* Fri Mar 07 2025 cathy.hu@suse.com
- Update to version 3.8.1
https://github.com/SELinuxProject/selinux/releases/tag/3.8.1
* no source change
* Tue Feb 04 2025 rfrohl@suse.com
- Update to version 3.8
https://github.com/SELinuxProject/selinux/releases/tag/3.8
* libsepol: Support nlmsg extended permissions
* libsepol: Add policy capability netlink_xperm
* libsepol: add support for xperms in conditional policies
* Code improvements and bug fixes
- For a more in depth list of changes see
https://github.com/SELinuxProject/selinux/releases/download/3.8/shortlog-3.8.txt
- keyring: Update Petr Lautrbach <lautrbach@redhat.com>
* removed 0xBC3905F235179CF1 (expired: 2024-10-25)
* added 0xFB4C685B5DC1C13E (expires: 2026-11-04)
* Mon Jul 01 2024 cathy.hu@suse.com
- Update to version 3.7
https://github.com/SELinuxProject/selinux/releases/tag/3.7
* User-visible changes:
* libsepol: improve policy lookup failure message
* libsepol: include prefix for module policy versions
* libsepol: validate type-attribute-map for old policies
* libsepol: only exempt gaps checking for kernel policies
* Bugfixes:
* libsepol/src/Makefile: fix reallocarray detection
* libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
* libsepol: ensure transitivity in compare functions
* oss-fuzz fixes:
* libsepol: check scope permissions refer to valid class
* libsepol: validate attribute-type maps
* libsepol: reject self flag in type rules in old policies
* libsepol: validate class permissions
* libsepol: validate access vector permissions
* libsepol: reject MLS support in pre-MLS policies
* libsepol: Fix buffer overflow when using sepol_av_to_string()
* libsepol: Use a dynamic buffer in sepol_av_to_string()
* Tue Dec 19 2023 cathy.hu@suse.com
- Update to version 3.6
https://github.com/SELinuxProject/selinux/releases/tag/3.6
* struct cond_expr_t bool renamed to boolean
The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro
* Add notself support for neverallow rules
* Improve man pages
* man pages: Remove the Russian translations
* Add notself and other support to CIL
* Add support for deny rules
* Translations updated from
https://translate.fedoraproject.org/projects/selinux/
* Bug fixes
- Remove keys from keyring since they expired:
- E853C1848B0185CF42864DF363A8AD4B982C4373
Petr Lautrbach <plautrba@redhat.com>
- 63191CE94183098689CAB8DB7EF137EC935B0EAF
Jason Zaman <jasonzaman@gmail.com>
- Add key to keyring:
- B8682847764DF60DF52D992CBC3905F235179CF1
Petr Lautrbach <lautrbach@redhat.com>
* Thu Mar 23 2023 mliska@suse.cz
- Enable LTO now (boo#1138813).
* Fri Feb 24 2023 jsegitz@suse.com
- Update to version 3.5
* Stricter policy validation
* do not write empty class definitions to allow simpler round-trip tests
* reject attributes in type av rules for kernel policies
- Added additional developer key (Jason Zaman)
* Mon May 09 2022 jsegitz@suse.com
- Update to version 3.4
* Add 'ioctl_skip_cloexec' policy capability
* Add sepol_av_perm_to_string
* Add policy utilities
* Support IPv4/IPv6 address embedding
* Hardened/added many validations
* Add support for file types in writing out policy.conf
* Allow optional file type in genfscon rules
* Thu Nov 11 2021 jsegitz@suse.com
- Update to version 3.3
* Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
are all included
* Lot of smaller fixes identified by fuzzing
* Wed Jul 21 2021 jsegitz@suse.com
- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
Added CVE-2021-36087.patch
* Mon Jul 05 2021 jsegitz@suse.com
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
Added CVE-2021-36086.patch