1 - Add role infrastructure.
2 - Debian updates from Erich Schubert.
3 - Add nscd_socket_use() to auth_use_nsswitch().
4 - Remove old selopt rules.
5 - Full support for netfilter_contexts.
6 - MRTG patch for daemon operation from Stefan.
7 - Add authlogin interface to abstract common access for login programs.
8 - Remove setbool auditallow, except for RHEL4.
9 - Change eventpollfs to task SID labeling.
10 - Add key support from Michael LeMay.
11 - Add ftpdctl domain to ftp, from Paul Howarth.
12 - Fix build system to not move type declarations out of optionals.
13 - Add gcc-config domain to portage.
14 - Add packet object class and support in corenetwork.
15 - Add a copy of genhomedircon for monolithic policy building, so that a
16 policycoreutils package update is not required for RHEL4 systems.
17 - Add appletalk sockets for use in cups.
18 - Add Make target to validate module linking.
19 - Make duplicate template and interface declarations a fatal error.
20 - Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
21 - Move xconsole_device_t from devices to xserver since it is
22 not actually a device, it is a named pipe.
23 - Handle nonexistant .fc and .if files in devel Makefile by
24 automatically creating empty files.
25 - Remove unused devfs_control_t.
26 - Add rhel4 distro, which also implies redhat distro.
27 - Remove unneeded range_transition for su_exec_t and move the
28 type declaration back to the su module.
29 - Constrain transitions in MCS so unconfined_t cannot have
30 arbitrary category sets.
31 - Change reiserfs from xattr filesystem to genfscon as it's xattrs
32 are currently nonfunctional.
33 - Change files and filesystem modules to use their own interfaces.
34 - Add user fonts to xserver.
35 - Additional interfaces in corecommands, miscfiles, and userdomain
37 - Miscellaneous fixes from Thomas Bleher.
38 - Deprecate module name as first parameter of optional_policy()
39 now that optionals are allowed everywhere.
40 - Enable optional blocks in base module and monolithic policy.
41 This requires checkpolicy 1.30.1.
42 - Fix vpn module declaration.
43 - Numerous fixes from Dan Walsh.
44 - Change build order to preserve m4 line number information so policy
45 compile errors are useful again.
46 - Additional MLS interfaces from Chad Hanson.
47 - Move some rules out of domain_type() and domain_base_type()
48 to the TE file, to use the domain attribute to take advantage
49 of space savings from attribute use.
50 - Add global stack smashing protector rule for urandom access from
52 - Fix temporary rules at the bottom of portmap.
53 - Updated comments in mls file from Chad Hanson.
54 - Patches from Dan Walsh:
75 amavis (Erich Schubert)
83 clamav (Erich Schubert)
84 clockspeed (Petre Rodan)
110 openvpn (Petre Rodan)
137 * Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
138 - Make all interface parameters required.
139 - Move boot_t, system_map_t, and modules_object_t to files module,
140 and move bootloader to admin layer.
141 - Add semanage policy for semodule from Dan Walsh.
142 - Remove allow_execmem from targeted policy domain_base_type().
143 - Add users_extra and seusers support.
144 - Postfix fixes from Serge Hallyn.
145 - Run python and shell directly to interpret scripts so policy
146 sources need not be executable.
147 - Add desc tag XML to booleans and tunables, and add summary
148 to param XML tag, to make future translations possible.
149 - Remove unused lvm_vg_t.
150 - Many interface renames to improve naming consistency.
151 - Merge xdm into xserver.
152 - Remove kernel module reversed interfaces.
153 - Add filename attribute to module XML tag and lineno attribute to
155 - Changed QUIET build option to a yes or no option.
156 - Add a Makefile used for compiling loadable modules in a
157 user's development environment, building against policy headers.
158 - Add Make target for installing policy headers.
159 - Separate per-userdomain template expansion from the userdomain
160 module and add infrastructure to expand templates in the modules
161 that own the template.
162 - Enable secadm only for MLS policies.
163 - Remove role change rules in su and sudo since this functionality has been
164 removed from these programs.
165 - Add ctags Make target from Thomas Bleher.
166 - Collapse commands with grep piped to sed into one sed command.
167 - Fix type_change bug in term_user_pty().
168 - Move ice_tmp_t from miscfiles to xserver.
169 - Login fixes from Serge Hallyn.
170 - Move xserver_log_t from xdm to xserver.
171 - Add lpr per-userdomain policy to lpd.
172 - Miscellaneous fixes from Dan Walsh.
173 - Change initrc_var_run_t interface noun from script_pid to utmp,
186 * Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
187 - Adds support for generating corenetwork interfaces based on attributes
188 in addition to types.
189 - Permits the listing of multiple nodes in a network_node() that will be
191 - Add two new permission sets for stream sockets.
192 - Rename file type transition interfaces verb from create to
193 filetrans to differentiate it from create interfaces without
195 - Fix expansion of interfaces from disabled modules.
196 - Rsync can be long running from init,
197 added rules to allow this.
198 - Add polyinstantiation build option.
199 - Add setcontext to the association object class.
200 - Add apache relay and db connect tunables.
201 - Rename texrel_shlib_t to textrel_shlib_t.
202 - Add swat to samba module.
203 - Numerous miscellaneous fixes from Dan Walsh.
208 daemontools (Petre Rodan)
218 publicfile (Petre Rodan)
226 ucspitcp (Petre Rodan)
230 * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
231 - Add unlabeled IPSEC association rule to domains with
232 networking permissions.
233 - Merge systemuser back in to users, as these files
234 do not need to be split.
235 - Add check for duplicate interface/template definitions.
236 - Move domain, files, and corecommands modules to kernel
237 layer to resolve some layering inconsistencies.
238 - Move policy build options out of Makefile into build.conf.
239 - Add yppasswd to nis module.
240 - Change optional_policy() to refer to the module name
241 rather than modulename.te.
242 - Fix labeling targets to use installed file_contexts rather
243 than partial file_contexts in the policy source directory.
244 - Fix build process to use make's internal vpath functions
245 to detect modules rather than using subshells and find.
246 - Add install target for modular policy.
247 - Add load target for modular policy.
248 - Add appconfig dependency to the load target.
249 - Miscellaneous fixes from Dan Walsh.
250 - Fix corenetwork gen_context()'s to expand during the policy
251 build phase instead of during the generation phase.
275 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
276 - Many fixes to make loadable modules build.
277 - Add targets for sechecker.
278 - Updated to sedoctool to read bool files and tunable
280 - Changed the xml tag of <boolean> to <bool> to be consistent
282 - Modified the implementation of segenxml to use regular
284 - Rename context_template() to gen_context() to clarify
285 that its not a Reference Policy template, but a support
287 - Add disable_*_trans bool support for targeted policy.
288 - Add MLS module to handle MLS constraint exceptions,
289 such as reading up and writing down.
290 - Fix errors uncovered by sediff.
307 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
308 - Make logrotate, sendmail, sshd, and rpm policies
309 unconfined in the targeted policy so no special
310 modules.conf is required.
311 - Add experimental MCS support.
312 - Add appconfig for MLS.
313 - Add equivalents for old can_resolve(), can_ldap(), and
314 can_portmap() to sysnetwork.
315 - Fix base module compile issues.
332 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
333 - Fix errors uncovered by sediff.
334 - Doc tool will explicitly say a module does not have interfaces
335 or templates on the module page.
346 * Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
347 - Add Makefile support for building loadable modules.
348 - Add genclassperms.py tool to add require blocks
349 for loadable modules.
350 - Change sedoctool to make required modules part of base
351 by default, otherwise make as modules, in modules.conf.
352 - Fix segenxml to handle modules with no interfaces.
353 - Rename ipsec connect interface for consistency.
354 - Add missing parts of unix stream socket connect interface
356 - Rename inetd connect interface for consistency.
357 - Rename interface for purging contents of tmp, for clarity,
358 since it allows deletion of classes other than file.
379 * Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
380 - Fix comparison bug in fc_sort.
381 - Fix handling of ordered and unordered HTML lists.
382 - Corenetwork now supports multiple network interfaces having the
384 - Doc tool now creates pages for global Booleans and global tunables.
385 - Doc tool now links directly to the interface/template in the
386 module page when it is selected in the interface/template index.
387 - Added support for layer summaries.
394 * Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
395 - Changed xml to have modules encapsulated by layer tags, rather
396 than putting layer="foo" in the module tags. Also in the future
397 we can put a summary and description for each layer.
398 - Added tool to infer interface, module, and layer tags. This will
399 now list all interfaces, even if they are missing xml docs.
400 - Shortened xml tag names.
401 - Added macros to declare interfaces and templates.
402 - Added interface call trace.
403 - Updated all xml documentation for shorter and inferred tags.
404 - Doc tool now displays templates in the web pages.
405 - Doc tool retains the user's settings in modules.conf and
406 tunables.conf if the files already exist.
407 - Modules.conf behavior has been changed to be a list of all
408 available modules, and the user can specify if the module is
409 built as a loadable module, included in the monolithic policy,
412 fstools (fsck, mkfs, swapon, etc. tools)
416 nis (ypbind and ypserv)
417 ssh (server, client, and agent)
419 - Added infrastructure for targeted policy support, only missing
420 transition boolean support.
422 * Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615