in
> /run or /dev didn't get labeled but that was fixed in rc2.

Hmm...I'd like to understand that better. The change was verifying 
file_contexts when using restorecon,
which was reverted in -rc2.  But the fact that it prevented labeling files in 
-rc1 means that either
you have a bug in your file_contexts configuration or there is some other bug 
there.

> 
>> Also, let us know of any additions or changes that should be made to the 
>> release notes;
>> the current draft is as follows.
>>
>> User-visible changes:
>>
>> * semanage fcontext -l now also lists home directory entries from
>> file_contexts.homedirs.
>>
>> * semodule can now enable or disable multiple modules in the same
>> operation by specifying a list of modules after -e or -d, making them
>> consistent with the -i/u/r/E options.
>>
>> * CIL now supports multiple declarations of types, attributes, and
>> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
>> or --multiple-decls option to secilc.
>>
>> * libsemanage no longer deletes the tmp directory if there is an error
>> while committing the policy transaction, so that any temporary files
>> can be further inspected for debugging purposes (e.g. to examine a
>> particular line of the generated CIL module).  The tmp directory will
>> be deleted upon the next transaction, so no manual removal is needed.
>>
>> * Support was added for SCTP portcon statements. The corresponding
>> kernel support was introduced in Linux 4.17, and is only active if the
>> extended_socket_class policy capability is enabled in the policy.
> 
> Perhaps also note that the sctp stuff is in refpolicy and this 2.8
> release is required to compile it.
> 
> I tried doing a release of the gentoo policy (we merge from HEAD fairly
> frequently not only the big releases) and it fails to compile. I will
> add the sctp stuff back into gentoo's policy later then make the
> policies require >=2.8.
> 
> -- Jason
> 
>> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
>> interface, initially for use by setools4.
>>
>> * semodule_deps was removed since it has long been broken and is not useful
>> for CIL modules.
>>
>> Packaging-relevant changes:
>>
>> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
>> DESTDIR has to be removed from the definition. For example on Arch
>> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
>>
>> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
>> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
>> Makefiles).
>>
>> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
>>
>> * selinux-gui (i.e. system-config-selinux GUI application) is now
>> compatible with Python 3. Doing this required migrating away from
>> PyGTK to the supported PyGI library. This means that selinux-gui now
>> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
>> requires PyGtk or Python 2.
> 



Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Dominick Grift
On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> Hi,
> 
> If you have encountered any unreported problems with the 2.8-rcX releases or 
> have any
> pending patches you believe should be included in the 2.8 release, please 
> post them soon.
> Also, let us know of any additions or changes that should be made to the 
> release notes;
> the current draft is as follows.
> 
> User-visible changes:

One might see processes "validate_context" where they didn't before

Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm, 
various systemd components etc)

> 
> * semanage fcontext -l now also lists home directory entries from
> file_contexts.homedirs.
> 
> * semodule can now enable or disable multiple modules in the same
> operation by specifying a list of modules after -e or -d, making them
> consistent with the -i/u/r/E options.
> 
> * CIL now supports multiple declarations of types, attributes, and
> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> or --multiple-decls option to secilc.
> 
> * libsemanage no longer deletes the tmp directory if there is an error
> while committing the policy transaction, so that any temporary files
> can be further inspected for debugging purposes (e.g. to examine a
> particular line of the generated CIL module).  The tmp directory will
> be deleted upon the next transaction, so no manual removal is needed.
> 
> * Support was added for SCTP portcon statements. The corresponding
> kernel support was introduced in Linux 4.17, and is only active if the
> extended_socket_class policy capability is enabled in the policy.
> 
> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> interface, initially for use by setools4.
> 
> * semodule_deps was removed since it has long been broken and is not useful
> for CIL modules.
> 
> Packaging-relevant changes:
> 
> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> DESTDIR has to be removed from the definition. For example on Arch
> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> 
> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> Makefiles).
> 
> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> 
> * selinux-gui (i.e. system-config-selinux GUI application) is now
> compatible with Python 3. Doing this required migrating away from
> PyGTK to the supported PyGI library. This means that selinux-gui now
> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> requires PyGtk or Python 2.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: Last call for selinux userspace 2.8 release

2018-05-04 Thread Jason Zaman
On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> Hi,
> 
> If you have encountered any unreported problems with the 2.8-rcX releases or 
> have any
> pending patches you believe should be included in the 2.8 release, please 
> post them soon.

the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.

> Also, let us know of any additions or changes that should be made to the 
> release notes;
> the current draft is as follows.
> 
> User-visible changes:
> 
> * semanage fcontext -l now also lists home directory entries from
> file_contexts.homedirs.
> 
> * semodule can now enable or disable multiple modules in the same
> operation by specifying a list of modules after -e or -d, making them
> consistent with the -i/u/r/E options.
> 
> * CIL now supports multiple declarations of types, attributes, and
> (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> or --multiple-decls option to secilc.
> 
> * libsemanage no longer deletes the tmp directory if there is an error
> while committing the policy transaction, so that any temporary files
> can be further inspected for debugging purposes (e.g. to examine a
> particular line of the generated CIL module).  The tmp directory will
> be deleted upon the next transaction, so no manual removal is needed.
> 
> * Support was added for SCTP portcon statements. The corresponding
> kernel support was introduced in Linux 4.17, and is only active if the
> extended_socket_class policy capability is enabled in the policy.

Perhaps also note that the sctp stuff is in refpolicy and this 2.8
release is required to compile it.

I tried doing a release of the gentoo policy (we merge from HEAD fairly
frequently not only the big releases) and it fails to compile. I will
add the sctp stuff back into gentoo's policy later then make the
policies require >=2.8.

-- Jason

> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> interface, initially for use by setools4.
> 
> * semodule_deps was removed since it has long been broken and is not useful
> for CIL modules.
> 
> Packaging-relevant changes:
> 
> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> DESTDIR has to be removed from the definition. For example on Arch
> Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> 
> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> Makefiles).
> 
> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> 
> * selinux-gui (i.e. system-config-selinux GUI application) is now
> compatible with Python 3. Doing this required migrating away from
> PyGTK to the supported PyGI library. This means that selinux-gui now
> depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> requires PyGtk or Python 2.
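Two of the release-note items quoted in this thread, duplicate declarations under secilc -m and SCTP portcon statements, shown together in CIL as an added example; this is not from the release notes or the project's test suite. Both files are hypothetical: they assume a base module (not shown) that declares system_u, object_r, sensitivity s0 and the sctp_socket class with its name_bind permission, and the names sctp_diameter_port_t, port_type and diameterd_t are made up for the example.

```cil
;; a.cil: hypothetical distribution module
(type sctp_diameter_port_t)
(typeattribute port_type)
(typeattributeset port_type (sctp_diameter_port_t))
;; portcon with protocol sctp is accepted by the 2.8 userspace; the
;; kernel (4.17+) only enforces it when the extended_socket_class
;; policy capability is enabled in the policy.
(portcon sctp 3868 (system_u object_r sctp_diameter_port_t ((s0) (s0))))

;; b.cil: hypothetical local module that re-declares the same type and
;; attribute so it does not have to be ordered after a.cil.  With
;; secilc -m (--multiple-decls) the repeated declarations are merged;
;; without -m the second declaration of each name is an error.
(type sctp_diameter_port_t)
(typeattribute port_type)
(type diameterd_t)
(allow diameterd_t sctp_diameter_port_t (sctp_socket (name_bind)))
```

Compile with `secilc -m base.cil a.cil b.cil` (base.cil being the assumed base module); dropping `-m` from that command is the quickest way to see which declarations the two files have in common, since secilc then stops at the first repeated one.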