- Upgrade to latest from NSA
Updated version for release.
Altered rpm_execcon fallback logic for permissive mode to also handle case
where /selinux/enforce is not available.
- corrected use of getline
- further calls to __fsetlocking for local files
- use of strdupa and asprintf
- proper handling of dirent in booleans code
- use of -z relro
- several other optimizations
Merged getpidcon python wrapper from Dan Walsh (Red Hat).
Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and modified
matchpathcon implementation to make context validation/
canonicalization optional at matchpathcon_init time, deferring it to a
successful matchpathcon by default unless the new flag is set by the
caller.
Added matchpathcon_init_prefix() interface, and reworked matchpathcon
implementation to support selective loading of file contexts entries
based on prefix matching between the pathname regex stems and the
specified path prefix (stem must be a prefix of the specified path
prefix).
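The prefix-based selection described in the entry above, as an added illustration that is not libselinux's own code. The function names are hypothetical, the sample regexes are constructed, and treating the stem as the first path component when it contains no regex metacharacters is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample file_contexts pathname regexes (not from a real policy). */
static const char *const sample_specs[] = {
    "/usr/bin(/.*)?",
    "/etc/passwd",
    "/.*",
    "/home/[^/]+/\\.ssh(/.*)?",
    "/(usr|opt)/lib(/.*)?",
};
#define NSPECS (sizeof(sample_specs) / sizeof(sample_specs[0]))

/* Length of the literal stem: the first path component, up to but not
 * including the second '/'. Returns 0 when there is no second '/' or the
 * component contains a regex metacharacter (assumed definition of "stem"). */
static size_t stem_len(const char *regex)
{
    const char *slash, *p;

    if (regex[0] != '/' || (slash = strchr(regex + 1, '/')) == NULL)
        return 0;
    for (p = regex; p < slash; p++)
        if (strchr(".^$?*+|[({", *p) != NULL)
            return 0;
    return (size_t)(slash - regex);
}

/* 1 if the entry is loaded for this path prefix. Entries without a literal
 * stem can match any path, so they are always kept. */
static int entry_wanted(const char *regex, const char *prefix)
{
    size_t n = stem_len(regex);

    if (prefix == NULL || n == 0)
        return 1;
    return strncmp(prefix, regex, n) == 0; /* stem must be a prefix of prefix */
}

static size_t count_loaded(const char *prefix)
{
    size_t i, n = 0;

    for (i = 0; i < NSPECS; i++)
        n += (size_t)entry_wanted(sample_specs[i], prefix);
    return n;
}

int main(void)
{
    printf("entries loaded for /usr/bin: %zu of %zu\n",
           count_loaded("/usr/bin"), (size_t)NSPECS);
    return 0;
}
```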
Added -f file_contexts option to matchpathcon util. Fixed warning message
in matchpathcon_init().
Merged Makefile python definitions patch from Dan Walsh.
Added security_canonicalize_context() interface and
set_matchpathcon_canoncon() interface for obtaining canonical contexts.
Changed matchpathcon internals to obtain canonical contexts by default.
Provided fallback for kernels that lack extended selinuxfs context
interface.
- Patch to not translate mls when calling setfiles
Merged seusers parser changes from Ivan Gyurdiev.
Merged setsebool to libsemanage patch from Ivan Gyurdiev.
Changed seusers parser to reject empty fields.
Merged get_default_context_with_rolelevel and man pages from Dan Walsh (Red
Hat).
Updated call to sepol_policydb_to_image for sepol changes.
Changed getseuserbyname to ignore empty lines and to handle no matching
entry in the same manner as no seusers file.
Changed selinux_mkload_policy to try downgrading the latest policy version
available to the kernel-supported version.
Changed selinux_mkload_policy to fall back to the maximum policy version
supported by libsepol if the kernel policy version falls outside of the
supported range.
Changed getseuserbyname to fall back to the Linux username and NULL level
if seusers config file doesn't exist unless REQUIRESEUSERS=1 is set in
/etc/selinux/config.
Moved seusers.conf under $SELINUXTYPE and renamed to seusers.
Added selinux_init_load_policy() function as an even higher level interface
for the initial policy load by /sbin/init. This obsoletes the
load_policy() function in the sysvinit-selinux.patch.
Added selinux_mkload_policy() function as a higher level interface for
loading policy than the security_load_policy() interface.
Merged fix for matchpathcon (regcomp error checking) from Johan Fischer.
Also added use of regerror to obtain the error string for inclusion in
the error message.
Merged modified form of patch to avoid dlopen/dlclose by the static
libselinux from Dan Walsh. Users of the static libselinux will not have
any context translation by default.
Hid translation-related symbols entirely and ensured that raw functions
have hidden definitions for internal use.
Allowed setting NULL via context_set* functions.
Allowed whitespace in MLS component of context.
Changed rpm_execcon to use translated functions to work around lack of MLS
level on upgraded systems.
Merged several fixes for error handling paths in the AVC sidtab,
matchpathcon, booleans, context, and get_context_list code from Serge
Hallyn (IBM). Bugs found by Coverity.
Removed setupns; migrated to pam.
Merged patches to rename checkPasswdAccess() from Joshua Brindle. Original
symbol is temporarily retained for compatibility until all callers are
updated.
Merged avcstat and selinux man page from Dan Walsh.
Changed security_load_booleans to process booleans.local even if booleans
file doesn't exist.
Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
- Fix avcstat to clear totals
Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
Rewrote get_ordered_context_list and helpers, including changing logic to
allow variable MLS fields.
Added set_matchpathcon_flags() function for setting flags controlling
operation of matchpathcon. MATCHPATHCON_BASEONLY means only process the
base file_contexts file, not file_contexts.homedirs or
file_contexts.local, and is for use by setfiles -c.
Updated matchpathcon.3 man page.