1 - Fix explicit use of httpd_t in openca_domtrans().
2 - Clean up file context regexes in apache and java, from Eamon Walsh.
4 * Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
5 - Add policy patterns support macros. This changes the behavior of
6 the create_dir_perms and create_file_perms permission sets.
7 - Association polmatch MLS constraint making unlabeled_t an exception
8 is no longer needed, patch from Venkat Yekkirala.
9 - Context contains checking for PAM and cron from James Antill.
10 - Add a reload target to Modules.devel and change the load
11 target to only insert modules that were changed.
12 - Allow semanage to read from /root on strict non-MLS for
14 - Gentoo init script fixes for udev.
15 - Allow udev to read kernel modules.inputmap.
16 - Dnsmasq fixes from testing.
17 - Allow kernel NFS server to getattr filesystems so df can work
19 - Patch from Matt Anderson for a MLS constraint exemption on a
20 file that can be written to from a subject whose range is
21 within the object's range.
22 - Enhanced setransd support from Darrel Goeddel.
23 - Patches from Dan Walsh:
32 * Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
33 - Patch from Russell Coker Thu, 5 Oct 2006
34 - Move range transitions to modules.
35 - Make number of MLS sensitivities, and number of MLS and MCS
36 categories configurable as build options.
37 - Add role infrastructure.
38 - Debian updates from Erich Schubert.
39 - Add nscd_socket_use() to auth_use_nsswitch().
40 - Remove old selopt rules.
41 - Full support for netfilter_contexts.
42 - MRTG patch for daemon operation from Stefan.
43 - Add authlogin interface to abstract common access for login programs.
44 - Remove setbool auditallow, except for RHEL4.
45 - Change eventpollfs to task SID labeling.
46 - Add key support from Michael LeMay.
47 - Add ftpdctl domain to ftp, from Paul Howarth.
48 - Fix build system to not move type declarations out of optionals.
49 - Add gcc-config domain to portage.
50 - Add packet object class and support in corenetwork.
51 - Add a copy of genhomedircon for monolithic policy building, so that a
52 policycoreutils package update is not required for RHEL4 systems.
53 - Add appletalk sockets for use in cups.
54 - Add Make target to validate module linking.
55 - Make duplicate template and interface declarations a fatal error.
56 - Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
57 - Move xconsole_device_t from devices to xserver since it is
58 not actually a device, it is a named pipe.
59 - Handle nonexistant .fc and .if files in devel Makefile by
60 automatically creating empty files.
61 - Remove unused devfs_control_t.
62 - Add rhel4 distro, which also implies redhat distro.
63 - Remove unneeded range_transition for su_exec_t and move the
64 type declaration back to the su module.
65 - Constrain transitions in MCS so unconfined_t cannot have
66 arbitrary category sets.
67 - Change reiserfs from xattr filesystem to genfscon as it's xattrs
68 are currently nonfunctional.
69 - Change files and filesystem modules to use their own interfaces.
70 - Add user fonts to xserver.
71 - Additional interfaces in corecommands, miscfiles, and userdomain
73 - Miscellaneous fixes from Thomas Bleher.
74 - Deprecate module name as first parameter of optional_policy()
75 now that optionals are allowed everywhere.
76 - Enable optional blocks in base module and monolithic policy.
77 This requires checkpolicy 1.30.1.
78 - Fix vpn module declaration.
79 - Numerous fixes from Dan Walsh.
80 - Change build order to preserve m4 line number information so policy
81 compile errors are useful again.
82 - Additional MLS interfaces from Chad Hanson.
83 - Move some rules out of domain_type() and domain_base_type()
84 to the TE file, to use the domain attribute to take advantage
85 of space savings from attribute use.
86 - Add global stack smashing protector rule for urandom access from
88 - Fix temporary rules at the bottom of portmap.
89 - Updated comments in mls file from Chad Hanson.
90 - Patches from Dan Walsh:
113 amavis (Erich Schubert)
121 clamav (Erich Schubert)
122 clockspeed (Petre Rodan)
127 dpkg (Erich Schubert)
144 netlabel (Paul Moore)
151 openvpn (Petre Rodan)
178 * Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
179 - Make all interface parameters required.
180 - Move boot_t, system_map_t, and modules_object_t to files module,
181 and move bootloader to admin layer.
182 - Add semanage policy for semodule from Dan Walsh.
183 - Remove allow_execmem from targeted policy domain_base_type().
184 - Add users_extra and seusers support.
185 - Postfix fixes from Serge Hallyn.
186 - Run python and shell directly to interpret scripts so policy
187 sources need not be executable.
188 - Add desc tag XML to booleans and tunables, and add summary
189 to param XML tag, to make future translations possible.
190 - Remove unused lvm_vg_t.
191 - Many interface renames to improve naming consistency.
192 - Merge xdm into xserver.
193 - Remove kernel module reversed interfaces.
194 - Add filename attribute to module XML tag and lineno attribute to
196 - Changed QUIET build option to a yes or no option.
197 - Add a Makefile used for compiling loadable modules in a
198 user's development environment, building against policy headers.
199 - Add Make target for installing policy headers.
200 - Separate per-userdomain template expansion from the userdomain
201 module and add infrastructure to expand templates in the modules
202 that own the template.
203 - Enable secadm only for MLS policies.
204 - Remove role change rules in su and sudo since this functionality has been
205 removed from these programs.
206 - Add ctags Make target from Thomas Bleher.
207 - Collapse commands with grep piped to sed into one sed command.
208 - Fix type_change bug in term_user_pty().
209 - Move ice_tmp_t from miscfiles to xserver.
210 - Login fixes from Serge Hallyn.
211 - Move xserver_log_t from xdm to xserver.
212 - Add lpr per-userdomain policy to lpd.
213 - Miscellaneous fixes from Dan Walsh.
214 - Change initrc_var_run_t interface noun from script_pid to utmp,
227 * Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
228 - Adds support for generating corenetwork interfaces based on attributes
229 in addition to types.
230 - Permits the listing of multiple nodes in a network_node() that will be
232 - Add two new permission sets for stream sockets.
233 - Rename file type transition interfaces verb from create to
234 filetrans to differentiate it from create interfaces without
236 - Fix expansion of interfaces from disabled modules.
237 - Rsync can be long running from init,
238 added rules to allow this.
239 - Add polyinstantiation build option.
240 - Add setcontext to the association object class.
241 - Add apache relay and db connect tunables.
242 - Rename texrel_shlib_t to textrel_shlib_t.
243 - Add swat to samba module.
244 - Numerous miscellaneous fixes from Dan Walsh.
249 daemontools (Petre Rodan)
259 publicfile (Petre Rodan)
267 ucspitcp (Petre Rodan)
271 * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
272 - Add unlabeled IPSEC association rule to domains with
273 networking permissions.
274 - Merge systemuser back in to users, as these files
275 do not need to be split.
276 - Add check for duplicate interface/template definitions.
277 - Move domain, files, and corecommands modules to kernel
278 layer to resolve some layering inconsistencies.
279 - Move policy build options out of Makefile into build.conf.
280 - Add yppasswd to nis module.
281 - Change optional_policy() to refer to the module name
282 rather than modulename.te.
283 - Fix labeling targets to use installed file_contexts rather
284 than partial file_contexts in the policy source directory.
285 - Fix build process to use make's internal vpath functions
286 to detect modules rather than using subshells and find.
287 - Add install target for modular policy.
288 - Add load target for modular policy.
289 - Add appconfig dependency to the load target.
290 - Miscellaneous fixes from Dan Walsh.
291 - Fix corenetwork gen_context()'s to expand during the policy
292 build phase instead of during the generation phase.
316 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
317 - Many fixes to make loadable modules build.
318 - Add targets for sechecker.
319 - Updated to sedoctool to read bool files and tunable
321 - Changed the xml tag of <boolean> to <bool> to be consistent
323 - Modified the implementation of segenxml to use regular
325 - Rename context_template() to gen_context() to clarify
326 that its not a Reference Policy template, but a support
328 - Add disable_*_trans bool support for targeted policy.
329 - Add MLS module to handle MLS constraint exceptions,
330 such as reading up and writing down.
331 - Fix errors uncovered by sediff.
348 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
349 - Make logrotate, sendmail, sshd, and rpm policies
350 unconfined in the targeted policy so no special
351 modules.conf is required.
352 - Add experimental MCS support.
353 - Add appconfig for MLS.
354 - Add equivalents for old can_resolve(), can_ldap(), and
355 can_portmap() to sysnetwork.
356 - Fix base module compile issues.
373 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
374 - Fix errors uncovered by sediff.
375 - Doc tool will explicitly say a module does not have interfaces
376 or templates on the module page.
387 * Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
388 - Add Makefile support for building loadable modules.
389 - Add genclassperms.py tool to add require blocks
390 for loadable modules.
391 - Change sedoctool to make required modules part of base
392 by default, otherwise make as modules, in modules.conf.
393 - Fix segenxml to handle modules with no interfaces.
394 - Rename ipsec connect interface for consistency.
395 - Add missing parts of unix stream socket connect interface
397 - Rename inetd connect interface for consistency.
398 - Rename interface for purging contents of tmp, for clarity,
399 since it allows deletion of classes other than file.
420 * Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
421 - Fix comparison bug in fc_sort.
422 - Fix handling of ordered and unordered HTML lists.
423 - Corenetwork now supports multiple network interfaces having the
425 - Doc tool now creates pages for global Booleans and global tunables.
426 - Doc tool now links directly to the interface/template in the
427 module page when it is selected in the interface/template index.
428 - Added support for layer summaries.
435 * Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
436 - Changed xml to have modules encapsulated by layer tags, rather
437 than putting layer="foo" in the module tags. Also in the future
438 we can put a summary and description for each layer.
439 - Added tool to infer interface, module, and layer tags. This will
440 now list all interfaces, even if they are missing xml docs.
441 - Shortened xml tag names.
442 - Added macros to declare interfaces and templates.
443 - Added interface call trace.
444 - Updated all xml documentation for shorter and inferred tags.
445 - Doc tool now displays templates in the web pages.
446 - Doc tool retains the user's settings in modules.conf and
447 tunables.conf if the files already exist.
448 - Modules.conf behavior has been changed to be a list of all
449 available modules, and the user can specify if the module is
450 built as a loadable module, included in the monolithic policy,
453 fstools (fsck, mkfs, swapon, etc. tools)
457 nis (ypbind and ypserv)
458 ssh (server, client, and agent)
460 - Added infrastructure for targeted policy support, only missing
461 transition boolean support.
463 * Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615