The SELinux userspace libraries and programs recently released version 2.6. I bumped them in Gentoo a couple of days ago. They add a ton of new features; here are a few of the main points:
I finally got semanage and sepolicy updated to use setools4. Setools4 replaces setools3, which has been unmaintained for quite a long time and had issues with the new policy versions. If you previously had policy-version = 29 in your /etc/selinux/semanage.conf, you can comment it out after updating to
genhomedircon has a ton of updates. I added new templating patterns that are expanded for usernames and IDs. I added support for
to expand in fcontexts. This was primarily for
genhomedircon finally has support for %group syntax in the list of users. You can now do:
semanage login --add -s staff_u -r 's0-s0:c0.c1023' '%wheel'
Instead of having to hardcode all the admins' usernames. This is something I'd wanted for ages but didn't get around to, so thanks a ton to Gary for this. Once this has all gone stable I'll look into adding this automatically to seusers.
genhomedircon now replaces the whole context instead of only the user part. This means genhomedircon can support RBACSEP now. This is role-based separation instead of the UBAC (user-based access control) we currently have in Gentoo. UBAC has some limitations around switching users that RBACSEP would be able to fix. Because of this, entries mapped to the default user and to system_u are no longer special-cased. This fixes an issue where, if a user had a home directory outside /home, the fcontexts for it would be missing. There is another side effect of this fix: a warning is now printed:
libsemanage.add_user: user system_u not in password file
This is caused by this login mapping:
# semanage login -l
system_u             system_u             s0-s0:c0.c1023       *
The warning is non-fatal and doesn't actually cause any problems. It is printed because system_u is not a valid Linux user, so the line is meaningless. I will remove this line from seusers in the policy when I add %wheel. If you want to make the warning go away now, you can run:
semanage login --delete system_u
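The two genhomedircon behaviours discussed above, the %group entries in seusers and the "user X not in password file" warning, can be modelled without a SELinux box. The script below is an added example, not code from this post or from the SELinux userspace project: it reads a seusers file in the same name:seuser:range format, warns about entries that name neither a login nor an existing %group (the system_u line is exactly such an entry), and expands a %group entry into the logins whose home directories need contexts. The expansion rule used (members listed in the group file plus users whose primary GID is that group) is my reading of the feature, not something the post states, and the passwd, group and seusers data are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of the SELinux userspace
# code. Models the seusers validity check and %group expansion described in
# the post. The %group expansion rule (explicit members plus users whose
# primary GID is the group) is an assumption, not taken from the post.
# Sample passwd/group/seusers files are constructed here so the script runs
# anywhere, without semanage or SELinux; on a real system you would point
# the functions at /etc/passwd, /etc/group and /etc/selinux/<type>/seusers.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample data (not from a real system).
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/srv/bob:/bin/sh
carol:x:1002:10::/home/carol:/bin/sh
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
wheel:x:10:alice
users:x:100:
EOF
# Same layout as seusers: name:seuser:mls_range (the range itself has colons).
cat > "$SAMPLE_DIR/seusers" <<'EOF'
__default__:user_u:s0
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
%wheel:staff_u:s0-s0:c0.c1023
%adm:staff_u:s0-s0:c0.c1023
bob:user_u:s0
EOF

# check_seusers SEUSERS PASSWD GROUP
# Warns on stderr about every entry whose name is neither a login in PASSWD
# nor a %group present in GROUP, and prints the number of such entries on
# stdout. __default__ is the fallback mapping and is never a real login.
check_seusers() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        name=${line%%:*}
        case $name in
            __default__) ;;
            %*) grep -q "^${name#%}:" "$3" ||
                    { echo "group ${name#%} not in group file" >&2; bad=$((bad + 1)); } ;;
            *)  grep -q "^$name:" "$2" ||
                    { echo "user $name not in password file" >&2; bad=$((bad + 1)); } ;;
        esac
    done < "$1"
    echo "$bad"
}

# homedirs_for_entry NAME PASSWD GROUP
# Prints "login:home" for each login covered by a seusers entry name. A plain
# login maps to itself; %group expands to the group's explicit members plus
# users whose primary GID is the group's (assumed rule, see header comment).
homedirs_for_entry() {
    case $1 in
        %*)
            grp=${1#%}
            gline=$(grep "^$grp:" "$3") || return 1
            gid=$(echo "$gline" | cut -d: -f3)
            members=$(echo "$gline" | cut -d: -f4 | tr ',' ' ')
            primaries=$(awk -F: -v g="$gid" '$4 == g { print $1 }' "$2")
            seen=" "
            for u in $members $primaries; do
                case $seen in *" $u "*) continue ;; esac   # skip duplicates
                seen="$seen$u "
                home=$(awk -F: -v u="$u" '$1 == u { print $6 }' "$2")
                if [ -n "$home" ]; then echo "$u:$home"; fi
            done
            ;;
        *)
            awk -F: -v u="$1" '$1 == u { print $1 ":" $6 }' "$2"
            ;;
    esac
}

# Run both checks over the constructed data.
echo "seusers entries with no matching login or group: $(check_seusers "$SAMPLE_DIR/seusers" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
echo "home directories covered by %wheel:"
homedirs_for_entry '%wheel' "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

On the sample data the checker flags two entries, system_u and %adm, and the %wheel expansion yields alice (explicit member) and carol (primary group 10) with their home directories, one of which is outside /home; that is the case the post says genhomedircon now handles because default and system_u entries are no longer special-cased.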
There is also a pcre2 USE-flag for using libpcre2 instead of libpcre. The default is still pcre1 because pcre2 takes up more disk space in the file_contexts.bin files.
The full announcement email is here