- Two patches from Paul Moore for ipsec to remove redundant rules and
  have setkey read the config file.
- Move booleans and tunables to modules when it is only used in a single
- Add support for tunables and booleans local to a module.
- Merge sbin_t and ls_exec_t into bin_t.
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers.
- Marked the pax class as deprecated, changed it to userland so
  it will be removed from the kernel.
- Stop including netfilter contexts by default.
- Add dontaudits for init fds and console to init_daemon_domain().
- Patch to allow gpg to create user keys dir.
- Patch to support kvmfs from Dan Walsh.
- Patch for misc fixes in sudo from Dan Walsh.
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
- Patch for handling restart of nscd when run from useradd, groupadd, and
  admin passwd, from Dan Walsh.
- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
- Patch for setroubleshoot for validating file contexts from Dan Walsh.
- Patch for gssd fixes from Dan Walsh.
- Patch for lvm fixes from Dan Walsh.
- Patch for ricci fixes from Dan Walsh.
- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
- Patch for kerberized telnet fixes from Dan Walsh.
- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
- Patch for an additional wine executable from Dan Walsh.
- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
  corecommands, devices, and java from Dan Walsh.
- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
- Patch for misc fixes to bluetooth from Dan Walsh.
- Patch for misc fixes to kerberos from Dan Walsh.
- Patch to start deprecating usercanread attribute from Ryan Bradetich.
- Add dccp_socket object class which was added in kernel 2.6.20.
- Patch for prelink relabelfrom its temp files from Dan Walsh.
- Patch for capability fix for auditd and networking fix for syslogd from
- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
- Patch to allow apmd to telinit from Dan Walsh.
- Patch for additional labeling of samba files from Stefan Schulze
- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
- Fix ptys and ttys to be device nodes.
- Fix explicit use of httpd_t in openca_domtrans().
- Clean up file context regexes in apache and java, from Eamon Walsh.
- Patches from Dan Walsh:
    consolekit (Dan Walsh)

* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
- Add policy patterns support macros. This changes the behavior of
  the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
  is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
  target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
- Patch from Matt Anderson for a MLS constraint exemption on a
  file that can be written to from a subject whose range is
  within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:

* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
- MRTG patch for daemon operation from Stefan.
- Add authlogin interface to abstract common access for login programs.
- Remove setbool auditallow, except for RHEL4.
- Change eventpollfs to task SID labeling.
- Add key support from Michael LeMay.
- Add ftpdctl domain to ftp, from Paul Howarth.
- Fix build system to not move type declarations out of optionals.
- Add gcc-config domain to portage.
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
  policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.
- Add Make target to validate module linking.
- Make duplicate template and interface declarations a fatal error.
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
- Move xconsole_device_t from devices to xserver since it is
  not actually a device, it is a named pipe.
- Handle nonexistent .fc and .if files in devel Makefile by
  automatically creating empty files.
- Remove unused devfs_control_t.
- Add rhel4 distro, which also implies redhat distro.
- Remove unneeded range_transition for su_exec_t and move the
  type declaration back to the su module.
- Constrain transitions in MCS so unconfined_t cannot have
  arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as its xattrs
  are currently nonfunctional.
- Change files and filesystem modules to use their own interfaces.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
  now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
  This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
  compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
  to the TE file, to use the domain attribute to take advantage
  of space savings from attribute use.
- Add global stack smashing protector rule for urandom access from
- Fix temporary rules at the bottom of portmap.
- Updated comments in mls file from Chad Hanson.
- Patches from Dan Walsh:
    amavis (Erich Schubert)
    clamav (Erich Schubert)
    clockspeed (Petre Rodan)
    dpkg (Erich Schubert)
    netlabel (Paul Moore)
    openvpn (Petre Rodan)

* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
- Move boot_t, system_map_t, and modules_object_t to files module,
  and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
  sources need not be executable.
- Add desc tag XML to booleans and tunables, and add summary
  to param XML tag, to make future translations possible.
- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
  user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain
  module and add infrastructure to expand templates in the modules
  that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
  removed from these programs.
- Add ctags Make target from Thomas Bleher.
- Collapse commands with grep piped to sed into one sed command.
- Fix type_change bug in term_user_pty().
- Move ice_tmp_t from miscfiles to xserver.
- Login fixes from Serge Hallyn.
- Move xserver_log_t from xdm to xserver.
- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
- Adds support for generating corenetwork interfaces based on attributes
  in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to
  filetrans to differentiate it from create interfaces without
- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
  added rules to allow this.
- Add polyinstantiation build option.
- Add setcontext to the association object class.
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Numerous miscellaneous fixes from Dan Walsh.
    daemontools (Petre Rodan)
    publicfile (Petre Rodan)
    ucspitcp (Petre Rodan)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
  networking permissions.
- Merge systemuser back in to users, as these files
  do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
  layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
  rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
  than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
  to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
  build phase instead of during the generation phase.

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
- Many fixes to make loadable modules build.
- Add targets for sechecker.
- Updated sedoctool to read bool files and tunable
- Changed the xml tag of <boolean> to <bool> to be consistent
- Modified the implementation of segenxml to use regular
- Rename context_template() to gen_context() to clarify
  that it's not a Reference Policy template, but a support
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
  such as reading up and writing down.
- Fix errors uncovered by sediff.

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
  unconfined in the targeted policy so no special
  modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
  can_portmap() to sysnetwork.
- Fix base module compile issues.

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
- Fix errors uncovered by sediff.
- Doc tool will explicitly say a module does not have interfaces
  or templates on the module page.

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.
- Add genclassperms.py tool to add require blocks
  for loadable modules.
- Change sedoctool to make required modules part of base
  by default, otherwise make as modules, in modules.conf.
- Fix segenxml to handle modules with no interfaces.
- Rename ipsec connect interface for consistency.
- Add missing parts of unix stream socket connect interface
- Rename inetd connect interface for consistency.
- Rename interface for purging contents of tmp, for clarity,
  since it allows deletion of classes other than file.

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
- Fix comparison bug in fc_sort.
- Fix handling of ordered and unordered HTML lists.
- Corenetwork now supports multiple network interfaces having the
- Doc tool now creates pages for global Booleans and global tunables.
- Doc tool now links directly to the interface/template in the
  module page when it is selected in the interface/template index.
- Added support for layer summaries.

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
- Changed xml to have modules encapsulated by layer tags, rather
  than putting layer="foo" in the module tags. Also in the future
  we can put a summary and description for each layer.
- Added tool to infer interface, module, and layer tags. This will
  now list all interfaces, even if they are missing xml docs.
- Shortened xml tag names.
- Added macros to declare interfaces and templates.
- Added interface call trace.
- Updated all xml documentation for shorter and inferred tags.
- Doc tool now displays templates in the web pages.
- Doc tool retains the user's settings in modules.conf and
  tunables.conf if the files already exist.
- Modules.conf behavior has been changed to be a list of all
  available modules, and the user can specify if the module is
  built as a loadable module, included in the monolithic policy,
    fstools (fsck, mkfs, swapon, etc. tools)
    nis (ypbind and ypserv)
    ssh (server, client, and agent)
- Added infrastructure for targeted policy support, only missing
  transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615