1 - Patch from Matt Anderson for a MLS constraint exemption on a
2 file that can be written to from a subject whose range is
3 within the object's range.
4 - Enhanced setransd support from Darrel Goeddel.
5 - Patches from Dan Walsh:
10 * Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
11 - Patch from Russell Coker Thu, 5 Oct 2006
12 - Move range transitions to modules.
13 - Make number of MLS sensitivities, and number of MLS and MCS
14 categories configurable as build options.
15 - Add role infrastructure.
16 - Debian updates from Erich Schubert.
17 - Add nscd_socket_use() to auth_use_nsswitch().
18 - Remove old selopt rules.
19 - Full support for netfilter_contexts.
20 - MRTG patch for daemon operation from Stefan.
21 - Add authlogin interface to abstract common access for login programs.
22 - Remove setbool auditallow, except for RHEL4.
23 - Change eventpollfs to task SID labeling.
24 - Add key support from Michael LeMay.
25 - Add ftpdctl domain to ftp, from Paul Howarth.
26 - Fix build system to not move type declarations out of optionals.
27 - Add gcc-config domain to portage.
28 - Add packet object class and support in corenetwork.
29 - Add a copy of genhomedircon for monolithic policy building, so that a
30 policycoreutils package update is not required for RHEL4 systems.
31 - Add appletalk sockets for use in cups.
32 - Add Make target to validate module linking.
33 - Make duplicate template and interface declarations a fatal error.
34 - Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
35 - Move xconsole_device_t from devices to xserver since it is
36 not actually a device, it is a named pipe.
37 - Handle nonexistant .fc and .if files in devel Makefile by
38 automatically creating empty files.
39 - Remove unused devfs_control_t.
40 - Add rhel4 distro, which also implies redhat distro.
41 - Remove unneeded range_transition for su_exec_t and move the
42 type declaration back to the su module.
43 - Constrain transitions in MCS so unconfined_t cannot have
44 arbitrary category sets.
45 - Change reiserfs from xattr filesystem to genfscon as it's xattrs
46 are currently nonfunctional.
47 - Change files and filesystem modules to use their own interfaces.
48 - Add user fonts to xserver.
49 - Additional interfaces in corecommands, miscfiles, and userdomain
51 - Miscellaneous fixes from Thomas Bleher.
52 - Deprecate module name as first parameter of optional_policy()
53 now that optionals are allowed everywhere.
54 - Enable optional blocks in base module and monolithic policy.
55 This requires checkpolicy 1.30.1.
56 - Fix vpn module declaration.
57 - Numerous fixes from Dan Walsh.
58 - Change build order to preserve m4 line number information so policy
59 compile errors are useful again.
60 - Additional MLS interfaces from Chad Hanson.
61 - Move some rules out of domain_type() and domain_base_type()
62 to the TE file, to use the domain attribute to take advantage
63 of space savings from attribute use.
64 - Add global stack smashing protector rule for urandom access from
66 - Fix temporary rules at the bottom of portmap.
67 - Updated comments in mls file from Chad Hanson.
68 - Patches from Dan Walsh:
91 amavis (Erich Schubert)
99 clamav (Erich Schubert)
100 clockspeed (Petre Rodan)
105 dpkg (Erich Schubert)
122 netlabel (Paul Moore)
129 openvpn (Petre Rodan)
156 * Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
157 - Make all interface parameters required.
158 - Move boot_t, system_map_t, and modules_object_t to files module,
159 and move bootloader to admin layer.
160 - Add semanage policy for semodule from Dan Walsh.
161 - Remove allow_execmem from targeted policy domain_base_type().
162 - Add users_extra and seusers support.
163 - Postfix fixes from Serge Hallyn.
164 - Run python and shell directly to interpret scripts so policy
165 sources need not be executable.
166 - Add desc tag XML to booleans and tunables, and add summary
167 to param XML tag, to make future translations possible.
168 - Remove unused lvm_vg_t.
169 - Many interface renames to improve naming consistency.
170 - Merge xdm into xserver.
171 - Remove kernel module reversed interfaces.
172 - Add filename attribute to module XML tag and lineno attribute to
174 - Changed QUIET build option to a yes or no option.
175 - Add a Makefile used for compiling loadable modules in a
176 user's development environment, building against policy headers.
177 - Add Make target for installing policy headers.
178 - Separate per-userdomain template expansion from the userdomain
179 module and add infrastructure to expand templates in the modules
180 that own the template.
181 - Enable secadm only for MLS policies.
182 - Remove role change rules in su and sudo since this functionality has been
183 removed from these programs.
184 - Add ctags Make target from Thomas Bleher.
185 - Collapse commands with grep piped to sed into one sed command.
186 - Fix type_change bug in term_user_pty().
187 - Move ice_tmp_t from miscfiles to xserver.
188 - Login fixes from Serge Hallyn.
189 - Move xserver_log_t from xdm to xserver.
190 - Add lpr per-userdomain policy to lpd.
191 - Miscellaneous fixes from Dan Walsh.
192 - Change initrc_var_run_t interface noun from script_pid to utmp,
205 * Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
206 - Adds support for generating corenetwork interfaces based on attributes
207 in addition to types.
208 - Permits the listing of multiple nodes in a network_node() that will be
210 - Add two new permission sets for stream sockets.
211 - Rename file type transition interfaces verb from create to
212 filetrans to differentiate it from create interfaces without
214 - Fix expansion of interfaces from disabled modules.
215 - Rsync can be long running from init,
216 added rules to allow this.
217 - Add polyinstantiation build option.
218 - Add setcontext to the association object class.
219 - Add apache relay and db connect tunables.
220 - Rename texrel_shlib_t to textrel_shlib_t.
221 - Add swat to samba module.
222 - Numerous miscellaneous fixes from Dan Walsh.
227 daemontools (Petre Rodan)
237 publicfile (Petre Rodan)
245 ucspitcp (Petre Rodan)
249 * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
250 - Add unlabeled IPSEC association rule to domains with
251 networking permissions.
252 - Merge systemuser back in to users, as these files
253 do not need to be split.
254 - Add check for duplicate interface/template definitions.
255 - Move domain, files, and corecommands modules to kernel
256 layer to resolve some layering inconsistencies.
257 - Move policy build options out of Makefile into build.conf.
258 - Add yppasswd to nis module.
259 - Change optional_policy() to refer to the module name
260 rather than modulename.te.
261 - Fix labeling targets to use installed file_contexts rather
262 than partial file_contexts in the policy source directory.
263 - Fix build process to use make's internal vpath functions
264 to detect modules rather than using subshells and find.
265 - Add install target for modular policy.
266 - Add load target for modular policy.
267 - Add appconfig dependency to the load target.
268 - Miscellaneous fixes from Dan Walsh.
269 - Fix corenetwork gen_context()'s to expand during the policy
270 build phase instead of during the generation phase.
294 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
295 - Many fixes to make loadable modules build.
296 - Add targets for sechecker.
297 - Updated to sedoctool to read bool files and tunable
299 - Changed the xml tag of <boolean> to <bool> to be consistent
301 - Modified the implementation of segenxml to use regular
303 - Rename context_template() to gen_context() to clarify
304 that its not a Reference Policy template, but a support
306 - Add disable_*_trans bool support for targeted policy.
307 - Add MLS module to handle MLS constraint exceptions,
308 such as reading up and writing down.
309 - Fix errors uncovered by sediff.
326 * Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
327 - Make logrotate, sendmail, sshd, and rpm policies
328 unconfined in the targeted policy so no special
329 modules.conf is required.
330 - Add experimental MCS support.
331 - Add appconfig for MLS.
332 - Add equivalents for old can_resolve(), can_ldap(), and
333 can_portmap() to sysnetwork.
334 - Fix base module compile issues.
351 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
352 - Fix errors uncovered by sediff.
353 - Doc tool will explicitly say a module does not have interfaces
354 or templates on the module page.
365 * Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
366 - Add Makefile support for building loadable modules.
367 - Add genclassperms.py tool to add require blocks
368 for loadable modules.
369 - Change sedoctool to make required modules part of base
370 by default, otherwise make as modules, in modules.conf.
371 - Fix segenxml to handle modules with no interfaces.
372 - Rename ipsec connect interface for consistency.
373 - Add missing parts of unix stream socket connect interface
375 - Rename inetd connect interface for consistency.
376 - Rename interface for purging contents of tmp, for clarity,
377 since it allows deletion of classes other than file.
398 * Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
399 - Fix comparison bug in fc_sort.
400 - Fix handling of ordered and unordered HTML lists.
401 - Corenetwork now supports multiple network interfaces having the
403 - Doc tool now creates pages for global Booleans and global tunables.
404 - Doc tool now links directly to the interface/template in the
405 module page when it is selected in the interface/template index.
406 - Added support for layer summaries.
413 * Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
414 - Changed xml to have modules encapsulated by layer tags, rather
415 than putting layer="foo" in the module tags. Also in the future
416 we can put a summary and description for each layer.
417 - Added tool to infer interface, module, and layer tags. This will
418 now list all interfaces, even if they are missing xml docs.
419 - Shortened xml tag names.
420 - Added macros to declare interfaces and templates.
421 - Added interface call trace.
422 - Updated all xml documentation for shorter and inferred tags.
423 - Doc tool now displays templates in the web pages.
424 - Doc tool retains the user's settings in modules.conf and
425 tunables.conf if the files already exist.
426 - Modules.conf behavior has been changed to be a list of all
427 available modules, and the user can specify if the module is
428 built as a loadable module, included in the monolithic policy,
431 fstools (fsck, mkfs, swapon, etc. tools)
435 nis (ypbind and ypserv)
436 ssh (server, client, and agent)
438 - Added infrastructure for targeted policy support, only missing
439 transition boolean support.
441 * Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615