make .te and .fc files optional by touching them if they are missing.

[people/stevee/selinux-policy.git] / refpolicy / Changelog

- Handle nonexistant .fc and .if files in devel Makefile by
  automatically creating empty files.
- Remove unused devfs_control_t.
- Add rhel4 distro, which also implies redhat distro.
- Remove unneeded range_transition for su_exec_t and move the
  type declaration back to the su module.
- Constrain transitions in MCS so unconfined_t cannot have
  arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
  are currently nonfunctional.
- Change files and filesystem modules to use their own interfaces.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
  from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
  now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
  This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
  compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
  to the TE file, to use the domain attribute to take advantage
  of space savings from attribute use.
- Add global stack smashing protector rule for urandom access from
  Petre Rodan.
- Fix temporary rules at the bottom of portmap.
- Updated comments in mls file from Chad Hanson.
- Added modules:
	amavis (Erich Schubert)
	apt (Erich Schubert)
	audioentropy
	calamaris
	cipe
	clamav (Erich Schubert)
	dante
	dpkg (Erich Schubert)
	ethereal
	evolution
	games
	mozilla
	mplayer
	nagios
	nessus
	postgrey
	pxe
	qmail (Petre Rodan)
	rhgb
	snort
	thunderbird
	tor (Erich Schubert)
	xen (Dan Walsh)

* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
- Move boot_t, system_map_t, and modules_object_t to files module,
  and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
  sources need not be executable.
- Add desc tag XML to booleans and tunables, and add summary
  to param XML tag, to make future translations possible.
- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
  interface XML tag.
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
  user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain
  module and add infrastructure to expand templates in the modules
  that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
  removed from these programs.
- Add ctags Make target from Thomas Bleher.
- Collapse commands with grep piped to sed into one sed command.
- Fix type_change bug in term_user_pty().
- Move ice_tmp_t from miscfiles to xserver.
- Login fixes from Serge Hallyn.
- Move xserver_log_t from xdm to xserver.
- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,
  for greater clarity.
- Added modules:
	certwatch
	mono (Dan Walsh)
	mrtg
	portage
	tvtime
	userhelper
	usernetctl
	wine (Dan Walsh)
	xserver

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
- Adds support for generating corenetwork interfaces based on attributes 
  in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
  given the same type.
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to
  filetrans to differentiate it from create interfaces without
  type transitions.
- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
  added rules to allow this.
- Add polyinstantiation build option.
- Add setcontext to the association object class.
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Numerous miscellaneous fixes from Dan Walsh.
- Added modules:
	alsa
	automount
	cdrecord
	daemontools (Petre Rodan)
	ddcprobe
	djbdns (Petre Rodan)
	fetchmail
	irc
	java
	lockdev
	logwatch (Dan Walsh)
	openct
	prelink (Dan Walsh)
	publicfile (Petre Rodan)
	readahead
	roundup
	screen
	slocate (Dan Walsh)
	slrnpull
	smartmon
	sysstat
	ucspitcp (Petre Rodan)
	usbmodules
	vbetool (Dan Walsh)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
  networking permissions.
- Merge systemuser back in to users, as these files
  do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
  layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
  rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
  than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
  to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
  build phase instead of during the generation phase.  
- Added policies:
	amanda
	avahi
	canna
	cyrus
	dbskk
	dovecot
	distcc
	i18n_input
	irqbalance
	lpd
	networkmanager
	pegasus
	postfix
	procmail
	radius
	rdisc
	rpc
	spamassassin
	timidity
	xdm
	xfs

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
- Many fixes to make loadable modules build.
- Add targets for sechecker.
- Updated to sedoctool to read bool files and tunable
  files separately.
- Changed the xml tag of <boolean> to <bool> to be consistent
  with gen_bool().
- Modified the implementation of segenxml to use regular
  expressions.
- Rename context_template() to gen_context() to clarify
  that its not a Reference Policy template, but a support
  macro.
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
  such as reading up and writing down.
- Fix errors uncovered by sediff.
- Added policies:
	anaconda
	apache
	apm
	arpwatch
	bluetooth
	dmidecode
	finger
	ftp
	kudzu
	mailman
	ppp
	radvd
	sasl
	webalizer

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
  unconfined in the targeted policy so no special
  modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
  can_portmap() to sysnetwork.
- Fix base module compile issues.
- Added policies:
	cpucontrol
	cvs
	ktalk
	portmap
	postgresql
	rlogin
	samba
	snmp
	stunnel
	telnet
	tftp
	uucp
	vpn
	zebra

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
- Fix errors uncovered by sediff.
- Doc tool will explicitly say a module does not have interfaces
  or templates on the module page.
- Added policies:
	comsat
	dbus
	dhcp
	dictd
	hal
	inn
	ntp
	squid

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.
- Add genclassperms.py tool to add require blocks
  for loadable modules.
- Change sedoctool to make required modules part of base
  by default, otherwise make as modules, in modules.conf.
- Fix segenxml to handle modules with no interfaces.
- Rename ipsec connect interface for consistency.
- Add missing parts of unix stream socket connect interface
  of ipsec.
- Rename inetd connect interface for consistency.
- Rename interface for purging contents of tmp, for clarity,
  since it allows deletion of classes other than file.
- Misc. cleanups.
- Added policies:
	acct
	bind
	firstboot
	gpm
	howl
	ldap
	loadkeys
	mysql
	privoxy
	quota
	rshd
	rsync
	su
	sudo
	tcpd
	tmpreaper
	updfstab

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
- Fix comparison bug in fc_sort.
- Fix handling of ordered and unordered HTML lists.
- Corenetwork now supports multiple network interfaces having the
  same type.
- Doc tool now creates pages for global Booleans and global tunables.
- Doc tool now links directly to the interface/template in the
  module page when it is selected in the interface/template index.
- Added support for layer summaries.
- Added policies:
	ipsec
	nscd
	pcmcia
	raid

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
- Changed xml to have modules encapsulated by layer tags, rather
  than putting layer="foo" in the module tags.  Also in the future
  we can put a summary and description for each layer.
- Added tool to infer interface, module, and layer tags.  This will
  now list all interfaces, even if they are missing xml docs.
- Shortened xml tag names.
- Added macros to declare interfaces and templates.
- Added interface call trace.
- Updated all xml documentation for shorter and inferred tags.
- Doc tool now displays templates in the web pages.
- Doc tool retains the user's settings in modules.conf and
  tunables.conf if the files already exist.
- Modules.conf behavior has been changed to be a list of all
  available modules, and the user can specify if the module is
  built as a loadable module, included in the monolithic policy,
  or excluded.
- Added policies:
	fstools (fsck, mkfs, swapon, etc. tools)
	logrotate
	inetd
	kerberos
	nis (ypbind and ypserv)
	ssh (server, client, and agent)
	unconfined
- Added infrastructure for targeted policy support, only missing
	transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
	- Initial release