- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
- Fix ptys and ttys to be device nodes.
- Fix explicit use of httpd_t in openca_domtrans().
- Clean up file context regexes in apache and java, from Eamon Walsh.
- Patches from Dan Walsh:

* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
- Add policy patterns support macros. This changes the behavior of
  the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
  is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
  target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
- Patch from Matt Anderson for a MLS constraint exemption on a
  file that can be written to from a subject whose range is
  within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:

* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
- MRTG patch for daemon operation from Stefan.
- Add authlogin interface to abstract common access for login programs.
- Remove setbool auditallow, except for RHEL4.
- Change eventpollfs to task SID labeling.
- Add key support from Michael LeMay.
- Add ftpdctl domain to ftp, from Paul Howarth.
- Fix build system to not move type declarations out of optionals.
- Add gcc-config domain to portage.
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
  policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.
- Add Make target to validate module linking.
- Make duplicate template and interface declarations a fatal error.
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
- Move xconsole_device_t from devices to xserver since it is
  not actually a device, it is a named pipe.
- Handle nonexistent .fc and .if files in devel Makefile by
  automatically creating empty files.
- Remove unused devfs_control_t.
- Add rhel4 distro, which also implies redhat distro.
- Remove unneeded range_transition for su_exec_t and move the
  type declaration back to the su module.
- Constrain transitions in MCS so unconfined_t cannot have
  arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as its xattrs
  are currently nonfunctional.
- Change files and filesystem modules to use their own interfaces.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
  now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
  This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
  compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
  to the TE file, to use the domain attribute to take advantage
  of space savings from attribute use.
- Add global stack smashing protector rule for urandom access from
- Fix temporary rules at the bottom of portmap.
- Updated comments in mls file from Chad Hanson.
- Patches from Dan Walsh:
  amavis (Erich Schubert)
  clamav (Erich Schubert)
  clockspeed (Petre Rodan)
  dpkg (Erich Schubert)
  netlabel (Paul Moore)
  openvpn (Petre Rodan)

* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
- Move boot_t, system_map_t, and modules_object_t to files module,
  and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
  sources need not be executable.
- Add desc tag XML to booleans and tunables, and add summary
  to param XML tag, to make future translations possible.
- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
  user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain
  module and add infrastructure to expand templates in the modules
  that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
  removed from these programs.
- Add ctags Make target from Thomas Bleher.
- Collapse commands with grep piped to sed into one sed command.
- Fix type_change bug in term_user_pty().
- Move ice_tmp_t from miscfiles to xserver.
- Login fixes from Serge Hallyn.
- Move xserver_log_t from xdm to xserver.
- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
- Adds support for generating corenetwork interfaces based on attributes
  in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to
  filetrans to differentiate it from create interfaces without
- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
  added rules to allow this.
- Add polyinstantiation build option.
- Add setcontext to the association object class.
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Numerous miscellaneous fixes from Dan Walsh.
  daemontools (Petre Rodan)
  publicfile (Petre Rodan)
  ucspitcp (Petre Rodan)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
  networking permissions.
- Merge systemuser back in to users, as these files
  do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
  layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
  rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
  than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
  to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
  build phase instead of during the generation phase.

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
- Many fixes to make loadable modules build.
- Add targets for sechecker.
- Updated to sedoctool to read bool files and tunable
- Changed the xml tag of <boolean> to <bool> to be consistent
- Modified the implementation of segenxml to use regular
- Rename context_template() to gen_context() to clarify
  that it's not a Reference Policy template, but a support
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
  such as reading up and writing down.
- Fix errors uncovered by sediff.

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
  unconfined in the targeted policy so no special
  modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
  can_portmap() to sysnetwork.
- Fix base module compile issues.

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
- Fix errors uncovered by sediff.
- Doc tool will explicitly say a module does not have interfaces
  or templates on the module page.

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.
- Add genclassperms.py tool to add require blocks
  for loadable modules.
- Change sedoctool to make required modules part of base
  by default, otherwise make as modules, in modules.conf.
- Fix segenxml to handle modules with no interfaces.
- Rename ipsec connect interface for consistency.
- Add missing parts of unix stream socket connect interface
- Rename inetd connect interface for consistency.
- Rename interface for purging contents of tmp, for clarity,
  since it allows deletion of classes other than file.

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
- Fix comparison bug in fc_sort.
- Fix handling of ordered and unordered HTML lists.
- Corenetwork now supports multiple network interfaces having the
- Doc tool now creates pages for global Booleans and global tunables.
- Doc tool now links directly to the interface/template in the
  module page when it is selected in the interface/template index.
- Added support for layer summaries.

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
- Changed xml to have modules encapsulated by layer tags, rather
  than putting layer="foo" in the module tags. Also in the future
  we can put a summary and description for each layer.
- Added tool to infer interface, module, and layer tags. This will
  now list all interfaces, even if they are missing xml docs.
- Shortened xml tag names.
- Added macros to declare interfaces and templates.
- Added interface call trace.
- Updated all xml documentation for shorter and inferred tags.
- Doc tool now displays templates in the web pages.
- Doc tool retains the user's settings in modules.conf and
  tunables.conf if the files already exist.
- Modules.conf behavior has been changed to be a list of all
  available modules, and the user can specify if the module is
  built as a loadable module, included in the monolithic policy,
  fstools (fsck, mkfs, swapon, etc. tools)
  nis (ypbind and ypserv)
  ssh (server, client, and agent)
- Added infrastructure for targeted policy support, only missing
  transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615