1 - Association polmatch MLS constraint making unlabeled_t an exception
2 is no longer needed, patch from Venkat Yekkirala.
3 - Context contains checking for PAM and cron from James Antill.
4 - Add a reload target to Modules.devel and change the load
5 target to only insert modules that were changed.
6 - Allow semanage to read from /root on strict non-MLS for
8 - Gentoo init script fixes for udev.
9 - Allow udev to read kernel modules.inputmap.
10 - Dnsmasq fixes from testing.
11 - Allow kernel NFS server to getattr filesystems so df can work
13 - Patch from Matt Anderson for a MLS constraint exemption on a
14 file that can be written to from a subject whose range is
15 within the object's range.
16 - Enhanced setransd support from Darrel Goeddel.
17 - Patches from Dan Walsh:
26 * Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
27 - Patch from Russell Coker Thu, 5 Oct 2006
28 - Move range transitions to modules.
29 - Make number of MLS sensitivities, and number of MLS and MCS
30 categories configurable as build options.
31 - Add role infrastructure.
32 - Debian updates from Erich Schubert.
33 - Add nscd_socket_use() to auth_use_nsswitch().
34 - Remove old selopt rules.
35 - Full support for netfilter_contexts.
36 - MRTG patch for daemon operation from Stefan.
37 - Add authlogin interface to abstract common access for login programs.
38 - Remove setbool auditallow, except for RHEL4.
39 - Change eventpollfs to task SID labeling.
40 - Add key support from Michael LeMay.
41 - Add ftpdctl domain to ftp, from Paul Howarth.
42 - Fix build system to not move type declarations out of optionals.
43 - Add gcc-config domain to portage.
44 - Add packet object class and support in corenetwork.
45 - Add a copy of genhomedircon for monolithic policy building, so that a
46 policycoreutils package update is not required for RHEL4 systems.
47 - Add appletalk sockets for use in cups.
48 - Add Make target to validate module linking.
49 - Make duplicate template and interface declarations a fatal error.
50 - Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
51 - Move xconsole_device_t from devices to xserver since it is
52 not actually a device, it is a named pipe.
53 - Handle nonexistant .fc and .if files in devel Makefile by
54 automatically creating empty files.
55 - Remove unused devfs_control_t.
56 - Add rhel4 distro, which also implies redhat distro.
57 - Remove unneeded range_transition for su_exec_t and move the
58 type declaration back to the su module.
59 - Constrain transitions in MCS so unconfined_t cannot have
60 arbitrary category sets.
61 - Change reiserfs from xattr filesystem to genfscon as it's xattrs
62 are currently nonfunctional.
63 - Change files and filesystem modules to use their own interfaces.
64 - Add user fonts to xserver.
65 - Additional interfaces in corecommands, miscfiles, and userdomain
67 - Miscellaneous fixes from Thomas Bleher.
68 - Deprecate module name as first parameter of optional_policy()
69 now that optionals are allowed everywhere.
70 - Enable optional blocks in base module and monolithic policy.
71 This requires checkpolicy 1.30.1.
72 - Fix vpn module declaration.
73 - Numerous fixes from Dan Walsh.
74 - Change build order to preserve m4 line number information so policy
75 compile errors are useful again.
76 - Additional MLS interfaces from Chad Hanson.
77 - Move some rules out of domain_type() and domain_base_type()
78 to the TE file, to use the domain attribute to take advantage
79 of space savings from attribute use.
80 - Add global stack smashing protector rule for urandom access from
82 - Fix temporary rules at the bottom of portmap.
83 - Updated comments in mls file from Chad Hanson.
84 - Patches from Dan Walsh:
107 amavis (Erich Schubert)
115 clamav (Erich Schubert)
116 clockspeed (Petre Rodan)
121 dpkg (Erich Schubert)
138 netlabel (Paul Moore)
145 openvpn (Petre Rodan)
172 * Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
173 - Make all interface parameters required.
174 - Move boot_t, system_map_t, and modules_object_t to files module,
175 and move bootloader to admin layer.
176 - Add semanage policy for semodule from Dan Walsh.
177 - Remove allow_execmem from targeted policy domain_base_type().
178 - Add users_extra and seusers support.
179 - Postfix fixes from Serge Hallyn.
180 - Run python and shell directly to interpret scripts so policy
181 sources need not be executable.
182 - Add desc tag XML to booleans and tunables, and add summary
183 to param XML tag, to make future translations possible.
184 - Remove unused lvm_vg_t.
185 - Many interface renames to improve naming consistency.
186 - Merge xdm into xserver.
187 - Remove kernel module reversed interfaces.
188 - Add filename attribute to module XML tag and lineno attribute to
190 - Changed QUIET build option to a yes or no option.
191 - Add a Makefile used for compiling loadable modules in a
192 user's development environment, building against policy headers.
193 - Add Make target for installing policy headers.
194 - Separate per-userdomain template expansion from the userdomain
195 module and add infrastructure to expand templates in the modules
196 that own the template.
197 - Enable secadm only for MLS policies.
198 - Remove role change rules in su and sudo since this functionality has been
199 removed from these programs.
200 - Add ctags Make target from Thomas Bleher.
201 - Collapse commands with grep piped to sed into one sed command.
202 - Fix type_change bug in term_user_pty().
203 - Move ice_tmp_t from miscfiles to xserver.
204 - Login fixes from Serge Hallyn.
205 - Move xserver_log_t from xdm to xserver.
206 - Add lpr per-userdomain policy to lpd.
207 - Miscellaneous fixes from Dan Walsh.
208 - Change initrc_var_run_t interface noun from script_pid to utmp,
221 * Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
222 - Adds support for generating corenetwork interfaces based on attributes
223 in addition to types.
224 - Permits the listing of multiple nodes in a network_node() that will be
226 - Add two new permission sets for stream sockets.
227 - Rename file type transition interfaces verb from create to
228 filetrans to differentiate it from create interfaces without
230 - Fix expansion of interfaces from disabled modules.
231 - Rsync can be long running from init,
232 added rules to allow this.
233 - Add polyinstantiation build option.
234 - Add setcontext to the association object class.
235 - Add apache relay and db connect tunables.
236 - Rename texrel_shlib_t to textrel_shlib_t.
237 - Add swat to samba module.
238 - Numerous miscellaneous fixes from Dan Walsh.
243 daemontools (Petre Rodan)
253 publicfile (Petre Rodan)
261 ucspitcp (Petre Rodan)
265 * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
266 - Add unlabeled IPSEC association rule to domains with
267 networking permissions.
268 - Merge systemuser back in to users, as these files
269 do not need to be split.
270 - Add check for duplicate interface/template definitions.
271 - Move domain, files, and corecommands modules to kernel
272 layer to resolve some layering inconsistencies.
273 - Move policy build options out of Makefile into build.conf.
274 - Add yppasswd to nis module.
275 - Change optional_policy() to refer to the module name
276 rather than modulename.te.
277 - Fix labeling targets to use installed file_contexts rather
278 than partial file_contexts in the policy source directory.
279 - Fix build process to use make's internal vpath functions
280 to detect modules rather than using subshells and find.
281 - Add install target for modular policy.
282 - Add load target for modular policy.
283 - Add appconfig dependency to the load target.
284 - Miscellaneous fixes from Dan Walsh.
285 - Fix corenetwork gen_context()'s to expand during the policy
286 build phase instead of during the generation phase.
310 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
311 - Many fixes to make loadable modules build.
312 - Add targets for sechecker.
313 - Updated to sedoctool to read bool files and tunable
315 - Changed the xml tag of <boolean> to <bool> to be consistent
317 - Modified the implementation of segenxml to use regular
319 - Rename context_template() to gen_context() to clarify
320 that its not a Reference Policy template, but a support
322 - Add disable_*_trans bool support for targeted policy.
323 - Add MLS module to handle MLS constraint exceptions,
324 such as reading up and writing down.
325 - Fix errors uncovered by sediff.
342 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
343 - Make logrotate, sendmail, sshd, and rpm policies
344 unconfined in the targeted policy so no special
345 modules.conf is required.
346 - Add experimental MCS support.
347 - Add appconfig for MLS.
348 - Add equivalents for old can_resolve(), can_ldap(), and
349 can_portmap() to sysnetwork.
350 - Fix base module compile issues.
367 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
368 - Fix errors uncovered by sediff.
369 - Doc tool will explicitly say a module does not have interfaces
370 or templates on the module page.
381 * Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
382 - Add Makefile support for building loadable modules.
383 - Add genclassperms.py tool to add require blocks
384 for loadable modules.
385 - Change sedoctool to make required modules part of base
386 by default, otherwise make as modules, in modules.conf.
387 - Fix segenxml to handle modules with no interfaces.
388 - Rename ipsec connect interface for consistency.
389 - Add missing parts of unix stream socket connect interface
391 - Rename inetd connect interface for consistency.
392 - Rename interface for purging contents of tmp, for clarity,
393 since it allows deletion of classes other than file.
414 * Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
415 - Fix comparison bug in fc_sort.
416 - Fix handling of ordered and unordered HTML lists.
417 - Corenetwork now supports multiple network interfaces having the
419 - Doc tool now creates pages for global Booleans and global tunables.
420 - Doc tool now links directly to the interface/template in the
421 module page when it is selected in the interface/template index.
422 - Added support for layer summaries.
429 * Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
430 - Changed xml to have modules encapsulated by layer tags, rather
431 than putting layer="foo" in the module tags. Also in the future
432 we can put a summary and description for each layer.
433 - Added tool to infer interface, module, and layer tags. This will
434 now list all interfaces, even if they are missing xml docs.
435 - Shortened xml tag names.
436 - Added macros to declare interfaces and templates.
437 - Added interface call trace.
438 - Updated all xml documentation for shorter and inferred tags.
439 - Doc tool now displays templates in the web pages.
440 - Doc tool retains the user's settings in modules.conf and
441 tunables.conf if the files already exist.
442 - Modules.conf behavior has been changed to be a list of all
443 available modules, and the user can specify if the module is
444 built as a loadable module, included in the monolithic policy,
447 fstools (fsck, mkfs, swapon, etc. tools)
451 nis (ypbind and ypserv)
452 ssh (server, client, and agent)
454 - Added infrastructure for targeted policy support, only missing
455 transition boolean support.
457 * Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615