Patch to remove redundant mls_trusted_object() call from Dan Walsh.

[people/stevee/selinux-policy.git] / Changelog

- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
- Patch to allow apmd to telinit from Dan Walsh.
- Patch for additional labeling of samba files from Stefan Schulze
  Frielinghaus.
- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
- Fix ptys and ttys to be device nodes.
- Fix explicit use of httpd_t in openca_domtrans().
- Clean up file context regexes in apache and java, from Eamon Walsh.
- Patches from Dan Walsh:
	Thu, 25 Jan 2007

* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
- Add policy patterns support macros.  This changes the behavior of
  the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
  is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
  target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for
  local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
  on clients.
- Patch from Matt Anderson for a MLS constraint exemption on a
  file that can be written to from a subject whose range is
  within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:
	Tue, 24 Oct 2006
	Wed, 29 Nov 2006
- Added modules:
	aide (Matt Anderson)
	ccs (Dan Walsh)
	iscsi (Dan Walsh)
	ricci (Dan Walsh)

* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
- MRTG patch for daemon operation from Stefan.
- Add authlogin interface to abstract common access for login programs.
- Remove setbool auditallow, except for RHEL4.
- Change eventpollfs to task SID labeling.
- Add key support from Michael LeMay.
- Add ftpdctl domain to ftp, from Paul Howarth.
- Fix build system to not move type declarations out of optionals.
- Add gcc-config domain to portage.
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
  policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.
- Add Make target to validate module linking.
- Make duplicate template and interface declarations a fatal error.
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
- Move xconsole_device_t from devices to xserver since it is
  not actually a device, it is a named pipe.
- Handle nonexistant .fc and .if files in devel Makefile by
  automatically creating empty files.
- Remove unused devfs_control_t.
- Add rhel4 distro, which also implies redhat distro.
- Remove unneeded range_transition for su_exec_t and move the
  type declaration back to the su module.
- Constrain transitions in MCS so unconfined_t cannot have
  arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
  are currently nonfunctional.
- Change files and filesystem modules to use their own interfaces.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
  from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
  now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
  This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
  compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
  to the TE file, to use the domain attribute to take advantage
  of space savings from attribute use.
- Add global stack smashing protector rule for urandom access from
  Petre Rodan.
- Fix temporary rules at the bottom of portmap.
- Updated comments in mls file from Chad Hanson.
- Patches from Dan Walsh:
	Fri, 17 Mar 2006
	Wed, 29 Mar 2006
	Tue, 11 Apr 2006
	Fri, 14 Apr 2006
	Tue, 18 Apr 2006
	Thu, 20 Apr 2006
	Tue, 02 May 2006
	Mon, 15 May 2006
	Thu, 18 May 2006
	Tue, 06 Jun 2006
	Mon, 12 Jun 2006
	Tue, 20 Jun 2006
	Wed, 26 Jul 2006
	Wed, 23 Aug 2006
	Thu, 31 Aug 2006
	Fri, 01 Sep 2006
	Tue, 05 Sep 2006
	Wed, 20 Sep 2006
	Fri, 22 Sep 2006
	Mon, 25 Sep 2006
- Added modules:
	afs
	amavis (Erich Schubert)
	apt (Erich Schubert)
	asterisk
	audioentropy
	authbind
	backup
	calamaris
	cipe
	clamav (Erich Schubert)
	clockspeed (Petre Rodan)
	courier
	dante
	dcc
	ddclient
	dpkg (Erich Schubert)
	dnsmasq
	ethereal
	evolution
	games
	gatekeeper
	gift
	gnome (James Carter)
	imaze
	ircd
	jabber
	monop
	mozilla
	mplayer
	munin
	nagios
	nessus
	netlabel (Paul Moore)
	nsd
	ntop
	nx
	oav
	oddjob (Dan Walsh)
	openca
	openvpn (Petre Rodan)
	perdition
	portslave
	postgrey
	pxe
	pyzor (Dan Walsh)
	qmail (Petre Rodan)
	razor
	resmgr
	rhgb
	rssh
	snort
	soundserver
	speedtouch
	sxid
	thunderbird
	tor (Erich Schubert)
	transproxy
	tripwire
	uptime
	uwimap
	vmware
	watchdog
	xen (Dan Walsh)
	xprint
	yam

* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
- Move boot_t, system_map_t, and modules_object_t to files module,
  and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
  sources need not be executable.
- Add desc tag XML to booleans and tunables, and add summary
  to param XML tag, to make future translations possible.
- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
  interface XML tag.
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
  user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain
  module and add infrastructure to expand templates in the modules
  that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
  removed from these programs.
- Add ctags Make target from Thomas Bleher.
- Collapse commands with grep piped to sed into one sed command.
- Fix type_change bug in term_user_pty().
- Move ice_tmp_t from miscfiles to xserver.
- Login fixes from Serge Hallyn.
- Move xserver_log_t from xdm to xserver.
- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,
  for greater clarity.
- Added modules:
	certwatch
	mono (Dan Walsh)
	mrtg
	portage
	tvtime
	userhelper
	usernetctl
	wine (Dan Walsh)
	xserver

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
- Adds support for generating corenetwork interfaces based on attributes 
  in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
  given the same type.
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to
  filetrans to differentiate it from create interfaces without
  type transitions.
- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
  added rules to allow this.
- Add polyinstantiation build option.
- Add setcontext to the association object class.
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Numerous miscellaneous fixes from Dan Walsh.
- Added modules:
	alsa
	automount
	cdrecord
	daemontools (Petre Rodan)
	ddcprobe
	djbdns (Petre Rodan)
	fetchmail
	irc
	java
	lockdev
	logwatch (Dan Walsh)
	openct
	prelink (Dan Walsh)
	publicfile (Petre Rodan)
	readahead
	roundup
	screen
	slocate (Dan Walsh)
	slrnpull
	smartmon
	sysstat
	ucspitcp (Petre Rodan)
	usbmodules
	vbetool (Dan Walsh)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
  networking permissions.
- Merge systemuser back in to users, as these files
  do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
  layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
  rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
  than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
  to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
  build phase instead of during the generation phase.  
- Added policies:
	amanda
	avahi
	canna
	cyrus
	dbskk
	dovecot
	distcc
	i18n_input
	irqbalance
	lpd
	networkmanager
	pegasus
	postfix
	procmail
	radius
	rdisc
	rpc
	spamassassin
	timidity
	xdm
	xfs

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
- Many fixes to make loadable modules build.
- Add targets for sechecker.
- Updated to sedoctool to read bool files and tunable
  files separately.
- Changed the xml tag of <boolean> to <bool> to be consistent
  with gen_bool().
- Modified the implementation of segenxml to use regular
  expressions.
- Rename context_template() to gen_context() to clarify
  that its not a Reference Policy template, but a support
  macro.
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
  such as reading up and writing down.
- Fix errors uncovered by sediff.
- Added policies:
	anaconda
	apache
	apm
	arpwatch
	bluetooth
	dmidecode
	finger
	ftp
	kudzu
	mailman
	ppp
	radvd
	sasl
	webalizer

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
  unconfined in the targeted policy so no special
  modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
  can_portmap() to sysnetwork.
- Fix base module compile issues.
- Added policies:
	cpucontrol
	cvs
	ktalk
	portmap
	postgresql
	rlogin
	samba
	snmp
	stunnel
	telnet
	tftp
	uucp
	vpn
	zebra

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
- Fix errors uncovered by sediff.
- Doc tool will explicitly say a module does not have interfaces
  or templates on the module page.
- Added policies:
	comsat
	dbus
	dhcp
	dictd
	hal
	inn
	ntp
	squid

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.
- Add genclassperms.py tool to add require blocks
  for loadable modules.
- Change sedoctool to make required modules part of base
  by default, otherwise make as modules, in modules.conf.
- Fix segenxml to handle modules with no interfaces.
- Rename ipsec connect interface for consistency.
- Add missing parts of unix stream socket connect interface
  of ipsec.
- Rename inetd connect interface for consistency.
- Rename interface for purging contents of tmp, for clarity,
  since it allows deletion of classes other than file.
- Misc. cleanups.
- Added policies:
	acct
	bind
	firstboot
	gpm
	howl
	ldap
	loadkeys
	mysql
	privoxy
	quota
	rshd
	rsync
	su
	sudo
	tcpd
	tmpreaper
	updfstab

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
- Fix comparison bug in fc_sort.
- Fix handling of ordered and unordered HTML lists.
- Corenetwork now supports multiple network interfaces having the
  same type.
- Doc tool now creates pages for global Booleans and global tunables.
- Doc tool now links directly to the interface/template in the
  module page when it is selected in the interface/template index.
- Added support for layer summaries.
- Added policies:
	ipsec
	nscd
	pcmcia
	raid

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
- Changed xml to have modules encapsulated by layer tags, rather
  than putting layer="foo" in the module tags.  Also in the future
  we can put a summary and description for each layer.
- Added tool to infer interface, module, and layer tags.  This will
  now list all interfaces, even if they are missing xml docs.
- Shortened xml tag names.
- Added macros to declare interfaces and templates.
- Added interface call trace.
- Updated all xml documentation for shorter and inferred tags.
- Doc tool now displays templates in the web pages.
- Doc tool retains the user's settings in modules.conf and
  tunables.conf if the files already exist.
- Modules.conf behavior has been changed to be a list of all
  available modules, and the user can specify if the module is
  built as a loadable module, included in the monolithic policy,
  or excluded.
- Added policies:
	fstools (fsck, mkfs, swapon, etc. tools)
	logrotate
	inetd
	kerberos
	nis (ypbind and ypserv)
	ssh (server, client, and agent)
	unconfined
- Added infrastructure for targeted policy support, only missing
	transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
	- Initial release