libsepol/libsepol.changes

-------------------------------------------------------------------
Mon Jul  1 08:01:08 UTC 2024 - Cathy Hu <cathy.hu@suse.com>

- Update to version 3.7
  https://github.com/SELinuxProject/selinux/releases/tag/3.7
  * User-visible changes:
    * libsepol: improve policy lookup failure message
    * libsepol: include prefix for module policy versions
    * libsepol: validate type-attribute-map for old policies
    * libsepol: only exempt gaps checking for kernel policies
  * Bugfixes:
    * libsepol/src/Makefile: fix reallocarray detection
    * libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
    * libsepol: ensure transitivity in compare functions
  * oss-fuzz fixes:
    * libsepol: check scope permissions refer to valid class
    * libsepol: validate attribute-type maps
    * libsepol: reject self flag in type rules in old policies
    * libsepol: validate class permissions
    * libsepol: validate access vector permissions
    * libsepol: reject MLS support in pre-MLS policies
    * libsepol: Fix buffer overflow when using sepol_av_to_string()
    * libsepol: Use a dynamic buffer in sepol_av_to_string()

-------------------------------------------------------------------
Tue Dec 19 09:20:58 UTC 2023 - Cathy Hu <cathy.hu@suse.com>

- Update to version 3.6
  https://github.com/SELinuxProject/selinux/releases/tag/3.6
  * struct cond_expr_t bool renamed to boolean
    The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro 
  * Add notself support for neverallow rules
  * Improve man pages
  * man pages: Remove the Russian translations
  * Add notself and other support to CIL
  * Add support for deny rules
  * Translations updated from
    https://translate.fedoraproject.org/projects/selinux/
  * Bug fixes
- Remove keys from keyring since they expired:
  - E853C1848B0185CF42864DF363A8AD4B982C4373
    Petr Lautrbach <plautrba@redhat.com>
  - 63191CE94183098689CAB8DB7EF137EC935B0EAF
    Jason Zaman <jasonzaman@gmail.com>
- Add key to keyring: 
  - B8682847764DF60DF52D992CBC3905F235179CF1 
    Petr Lautrbach <lautrbach@redhat.com> 

-------------------------------------------------------------------
Thu Mar 23 16:06:02 UTC 2023 - Martin Liška <mliska@suse.cz>

- Enable LTO now (boo#1138813).

-------------------------------------------------------------------
Fri Feb 24 07:50:14 UTC 2023 - Johannes Segitz <jsegitz@suse.com>

- Update to version 3.5
  * Stricter policy validation
  * do not write empty class definitions to allow simpler round-trip tests
  * reject attributes in type av rules for kernel policies
- Added additional developer key (Jason Zaman)

-------------------------------------------------------------------
Mon May  9 10:27:53 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

- Update to version 3.4
  * Add 'ioctl_skip_cloexec' policy capability
  * Add sepol_av_perm_to_string
  * Add policy utilities
  * Support IPv4/IPv6 address embedding
  * Hardened/added many validations
  * Add support for file types in writing out policy.conf
  * Allow optional file type in genfscon rules

-------------------------------------------------------------------
Thu Nov 11 13:28:14 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 3.3
  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
    are all included
  * Lot of smaller fixes identified by fuzzing

-------------------------------------------------------------------
Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
  Added CVE-2021-36087.patch

-------------------------------------------------------------------
Mon Jul  5 11:31:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
  Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
  Added CVE-2021-36086.patch

-------------------------------------------------------------------
Tue Mar  9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Update to version 3.2
  * more space-efficient form of storing filename transitions in the binary
    policy and reduced the size of the binary policy
  * dropped old and deprecated symbols and functions. Version was bumped to
    libsepol.so.2

-------------------------------------------------------------------
Thu Oct 29 10:40:16 UTC 2020 - Ludwig Nussel <lnussel@suse.de>

- install to /usr (boo#1029961)

-------------------------------------------------------------------
Tue Jul 14 08:39:58 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Update to version 3.1
  * Add support for new polcap genfs_seclabel_symlinks
  * Initialize the multiple_decls field of the cil db
  * Return error when identifier declared as both type and attribute
  * Write CIL default MLS rules on separate lines
  * Sort portcon rules consistently
  * Remove leftovers of cil_mem_error_handler
  * Drop remove_cil_mem_error_handler.patch, is included

-------------------------------------------------------------------
Mon Apr 27 19:35:18 UTC 2020 - Martin Liška <mliska@suse.cz>

- Enable -fcommon in order to fix boo#1160874.

-------------------------------------------------------------------
Tue Mar  3 12:17:04 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- Update to version 3.0
  * cil: Allow validatetrans rules to be resolved
  * cil: Report disabling an optional block only at high verbose levels
  * cil: do not dereference perm_value_to_cil when it has not been allocated
  * cil: fix mlsconstrain segfault
  * Further improve binary policy optimization
  * Make an unknown permission an error in CIL
  * Remove cil_mem_error_handler() function pointer
  * Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping
  * Add a function to optimize kernel policy
  * Add ebitmap_for_each_set_bit macro

  Dropped fnocommon.patch as it's included upstream

-------------------------------------------------------------------
Thu Jan 30 14:11:56 UTC 2020 - Johannes Segitz <jsegitz@suse.de>

- Add fnocommon.patch to prevent build failures on gcc10 and
  remove_cil_mem_error_handler.patch to prevent build failures due to 
  leftovers from the removal of cil_mem_error_handler (bsc#1160874)

-------------------------------------------------------------------
Thu Jun 20 10:25:00 UTC 2019 - Martin Liška <mliska@suse.cz>

- Disable LTO due to symbol versioning (boo#1138813).

-------------------------------------------------------------------
Wed Mar 20 15:12:34 UTC 2019 - jsegitz@suse.com

- Update to version 2.9
  * Add two new Xen initial SIDs
  * Check that initial sid indexes are within the valid range
  * Create policydb_sort_ocontexts()
  * Eliminate initial sid string definitions in module_to_cil.c
  * Rename kernel_to_common.c stack functions
  * add missing ibendport port validity check
  * destroy the copied va_list
  * do not call malloc with 0 byte
  * do not leak memory if list_prepend fails
  * do not use uninitialized value for low_value
  * fix endianity in ibpkey range checks
  * ibpkeys.c: fix printf format string specifiers for subnet_prefix
  * mark permissive types when loading a binary policy

-------------------------------------------------------------------
Thu Nov  8 09:34:54 UTC 2018 - Jan Engelhardt <jengelh@inai.de>

- Use more %make_install.

-------------------------------------------------------------------
Thu Nov  8 07:19:24 UTC 2018 - jsegitz@suse.com

- Adjusted source urls (bsc#1115052)

-------------------------------------------------------------------
Wed Oct 17 11:54:52 UTC 2018 - jsegitz@suse.com

- Update to version 2.8 (bsc#1111732)
  For changes please see
  https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt

-------------------------------------------------------------------
Wed May 16 07:13:18 UTC 2018 - mcepl@suse.com

- Rebase to 2.7
  For changes please see
  https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt

-------------------------------------------------------------------
Fri Nov 24 09:16:47 UTC 2017 - jsegitz@suse.com

- Update to version 2.6. Notable changes:
  * Add support for converting extended permissions to CIL
  * Create user and role caches when building binary policy
  * Check for too many permissions in classes and commons in CIL
  * Fix xperm mapping between avrule and avtab
  * Produce more meaningful error messages for conflicting type rules in CIL
  * Change which attributes CIL keeps in the binary policy
  * Warn instead of fail if permission is not resolved
  * Ignore object_r when adding userrole mappings to policydb
  * Correctly detect unknown classes in sepol_string_to_security_class
  * Fix neverallowxperm checking on attributes
  * Only apply bounds checking to source types in rules
  * Fix CIL and not add an attribute as a type in the attr_type_map
  * Fix extended permissions neverallow checking
  * Fix CIL neverallow and bounds checking
  * Add support for portcon dccp protocol

-------------------------------------------------------------------
Fri Jul 15 14:29:28 UTC 2016 - jengelh@inai.de

- Update RPM groups, trim description and combine filelist entries.

-------------------------------------------------------------------
Thu Jul 14 14:38:09 UTC 2016 - mpluskal@suse.com

- Cleanup spec file with spec-cleaner
- Make spec file a bit more easy
- Ship new supbackage (-tools)

-------------------------------------------------------------------
Thu Jul 14 14:21:46 UTC 2016 - jsegitz@novell.com

- Without bug number no submit to SLE 12 SP2 is possible, so to make
  sle-changelog-checker happy: bsc#988977

-------------------------------------------------------------------
Thu Jul 14 07:57:35 UTC 2016 - jsegitz@novell.com

- Adjusted source link

-------------------------------------------------------------------
Tue Jul  5 17:11:44 UTC 2016 - i@marguerite.su

- update version 2.5
  * Fix unused variable annotations
  * Fix uninitialized variable in CIL
  * Validate extended avrules and permissionxs in CIL
  * Add support in CIL for neverallowx
  * Fully expand neverallowxperm rules
  * Add support for unordered classes to CIL
  * Add neverallow support for ioctl extended permissions
  * Improve CIL block and macro call recursion detection
  * Fix CIL uninitialized false positive in cil_binary
  * Provide error in CIL if classperms are empty
  * Add userattribute{set} functionality to CIL
  * fix CIL blockinherit copying segfault and add macro restrictions
  * fix CIL NULL pointer dereference when copying classpermission/set
  * Add CIL support for ioctl whitelists
  * Fix memory leak when destroying avtab
  * Replace sscanf in module_to_cil
  * Improve CIL resolution error messages
  * Fix policydb_read for policy versions < 24
  * Added CIL bounds checking and refactored CIL Neverallow checking
  * Refactored libsepol Neverallow and bounds (hierarchy) checking
  * Treat types like an attribute in the attr_type_map
  * Add new ebitmap function named ebitmap_match_any()
  * switch operations to extended perms
  * Write auditadm_r and secadm_r roles to base module when writing CIL
  * Fix module to CIL to only associate declared roleattributes with in-scope types
  * Don't allow categories/sensitivities inside blocks in CIL
  * Replace fmemopen() with internal function in libsepol
  * Verify users prior to evaluating users in cil
  * Binary modules do not support ioctl rules
  * Add support for ioctl command whitelisting
  * Don't use symbol versioning for static object files
  * Add sepol_module_policydb_to_cil(), sepol_module_package_to_cil(), 
    and sepol_ppfile_to_module_package()
  * Move secilc out of libsepol
  * fix building Xen policy with devicetreecon, and add devicetreecon
    CIL documentation
  * bool_copy_callback set state on creation
  * Add device tree ocontext nodes to Xen policy
  * Widen Xen IOMEM context entries
  * Fix error path in mls_semantic_level_expand()
  * Update to latest CIL, includes new name resolution and fixes ordering
    issues with blockinherit statements, and bug fixes
- changes in 2.4
  * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
  * Fix bugs found by hardened gcc flags
  * Build CIL into libsepol. libsepol can be built without CIL by setting the
    DISABLE_CIL flag to 'y'
  * Add an API function to set target_platform
  * Report all neverallow violations
  * Improve check_assertions performance
  * Allow libsepol C++ static library on device

-------------------------------------------------------------------
Fri May 16 13:06:12 UTC 2014 - vcizek@suse.com

- update to 2.3
  * Improve error message for name-based transition conflicts.
  * Revert libsepol: filename_trans: use some better sorting to compare and merge.
  * Report source file and line information for neverallow failures.
  * Fix valgrind errors in constraint_expr_eval_reason from Richard Haines.
  * Add sepol_validate_transition_reason_buffer function from Richard Haines.
- dropped libsepol-2.1.4-role_fix_callback.patch (upstream)

-------------------------------------------------------------------
Thu Oct 31 13:36:48 UTC 2013 - p.drouand@gmail.com

- Update to version 2.2
  * Allow constraint denial cause to be determined
	  - Add kernel policy version 29.
	  - Add modular policy version 17.
	  - Add sepol_compute_av_reason_buffer(), sepol_string_to_security
       _class(), sepol_string_to_av_perm().
  * Support overriding Makefile RANLIB
  * Fix man pages
- Remove libsepol-rhat.patch; merged on upstream

-------------------------------------------------------------------
Thu Jun 27 14:37:12 UTC 2013 - vcizek@suse.com

- change the source url to the official 2.1.9 release tarball

-------------------------------------------------------------------
Sat Jun 22 01:40:19 UTC 2013 - crrodriguez@opensuse.org

- Build with LFS_CFLAGS for 32 bit archs 

-------------------------------------------------------------------
Fri Apr  5 15:31:13 UTC 2013 - vcizek@suse.com

- remove a debugging artifact in spec

-------------------------------------------------------------------
Thu Apr  4 19:26:35 UTC 2013 - vcizek@suse.com

- fixed source url

-------------------------------------------------------------------
Wed Feb 13 14:34:39 UTC 2013 - vcizek@suse.com

- update to 2.1.9
  * filename_trans: use some better sorting to compare and merge
  * coverity fixes
  * implement default type policy syntax
  * Fix memory leak issues found by Klocwork
- added libsepol-rhat.patch

-------------------------------------------------------------------
Mon Jan  7 22:46:48 UTC 2013 - jengelh@inai.de

- Remove obsolete defines/sections

-------------------------------------------------------------------
Mon Dec 10 17:34:14 UTC 2012 - p.drouand@gmail.com

- Update to 2.1.8 version:
  * fix neverallow checking on attributes
  * Move context_copy() after switch block in ocontext_copy_*().
  * check for missing initial SID labeling statement.
  * Add always_check_network policy capability
  * role_fix_callback skips out-of-scope roles during expansion.

-------------------------------------------------------------------
Thu Oct 25 10:47:00 UTC 2012 - vcizek@suse.com

- skip roles which are out of scope when expanding attributes
- needed for building selinux-policy

-------------------------------------------------------------------
Wed Jul 25 11:16:59 UTC 2012 - meissner@suse.com

- updated to 2.1.4
  - lots of updates

-------------------------------------------------------------------
Wed Oct  5 15:11:06 UTC 2011 - uli@suse.com

- cross-build fix: use %__cc macro

-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de

- use %_smp_mflags

-------------------------------------------------------------------
Sat Apr 24 11:38:22 UTC 2010 - coolo@novell.com

- buildrequire pkg-config to fix provides

-------------------------------------------------------------------
Thu Feb 25 15:00:29 UTC 2010 - prusnak@suse.cz

- updated to 2.0.41
  * changes too numerous to list

-------------------------------------------------------------------
Sun Dec 13 01:35:55 CET 2009 - jengelh@medozas.de

- add baselibs.conf as a source

-------------------------------------------------------------------
Wed Nov 11 18:18:22 UTC 2009 - crrodriguez@opensuse.org

- libsepol-devel Requires glibc-devel

-------------------------------------------------------------------
Fri Jun 19 13:26:45 CEST 2009 - prusnak@suse.cz

- put static library in libsepol-devel-static

-------------------------------------------------------------------
Wed May 27 13:56:59 CEST 2009 - prusnak@suse.cz

- updated to 2.0.36
  * fix alias field in module format, caused by boundary format
    change from Caleb Case
  * fix boolean state smashing from Joshua Brindle

-------------------------------------------------------------------
Mon Dec  1 11:37:58 CET 2008 - prusnak@suse.cz

- updated to 2.0.34
  * add bounds support
  * fix invalid aliases bug

-------------------------------------------------------------------
Wed Oct 22 16:17:24 CEST 2008 - mrueckert@suse.de

- fix debug_packages_requires define

-------------------------------------------------------------------
Tue Sep 23 12:53:01 CEST 2008 - prusnak@suse.cz

- require only version, not release [bnc#429053]

-------------------------------------------------------------------
Fri Aug 22 14:45:33 CEST 2008 - prusnak@suse.cz

- added baselibs.conf file

-------------------------------------------------------------------
Fri Aug  1 17:32:23 CEST 2008 - ro@suse.de

- fix requires for debuginfo package

-------------------------------------------------------------------
Tue Jul 15 15:35:54 CEST 2008 - prusnak@suse.cz

- initial version 2.0.32
  * based on Fedora package by Dan Walsh <dwalsh@redhat.com>