Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> > > On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > > > Hi,
> > > > >
> > > > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > > > pending patches you believe should be included in the 2.8 release, please post them soon.
> > > >
> > > > the rc2 release has been fine for me for several days now. And I haven't
> > > > heard any issues from any gentoo users either so we're probably good to
> > > > go. -rc1 failed to boot properly for me because some important things in
> > > > /run or /dev didn't get labeled but that was fixed in rc2.
> > >
> > > Hmm...I'd like to understand that better. The change was verifying
> > > file_contexts when using restorecon, which was reverted in -rc2. But the
> > > fact that it prevented labeling files in -rc1 means that either you have
> > > a bug in your file_contexts configuration or there is some other bug there.
> >
> > If it cannot validate_context then it will be unhappy:
> >
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User : kcinimod
> > Return-Code: Success
> > Command Line : update --exclude efi-filesystem
> > Transaction performed with:
> > Installed dnf-2.7.5-12.fc29.noarch @rawhide
> > Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> > Packages Altered:
> > Upgraded cockpit-166-1.fc29.x86_64 @rawhide
> > ... snip ...
> > Scriptlet output:
> > 1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>
> So, just to be clear: these contexts are in fact valid but the lack of
> permission to use the /sys/fs/selinux/context interface (for
> security_check_context) causes it to think the context is invalid and
> therefore fails? If so, then that makes sense and would be another reason
> for reverting that change. In any case, -rc2 should have the fix.

Yes, contexts are valid, but since validate_context was blocked this happened.
By allowing validate_context this works fine.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
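The failure mode settled in the exchange above is worth seeing in code: libselinux's security_check_context() writes the candidate context to /sys/fs/selinux/context, and a caller that is denied the validate_context permission gets a permission error from that write rather than "invalid context". A checker that folds both answers into "invalid" refuses to relabel anything, which is what broke early boot labelling on -rc1. The following is an added example, not code from the thread or from libselinux: it parses a file_contexts text, checks each distinct context, and keeps "the kernel rejected this context" apart from "I was not allowed to ask". The function names, the Verdict enum and the sample file_contexts lines are this example's own; fake_kernel and fake_denied stand in for selinuxfs so it runs on a host without SELinux.

```python
"""Added example (not from the thread or libselinux): validate file_contexts
entries without mistaking a permission denial for an invalid context."""
import errno
import re
from enum import Enum
from typing import Callable, Dict, List, Tuple

SELINUX_CONTEXT_IFACE = "/sys/fs/selinux/context"


class Verdict(Enum):
    VALID = "valid"
    INVALID = "invalid"      # malformed, or the kernel answered EINVAL
    UNCHECKED = "unchecked"  # EACCES / no selinuxfs: no verdict, must not abort


# file_contexts line: <path regex> [<file type>] <context>; comments start with '#'.
_LINE_RE = re.compile(r"^(\S+)\s+(?:(-[bcdlps-])\s+)?(\S+)$")
# user:role:type[:range]: a cheap syntax check that needs no kernel at all.
_CTX_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?$")


def parse_file_contexts(text: str) -> List[Tuple[str, str]]:
    """Return (path_regex, context) pairs; <<none>> entries carry no context."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        regex, _ftype, ctx = m.groups()
        if ctx != "<<none>>":
            entries.append((regex, ctx))
    return entries


def write_to_selinuxfs(ctx: str) -> None:
    """What security_check_context() does underneath: write the context to selinuxfs."""
    with open(SELINUX_CONTEXT_IFACE, "w") as f:
        f.write(ctx)


def classify(ctx: str, write_ctx: Callable[[str], None]) -> Verdict:
    """Map the kernel's answer to a verdict; only EINVAL means 'invalid'."""
    if not _CTX_RE.match(ctx):
        return Verdict.INVALID
    try:
        write_ctx(ctx)
    except OSError as e:
        # EACCES (validate_context denied), ENOENT (no selinuxfs) etc. are not verdicts.
        return Verdict.INVALID if e.errno == errno.EINVAL else Verdict.UNCHECKED
    return Verdict.VALID


def check_contexts(text: str,
                   write_ctx: Callable[[str], None] = write_to_selinuxfs) -> Dict[str, Verdict]:
    """Verdict for every distinct context in a file_contexts text."""
    verdicts: Dict[str, Verdict] = {}
    for _regex, ctx in parse_file_contexts(text):
        if ctx not in verdicts:
            verdicts[ctx] = classify(ctx, write_ctx)
    return verdicts


def fatal_contexts(verdicts: Dict[str, Verdict]) -> List[str]:
    """Contexts that justify refusing to relabel. UNCHECKED ones are deliberately
    not among them: aborting on those is what left /dev and /run unlabelled."""
    return sorted(c for c, v in verdicts.items() if v is Verdict.INVALID)


# --- constructed sample data and two stand-in kernels so this runs offline ---

SAMPLE_FILE_CONTEXTS = """\
# constructed sample in the style of the DSSP contexts quoted in the thread
/.*                 sys.id:sys.role:files.generic_boot.boot_file:s0
/boot(/.*)?         sys.id:sys.role:files.generic_boot.boot_file:s0
/etc(/.*)?          sys.id:sys.role:files.etc_file:s0
/etc/broken  -d     sys.id:sys.role:files.bogus:s0
/dev/shm(/.*)?      <<none>>
/etc/notacontext    sys.id:sys.role
"""


def fake_kernel(known_types) -> Callable[[str], None]:
    """Stand-in for selinuxfs on a host whose loaded policy declares known_types."""
    def write_ctx(ctx: str) -> None:
        if ctx.split(":")[2] not in known_types:
            raise OSError(errno.EINVAL, "Invalid argument")
    return write_ctx


def fake_denied(ctx: str) -> None:
    """Stand-in for a caller that is denied validate_context on selinuxfs."""
    raise OSError(errno.EACCES, "Permission denied")


if __name__ == "__main__":
    policy = fake_kernel({"files.generic_boot.boot_file", "files.etc_file"})
    for name, kernel in (("allowed", policy), ("denied", fake_denied)):
        verdicts = check_contexts(SAMPLE_FILE_CONTEXTS, kernel)
        print(f"[{name}] fatal: {fatal_contexts(verdicts)}")
        for ctx, v in verdicts.items():
            print(f"  {v.value:9} {ctx}")
```

Run against the real interface by calling check_contexts(text) with the default writer on an SELinux host; with the "denied" stand-in every well-formed context comes back UNCHECKED and only the syntactically broken one is fatal, so a relabel would still proceed. Whether UNCHECKED should be logged loudly or escalated is a policy decision for the caller; the point is that it is distinguishable from INVALID.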
Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 09:36:12AM -0400, Stephen Smalley wrote:
> On 05/04/2018 09:26 AM, Dominick Grift wrote:
> > On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> > > On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > > > Hi,
> > > > >
> > > > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > > > pending patches you believe should be included in the 2.8 release, please post them soon.
> > > >
> > > > the rc2 release has been fine for me for several days now. And I haven't
> > > > heard any issues from any gentoo users either so we're probably good to
> > > > go. -rc1 failed to boot properly for me because some important things in
> > > > /run or /dev didn't get labeled but that was fixed in rc2.
> > >
> > > Hmm...I'd like to understand that better. The change was verifying
> > > file_contexts when using restorecon, which was reverted in -rc2. But the
> > > fact that it prevented labeling files in -rc1 means that either you have
> > > a bug in your file_contexts configuration or there is some other bug there.
> >
> > If it cannot validate_context then it will be unhappy:
> >
> > [root@julius ~]# dnf history info last
> > Transaction ID : 364
> > Begin time : Fri 04 May 2018 01:12:36 PM CEST
> > Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> > End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> > End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> > User : kcinimod
> > Return-Code: Success
> > Command Line : update --exclude efi-filesystem
> > Transaction performed with:
> > Installed dnf-2.7.5-12.fc29.noarch @rawhide
> > Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> > Packages Altered:
> > Upgraded cockpit-166-1.fc29.x86_64 @rawhide
> > ... snip ...
> > Scriptlet output:
> > 1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> > 5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
>
> So, just to be clear: these contexts are in fact valid but the lack of
> permission to use the /sys/fs/selinux/context interface (for
> security_check_context) causes it to think the context is invalid and
> therefore fails? If so, then that makes sense and would be another reason
> for reverting that change. In any case, -rc2 should have the fix.

Yeah, I'm pretty sure this is what happened. The issues off the top of my
head were some relabelling very early on in boot of /dev/ and /run, so
those ended up with completely wrong contexts and nothing afterwards worked
either. There wasn't much output because /dev/console was mislabelled.
Dbus and udev stuff in /run was wrong too, so X kind of started but I had
no keyboard or mouse and everything using dbus died too. It appeared to
mostly work if I booted in permissive and then force relabelled a bunch of
stuff, then switched to enforcing.

I only bumped to -rc1 a day before -rc2 came out, so I pretty much just
updated again immediately as soon as I saw the validation issues and
everything was fine again. I could try out -rc1 in a VM again if you want
to be certain, but I'm pretty sure this is it.

-- Jason
Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 03:16:43PM +0200, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> > On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > > Hi,
> > > >
> > > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > > pending patches you believe should be included in the 2.8 release, please post them soon.
> > > > Also, let us know of any additions or changes that should be made to the release notes;
> > > > the current draft is as follows.
> > > >
> > > > User-visible changes:
> > >
> > > One might see processes "validate_context" where they didn't before
> > >
> > > Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm,
> > > various systemd components etc)
> >
> > That should no longer be true as of -rc2 since I reverted the libselinux:
> > verify file_contexts when using restorecon change.
>
> Oh thanks, yes Fedora is still on RC1.

I've just built the following packages in Rawhide:

libselinux-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767629
libsemanage-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767782
policycoreutils-2.8-0.rc2.1.fc29 - https://koji.fedoraproject.org/koji/taskinfo?taskID=26767903

> > >
> > > > * semanage fcontext -l now also lists home directory entries from
> > > >   file_contexts.homedirs.
> > > >
> > > > * semodule can now enable or disable multiple modules in the same
> > > >   operation by specifying a list of modules after -e or -d, making them
> > > >   consistent with the -i/u/r/E options.
> > > >
> > > > * CIL now supports multiple declarations of types, attributes, and
> > > >   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> > > >   or --multiple-decls option to secilc.
> > > >
> > > > * libsemanage no longer deletes the tmp directory if there is an error
> > > >   while committing the policy transaction, so that any temporary files
> > > >   can be further inspected for debugging purposes (e.g. to examine a
> > > >   particular line of the generated CIL module). The tmp directory will
> > > >   be deleted upon the next transaction, so no manual removal is needed.
> > > >
> > > > * Support was added for SCTP portcon statements. The corresponding
> > > >   kernel support was introduced in Linux 4.17, and is only active if the
> > > >   extended_socket_class policy capability is enabled in the policy.
> > > >
> > > > * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> > > >   interface, initially for use by setools4.
> > > >
> > > > * semodule_deps was removed since it has long been broken and is not useful
> > > >   for CIL modules.
> > > >
> > > > Packaging-relevant changes:
> > > >
> > > > * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> > > >   DESTDIR has to be removed from the definition. For example on Arch
> > > >   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> > > >
> > > > * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> > > >   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> > > >   Makefiles).
> > > >
> > > > * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> > > >
> > > > * selinux-gui (i.e. system-config-selinux GUI application) is now
> > > >   compatible with Python 3. Doing this required migrating away from
> > > >   PyGTK to the supported PyGI library. This means that selinux-gui now
> > > >   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> > > >   requires PyGtk or Python 2.
> > >
> > >
>
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
Re: Last call for selinux userspace 2.8 release
On 05/04/2018 09:26 AM, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> > On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > > Hi,
> > > >
> > > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > > pending patches you believe should be included in the 2.8 release, please post them soon.
> > >
> > > the rc2 release has been fine for me for several days now. And I haven't
> > > heard any issues from any gentoo users either so we're probably good to
> > > go. -rc1 failed to boot properly for me because some important things in
> > > /run or /dev didn't get labeled but that was fixed in rc2.
> >
> > Hmm...I'd like to understand that better. The change was verifying
> > file_contexts when using restorecon, which was reverted in -rc2. But the
> > fact that it prevented labeling files in -rc1 means that either you have
> > a bug in your file_contexts configuration or there is some other bug there.
>
> If it cannot validate_context then it will be unhappy:
>
> [root@julius ~]# dnf history info last
> Transaction ID : 364
> Begin time : Fri 04 May 2018 01:12:36 PM CEST
> Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
> End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
> End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
> User : kcinimod
> Return-Code: Success
> Command Line : update --exclude efi-filesystem
> Transaction performed with:
> Installed dnf-2.7.5-12.fc29.noarch @rawhide
> Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
> Packages Altered:
> Upgraded cockpit-166-1.fc29.x86_64 @rawhide
> ... snip ...
> Scriptlet output:
> 1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
> 5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0

So, just to be clear: these contexts are in fact valid but the lack of
permission to use the /sys/fs/selinux/context interface (for
security_check_context) causes it to think the context is invalid and
therefore fails? If so, then that makes sense and would be another reason
for reverting that change. In any case, -rc2 should have the fix.
Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
> On 05/04/2018 03:55 AM, Jason Zaman wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > Hi,
> > >
> > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > pending patches you believe should be included in the 2.8 release, please post them soon.
> >
> > the rc2 release has been fine for me for several days now. And I haven't
> > heard any issues from any gentoo users either so we're probably good to
> > go. -rc1 failed to boot properly for me because some important things in
> > /run or /dev didn't get labeled but that was fixed in rc2.
>
> Hmm...I'd like to understand that better. The change was verifying
> file_contexts when using restorecon, which was reverted in -rc2. But the
> fact that it prevented labeling files in -rc1 means that either you have
> a bug in your file_contexts configuration or there is some other bug there.

If it cannot validate_context then it will be unhappy:

[root@julius ~]# dnf history info last
Transaction ID : 364
Begin time : Fri 04 May 2018 01:12:36 PM CEST
Begin rpmdb: 1404:e739a03c49fec80ed41a1ea4c599d8f877b01d76
End time : Fri 04 May 2018 01:14:01 PM CEST (85 seconds)
End rpmdb : 1404:27bd40dce7edbf226ffad80f482cd75231f1b6ab **
User : kcinimod
Return-Code: Success
Command Line : update --exclude efi-filesystem
Transaction performed with:
Installed dnf-2.7.5-12.fc29.noarch @rawhide
Installed rpm-4.14.1-8.fc28.x86_64 @tmp-rawhide
Packages Altered:
Upgraded cockpit-166-1.fc29.x86_64 @rawhide
... snip ...
Scriptlet output:
1 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
2 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
3 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
4 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0
5 restorecon: /etc/selinux/dssp2-standard/contexts/files/file_contexts: has invalid context sys.id:sys.role:files.generic_boot.boot_file:s0

> >
> > > Also, let us know of any additions or changes that should be made to the release notes;
> > > the current draft is as follows.
> > >
> > > User-visible changes:
> > >
> > > * semanage fcontext -l now also lists home directory entries from
> > >   file_contexts.homedirs.
> > >
> > > * semodule can now enable or disable multiple modules in the same
> > >   operation by specifying a list of modules after -e or -d, making them
> > >   consistent with the -i/u/r/E options.
> > >
> > > * CIL now supports multiple declarations of types, attributes, and
> > >   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> > >   or --multiple-decls option to secilc.
> > >
> > > * libsemanage no longer deletes the tmp directory if there is an error
> > >   while committing the policy transaction, so that any temporary files
> > >   can be further inspected for debugging purposes (e.g. to examine a
> > >   particular line of the generated CIL module). The tmp directory will
> > >   be deleted upon the next transaction, so no manual removal is needed.
> > >
> > > * Support was added for SCTP portcon statements. The corresponding
> > >   kernel support was introduced in Linux 4.17, and is only active if the
> > >   extended_socket_class policy capability is enabled in the policy.
> >
> > Perhaps also note that the sctp stuff is in refpolicy and this 2.8
> > release is required to compile it.
> >
> > I tried doing a release of the gentoo policy (we merge from HEAD fairly
> > frequently not only the big releases) and it fails to compile. I will
> > add the sctp stuff back into gentoo's policy later then make the
> > policies require >=2.8.
> >
> > -- Jason
> >
> > > * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> > >   interface, initially for use by setools4.
> > >
> > > * semodule_deps was removed since it has long been broken and is not useful
> > >   for CIL modules.
> > >
> > > Packaging-relevant changes:
> > >
> > > * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> > >   DESTDIR has to be removed from the definition. For example on Arch
> > >   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> > >
> > > * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> > >   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> > >   Makefiles).
> > >
> > > * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> > >
> > > * selinux-gui (i.e. system-config-selinux GUI application) is now
> > >   compatible with Python
Re: Last call for selinux userspace 2.8 release
On Fri, May 04, 2018 at 09:09:20AM -0400, Stephen Smalley wrote:
> On 05/04/2018 08:19 AM, Dominick Grift wrote:
> > On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > > Hi,
> > >
> > > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > > pending patches you believe should be included in the 2.8 release, please post them soon.
> > > Also, let us know of any additions or changes that should be made to the release notes;
> > > the current draft is as follows.
> > >
> > > User-visible changes:
> >
> > One might see processes "validate_context" where they didn't before
> >
> > Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm,
> > various systemd components etc)
>
> That should no longer be true as of -rc2 since I reverted the libselinux:
> verify file_contexts when using restorecon change.

Oh thanks, yes Fedora is still on RC1.

> >
> > > * semanage fcontext -l now also lists home directory entries from
> > >   file_contexts.homedirs.
> > >
> > > * semodule can now enable or disable multiple modules in the same
> > >   operation by specifying a list of modules after -e or -d, making them
> > >   consistent with the -i/u/r/E options.
> > >
> > > * CIL now supports multiple declarations of types, attributes, and
> > >   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> > >   or --multiple-decls option to secilc.
> > >
> > > * libsemanage no longer deletes the tmp directory if there is an error
> > >   while committing the policy transaction, so that any temporary files
> > >   can be further inspected for debugging purposes (e.g. to examine a
> > >   particular line of the generated CIL module). The tmp directory will
> > >   be deleted upon the next transaction, so no manual removal is needed.
> > >
> > > * Support was added for SCTP portcon statements. The corresponding
> > >   kernel support was introduced in Linux 4.17, and is only active if the
> > >   extended_socket_class policy capability is enabled in the policy.
> > >
> > > * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> > >   interface, initially for use by setools4.
> > >
> > > * semodule_deps was removed since it has long been broken and is not useful
> > >   for CIL modules.
> > >
> > > Packaging-relevant changes:
> > >
> > > * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> > >   DESTDIR has to be removed from the definition. For example on Arch
> > >   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> > >
> > > * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> > >   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> > >   Makefiles).
> > >
> > > * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> > >
> > > * selinux-gui (i.e. system-config-selinux GUI application) is now
> > >   compatible with Python 3. Doing this required migrating away from
> > >   PyGTK to the supported PyGI library. This means that selinux-gui now
> > >   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> > >   requires PyGtk or Python 2.
> >
> >

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: Last call for selinux userspace 2.8 release
On 05/04/2018 08:19 AM, Dominick Grift wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > Hi,
> >
> > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > pending patches you believe should be included in the 2.8 release, please post them soon.
> > Also, let us know of any additions or changes that should be made to the release notes;
> > the current draft is as follows.
> >
> > User-visible changes:
>
> One might see processes "validate_context" where they didn't before
>
> Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm,
> various systemd components etc)

That should no longer be true as of -rc2 since I reverted the libselinux:
verify file_contexts when using restorecon change.

>
> > * semanage fcontext -l now also lists home directory entries from
> >   file_contexts.homedirs.
> >
> > * semodule can now enable or disable multiple modules in the same
> >   operation by specifying a list of modules after -e or -d, making them
> >   consistent with the -i/u/r/E options.
> >
> > * CIL now supports multiple declarations of types, attributes, and
> >   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> >   or --multiple-decls option to secilc.
> >
> > * libsemanage no longer deletes the tmp directory if there is an error
> >   while committing the policy transaction, so that any temporary files
> >   can be further inspected for debugging purposes (e.g. to examine a
> >   particular line of the generated CIL module). The tmp directory will
> >   be deleted upon the next transaction, so no manual removal is needed.
> >
> > * Support was added for SCTP portcon statements. The corresponding
> >   kernel support was introduced in Linux 4.17, and is only active if the
> >   extended_socket_class policy capability is enabled in the policy.
> >
> > * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> >   interface, initially for use by setools4.
> >
> > * semodule_deps was removed since it has long been broken and is not useful
> >   for CIL modules.
> >
> > Packaging-relevant changes:
> >
> > * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> >   DESTDIR has to be removed from the definition. For example on Arch
> >   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >
> > * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >   Makefiles).
> >
> > * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> >
> > * selinux-gui (i.e. system-config-selinux GUI application) is now
> >   compatible with Python 3. Doing this required migrating away from
> >   PyGTK to the supported PyGI library. This means that selinux-gui now
> >   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> >   requires PyGtk or Python 2.
>
Re: Last call for selinux userspace 2.8 release
On 05/04/2018 03:55 AM, Jason Zaman wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> > Hi,
> >
> > If you have encountered any unreported problems with the 2.8-rcX releases or have any
> > pending patches you believe should be included in the 2.8 release, please post them soon.
>
> the rc2 release has been fine for me for several days now. And I haven't
> heard any issues from any gentoo users either so we're probably good to
> go. -rc1 failed to boot properly for me because some important things in
> /run or /dev didn't get labeled but that was fixed in rc2.

Hmm...I'd like to understand that better. The change was verifying
file_contexts when using restorecon, which was reverted in -rc2. But the
fact that it prevented labeling files in -rc1 means that either you have
a bug in your file_contexts configuration or there is some other bug there.

>
> > Also, let us know of any additions or changes that should be made to the release notes;
> > the current draft is as follows.
> >
> > User-visible changes:
> >
> > * semanage fcontext -l now also lists home directory entries from
> >   file_contexts.homedirs.
> >
> > * semodule can now enable or disable multiple modules in the same
> >   operation by specifying a list of modules after -e or -d, making them
> >   consistent with the -i/u/r/E options.
> >
> > * CIL now supports multiple declarations of types, attributes, and
> >   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
> >   or --multiple-decls option to secilc.
> >
> > * libsemanage no longer deletes the tmp directory if there is an error
> >   while committing the policy transaction, so that any temporary files
> >   can be further inspected for debugging purposes (e.g. to examine a
> >   particular line of the generated CIL module). The tmp directory will
> >   be deleted upon the next transaction, so no manual removal is needed.
> >
> > * Support was added for SCTP portcon statements. The corresponding
> >   kernel support was introduced in Linux 4.17, and is only active if the
> >   extended_socket_class policy capability is enabled in the policy.
>
> Perhaps also note that the sctp stuff is in refpolicy and this 2.8
> release is required to compile it.
>
> I tried doing a release of the gentoo policy (we merge from HEAD fairly
> frequently not only the big releases) and it fails to compile. I will
> add the sctp stuff back into gentoo's policy later then make the
> policies require >=2.8.
>
> -- Jason
>
> > * sepol_polcap_getnum/name() were exported as part of the shared libsepol
> >   interface, initially for use by setools4.
> >
> > * semodule_deps was removed since it has long been broken and is not useful
> >   for CIL modules.
> >
> > Packaging-relevant changes:
> >
> > * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
> >   DESTDIR has to be removed from the definition. For example on Arch
> >   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
> >
> > * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
> >   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
> >   Makefiles).
> >
> > * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
> >
> > * selinux-gui (i.e. system-config-selinux GUI application) is now
> >   compatible with Python 3. Doing this required migrating away from
> >   PyGTK to the supported PyGI library. This means that selinux-gui now
> >   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
> >   requires PyGtk or Python 2.
>
Re: Last call for selinux userspace 2.8 release
On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> Hi,
>
> If you have encountered any unreported problems with the 2.8-rcX releases or have any
> pending patches you believe should be included in the 2.8 release, please post them soon.
> Also, let us know of any additions or changes that should be made to the release notes;
> the current draft is as follows.
>
> User-visible changes:

One might see processes "validate_context" where they didn't before

Generally processes that use lgetfilecon/lsetfilecon I suspect (like lvm,
various systemd components etc)

>
> * semanage fcontext -l now also lists home directory entries from
>   file_contexts.homedirs.
>
> * semodule can now enable or disable multiple modules in the same
>   operation by specifying a list of modules after -e or -d, making them
>   consistent with the -i/u/r/E options.
>
> * CIL now supports multiple declarations of types, attributes, and
>   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
>   or --multiple-decls option to secilc.
>
> * libsemanage no longer deletes the tmp directory if there is an error
>   while committing the policy transaction, so that any temporary files
>   can be further inspected for debugging purposes (e.g. to examine a
>   particular line of the generated CIL module). The tmp directory will
>   be deleted upon the next transaction, so no manual removal is needed.
>
> * Support was added for SCTP portcon statements. The corresponding
>   kernel support was introduced in Linux 4.17, and is only active if the
>   extended_socket_class policy capability is enabled in the policy.
>
> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
>   interface, initially for use by setools4.
>
> * semodule_deps was removed since it has long been broken and is not useful
>   for CIL modules.
>
> Packaging-relevant changes:
>
> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
>   DESTDIR has to be removed from the definition. For example on Arch
>   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
>
> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
>   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
>   Makefiles).
>
> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
>
> * selinux-gui (i.e. system-config-selinux GUI application) is now
>   compatible with Python 3. Doing this required migrating away from
>   PyGTK to the supported PyGI library. This means that selinux-gui now
>   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
>   requires PyGtk or Python 2.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: Last call for selinux userspace 2.8 release
On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
> Hi,
>
> If you have encountered any unreported problems with the 2.8-rcX releases or have any
> pending patches you believe should be included in the 2.8 release, please post them soon.

the rc2 release has been fine for me for several days now. And I haven't
heard any issues from any gentoo users either so we're probably good to
go. -rc1 failed to boot properly for me because some important things in
/run or /dev didn't get labeled but that was fixed in rc2.

> Also, let us know of any additions or changes that should be made to the release notes;
> the current draft is as follows.
>
> User-visible changes:
>
> * semanage fcontext -l now also lists home directory entries from
>   file_contexts.homedirs.
>
> * semodule can now enable or disable multiple modules in the same
>   operation by specifying a list of modules after -e or -d, making them
>   consistent with the -i/u/r/E options.
>
> * CIL now supports multiple declarations of types, attributes, and
>   (non-conflicting) object contexts (e.g. genfscon), enabled via the -m
>   or --multiple-decls option to secilc.
>
> * libsemanage no longer deletes the tmp directory if there is an error
>   while committing the policy transaction, so that any temporary files
>   can be further inspected for debugging purposes (e.g. to examine a
>   particular line of the generated CIL module). The tmp directory will
>   be deleted upon the next transaction, so no manual removal is needed.
>
> * Support was added for SCTP portcon statements. The corresponding
>   kernel support was introduced in Linux 4.17, and is only active if the
>   extended_socket_class policy capability is enabled in the policy.

Perhaps also note that the sctp stuff is in refpolicy and this 2.8
release is required to compile it.

I tried doing a release of the gentoo policy (we merge from HEAD fairly
frequently not only the big releases) and it fails to compile. I will
add the sctp stuff back into gentoo's policy later then make the
policies require >=2.8.

-- Jason

> * sepol_polcap_getnum/name() were exported as part of the shared libsepol
>   interface, initially for use by setools4.
>
> * semodule_deps was removed since it has long been broken and is not useful
>   for CIL modules.
>
> Packaging-relevant changes:
>
> * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc.,
>   DESTDIR has to be removed from the definition. For example on Arch
>   Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin".
>
> * Defining variable LIBSEPOLA (to /usr/lib/libsepol.a, for example) is
>   no longer mandatory (thanks to the switch to "-l:libsepol.a" in
>   Makefiles).
>
> * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed).
>
> * selinux-gui (i.e. system-config-selinux GUI application) is now
>   compatible with Python 3. Doing this required migrating away from
>   PyGTK to the supported PyGI library. This means that selinux-gui now
>   depends on python-gobject, Gtk+ 3 and selinux-python. It no longer
>   requires PyGtk or Python 2.