RELEASE 20170804 (2.7)

* This is the first release with the split up policycoreutils (see
https://www.mail-archive.com/selinux@tycho.nsa.gov/msg02914.html and
the rest of that thread). Fedora already packages many of these
components separately, although not always with the same organization
and naming scheme.  Note that a number of these components are not
necessary for basic use of SELinux and likely should not be installed
by default, e.g. selinux-dbus, selinux-gui, mcstrans, restorecond,
selinux-sandbox.

* libsepol now has binary module support for ioctl xperms rules
(module version 18), making it possible to use allowxperm rules in
modularly built refpolicy-based policies. Previously, ioctl xperms
rules were only supported in monolithic policy and in CIL modules. 
This change means that refpolicy and/or policies derived from it can
begin to leverage ioctl whitelisting, which has already been leveraged
for some time in Android policies, which do not rely on binary modules.

* This release introduces support for Infiniband object labeling,
including support for kernel policy version 31 and module version 19,
policy.conf and CIL language support, and semanage support.  The
corresponding kernel support was introduced in Linux v4.13.

* This release introduces support for building policies with the
extended_socket_class, cgroup_seclabel, and nnp_nosuid_transition policy
capabilities enabled:

** The extended_socket_class policy capability allows distinctions to
be made in policy among socket address families that were previously
mapped to the generic socket class (e.g. bluetooth, nfc, and many
other socket address families that previously did not have their own
distinct security class) as well as for SCTP and ICMP/ping sockets
that were previously mapped to the rawip_socket class.  This policy
capability is supported by Linux v4.11 and later. Enabling this capability
in policy requires reviewing existing rules on socket and rawip_socket
classes to determine whether they should be duplicated for the new
classes.

** The cgroup_seclabel policy capability allows userspace to set
labels on cgroup/cgroup2 files, enabling fine-grained labeling of
cgroup files by userspace.  This policy capability is also supported
by Linux v4.11 and later. Note that enabling this capability will
break current Android userspace/policy and requires introducing
appropriate file_contexts definitions for cgroup files (or a change to
the Android init program's handling of them) in order to avoid
mislabeling them.

** The nnp_nosuid_transition policy capability enables SELinux domain
transitions to occur under no_new_privs (NNP) or on nosuid mounts if
the corresponding permission (nnp_transition for NNP,
nosuid_transition for nosuid; both in the newly defined process2
security class / access vector) is allowed between the old and new
contexts.  Linux kernel support for this policy capability is expected
to be included in Linux v4.14 and later.  This change was motivated by
the increasing use of NNP by systemd for confining system services and
the desire to be able to leverage NNP/nosuid-provided protections in
combination with SELinux rather than having to make undesirable
tradeoffs in security. With this policy capability enabled and the
corresponding permissions allowed where required, it should be
possible to use upstream systemd unit files without modification on
SELinux-enabled systems.  NB: Allowing nnp_transition between two
contexts opens up the potential for the old context to subvert the new
context by installing seccomp filters before the execve.  Allowing
nosuid_transition between two contexts opens up the potential for a
context transition to occur on a file from an untrusted filesystem
(e.g. removable media or remote filesystem).  Use with care.

* checkpolicy now supports generating CIL or policy.conf from a
kernel binary policy.  Sample usage is checkpolicy -M -C -b policy.N -o
policy.cil and checkpolicy -M -F -b policy.N -o policy.conf.  There is
also now a secil2conf program that can generate policy.conf from CIL,
e.g. secil2conf -o policy.conf policy.cil.

* Attribute generation and expansion has changed in several ways in
order to address kernel runtime performance issues that occur when
types have many attributes assigned to them while ensuring preservation
of attributes where desired.  Binary module to CIL conversion now
ensures that duplicate attributes are not generated for the same type
set. secilc now supports -G and -X options to force expansion of
automatically generated attributes (-G) and/or attributes that have
fewer than a specified number of types (-X number).  secilc will also
now more aggressively expand attributes based on whether they will
actually be used by the kernel, are needed for debugging denials by
audit2allow/why, or are needed for neverallow checking of binary
policies (in Android).  New statements are supported in policy.conf
(expandattribute) and in CIL (expandtypeattribute) to support
specifying in source policy that specific attributes should always be
expanded or never be expanded in order to override the default
behaviors in checkpolicy and secilc.

* checkpolicy/checkmodule now treats it as an error if a type is
declared as an attribute or vice versa in a require block.  Such
mismatches between declarations and require statements are an error in
policy and should be corrected in policy; refpolicy master and
the refpolicy 2.20170805 release should already be fixed.

* A change to libsepol-internal data structures breaks the build of
setools4.  This is fixed by setools4 commit
743d2a0eaaae7d99302dd3099549ca7ad868eab on the master branch, and
included in the setools 4.1.1 release.  The change was to align the
libsepol structures with the kernel in order to allow direct
comparison of libsepol-generated policy files against
/sys/fs/selinux/policy after normalizing them through checkpolicy.

* audit2why now understands type bounds failures and reports them as
such, although it does not yet provide detailed reporting.  Detailed
bounds violation reporting can be obtained already by enabling expand-
check=1 in semanage.conf or by running semodule_expand (without -a) at
policy validation time.

* libsemanage now saves the linked policy and skips re-linking
whenever possible.  This significantly improves the performance and
memory overhead of semanage commands that do not affect policy modules
(setting booleans and adding, deleting, or modifying local context
mappings). Previously, libsemanage only skipped re-linking when setting
booleans as a special case, but this was found to have a bug that could
yield duplicate object context entries (e.g. portcon) in policy.  That
optimization was therefore reverted and replaced with this one, which
both fixes the bug and generalizes the optimization beyond just setting
booleans.  The change does bring an associated storage cost, primarily
storing an extra copy of the kernel policy file (if a concern, this
could be made optional but it seems well worth it). The first semanage
or setsebool -P command run with the new libsemanage will not
demonstrate any improvement due to needing to generate the linked
policy for the first time, but subsequent commands will leverage the
saved linked policy.

* libsemanage no longer depends on ustr.

* libselinux/utils Makefile now uses SBINDIR instead of USRBINDIR.

* mcstrans/utils Makefile now uses SBINDIR instead of BINDIR.

* Some packages (libselinux, checkpolicy, selinux-python,
semodule-utils and mcstrans) require LIBSEPOLA to be set to the
absolute path to libsepol.a when building with DESTDIR set.

* policycoreutils make install no longer creates a symlink from
/usr/sbin/load_policy to /sbin/load_policy.