commit: f71f05b9435fb78d1b6929d2d146e8381d8f4da6
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 1 18:15:23 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed May 1 18:15:23 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f71f05b9

Archive old Changelog for log format change

---
 Changelog                  | 1162 ++++++++------------------------------------
 Changelog => Changelog.old |    4 +
 2 files changed, 219 insertions(+), 947 deletions(-)

15 |
diff --git a/Changelog b/Changelog |
16 |
index 0090893..5fcca55 100644 |
17 |
--- a/Changelog |
18 |
+++ b/Changelog |
19 |
@@ -1,948 +1,216 @@ |
20 |
-* Wed Jul 25 2012 Chris PeBenito <selinux@××××××.com> - 2.20120725 |
21 |
-- Rename epollwakeup capability2 permission to block_suspend to match the |
22 |
- corresponding kernel capability rename. |
23 |
-- Udev and init changes to support /run, from Sven Vermeulen. |
24 |
-- auth_use_nsswitch updates from Miroslav Grepl. |
25 |
-- Mount runtime files fix from Guido Trentalancia. |
26 |
-- Update Python scripts to support Python 3, from Sven Vermeulen. |
27 |
-- Update capability2 object class for new wake_alarm and epollwakeup |
28 |
- capabilities. |
29 |
-- SEPostgresql updates from Kohei KaiGai. |
30 |
-- Simplify file contexts based on file context path substitutions, from Sven |
31 |
- Vermeulen. |
32 |
-- Add optional name for kernel and system filetrans interfaces. |
33 |
-- Non-auth file attribute to eliminate set expressions, from James Carter. |
34 |
-- Virt updates from Sven Vermeulen. |
35 |
-- Various dontaudits from Sven Vermeulen. |
36 |
-- Fix base module and monolithic role declaration ordering issue now that |
37 |
- role declarations must be explicit, from Harry Ciao. |
38 |
-- Added contrib modules: |
39 |
- bacula (Stan Sander/Sven Vermeulen) |
40 |
- bcfg2 (Miroslav Grepl) |
41 |
- blueman (Miroslav Grepl) |
42 |
+* Wed Apr 24 2013 Chris PeBenito <selinux@××××××.com> - 2.20130424 |
43 |
+Chris PeBenito (78): |
44 |
+ Mcelog update from Guido Trentalancia. |
45 |
+ Add bird contrib module from Dominick Grift. |
46 |
+ Minor whitespace fix in udev.fc |
47 |
+ Module version bump for udev binary location update from Sven Vermeulen. |
48 |
+ clarify the file_contexts.subs_dist configuration file usage from Guido |
49 |
+ Trentalancia |
50 |
+ Update contrib. |
51 |
+ Remove trailing / from paths |
52 |
+ Module version bump for fc substitutions optimizations from Sven |
53 |
+ Vermeulen. |
54 |
+ Update contrib. |
55 |
+ Module version bump for /run/dhcpc directory creation by dhcp from Sven |
56 |
+ Vermeulen. |
57 |
+ Module version bump for fc fixes in devices module from Dominick Grift. |
58 |
+ Update contrib. |
59 |
+ Module version bump for /dev/mei type and label from Dominick Grift. |
60 |
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. |
61 |
+ Module version bump for lost+found labeling in /var/log from Guido |
62 |
+ Trentalancia. |
63 |
+ Module version bump for loop-control patch. |
64 |
+ Turn off all tunables by default, from Guido Trentalancia. |
65 |
+ Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH. |
66 |
+ Module version bump for various changes from Sven Vermeulen. |
67 |
+ Module version bump for ports update from Dominick Grift. |
68 |
+ Module version bump for Debian file context updates from Laurent |
69 |
+ Bigonville. |
70 |
+ Update contrib. |
71 |
+ Update contrib. |
72 |
+ split kmod fc into two lines. |
73 |
+ Module version bump for kmod fc from Laurent Bigonville. |
74 |
+ Module version bump for cfengine fc change from Dominick Grift. |
75 |
+ Module verision bump for Debian cert file fc update from Laurent |
76 |
+ Bigonville. |
77 |
+ Module version bump for ipsec net sysctls reading from Miroslav Grepl. |
78 |
+ Module version bump for srvloc port definition from Dominick Grift. |
79 |
+ Rename cachefiles_dev_t to cachefiles_device_t. |
80 |
+ Module version bump for cachefiles core support. |
81 |
+ Module version bump for changes from Dominick Grift and Sven Vermeulen. |
82 |
+ Module version bump for modutils patch from Dominick Grift. |
83 |
+ Module version bump for dhcp6 ports, from Russell Coker. |
84 |
+ Rearrange new xserver interfaces. |
85 |
+ Rename new xserver interfaces. |
86 |
+ Module version bump for xserver interfaces from Dominick Grift. |
87 |
+ Move kernel_stream_connect() declaration. |
88 |
+ Module version bump for kernel_stream_connect() from Dominick Grift. |
89 |
+ Rename logging_search_all_log_dirs to logging_search_all_logs |
90 |
+ Module version bump for minor logging and sysnet changes from Sven |
91 |
+ Vermeulen. |
92 |
+ Module version bump for dovecot libs from Mika Pflueger. |
93 |
+ Rearrange interfaces in files, clock, and udev. |
94 |
+ Module version bump for interfaces used by virt from Dominick Grift. |
95 |
+ Module version bump for arping setcap from Dominick Grift. |
96 |
+ Rearrange devices interfaces. |
97 |
+ Module version bump/contrib sync. |
98 |
+ Rearrange lines. |
99 |
+ Module version bump for user home content fixes from Dominick Grift. |
100 |
+ Rearrange files interfaces. |
101 |
+ Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen. |
102 |
+ Update contrib. |
103 |
+ Whitespace fix in miscfiles.fc. |
104 |
+ Adjust man cache interface names. |
105 |
+ Module version bump for man cache from Dominick Grift. |
106 |
+ Module version bump for Debian ssh-keysign location from Laurent |
107 |
+ Bigonville. |
108 |
+ Module version bump for userdomain portion of XDG updates from Dominick |
109 |
+ Grift. |
110 |
+ Module version bump for iptables fc entry from Sven Vermeulen and inn log |
111 |
+ from Dominick Grift. |
112 |
+ Module version bump for logging and tcpdump fixes from Sven Vermeulen. |
113 |
+ Move mcs_constrained() impementation. |
114 |
+ Module version bump for mcs_constrained from Dominick Grift. |
115 |
+ Update contrib. |
116 |
+ Module version bump from Debian changes from Laurent Bigonville. |
117 |
+ Module version bump for zfs labeling from Matthew Thode. |
118 |
+ Module version bump for misc updates from Sven Vermeulen. |
119 |
+ Update contrib. |
120 |
+ Module version bump for fixes from Dominick Grift. |
121 |
+ Module version bump for Debian updates from Laurent Bigonville. |
122 |
+ Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai. |
123 |
+ Update contrib |
124 |
+ Fix fc_sort.c warning uncovered by recent gcc |
125 |
+ Module version bump for chfn fixes from Sven Vermeulen. |
126 |
+ Add swapoff fc entry. |
127 |
+ Add conntrack fc entry. |
128 |
+ Update contrib. |
129 |
+ Update contrib |
130 |
+ Archive old Changelog for log format change. |
131 |
+ Bump module versions for release. |
132 |
+ |
133 |
+Dominick Grift (40): |
134 |
+ There can be more than a single watchdog interface |
135 |
+ Fix a suspected typo |
136 |
+ Intel® Active Management Technology |
137 |
+ Declare a loop control device node type and label /dev/loop-control |
138 |
+ accordingly |
139 |
+ Declare port types for ports used by Fedora but use /etc/services for port |
140 |
+ names rather than using fedora port names. If /etc/services does not |
141 |
+ have a port name for a port used by Fedora, skip for now. |
142 |
+ Remove var_log_t file context spec |
143 |
+ svrloc port type declaration from slpd policy module |
144 |
+ Declare a cachfiles device node type |
145 |
+ Implement files_create_all_files_as() for cachefilesd |
146 |
+ Restricted Xwindows user domains run windows managers in the windows |
147 |
+ managers domain |
148 |
+ Declare a cslistener port type for phpfpm |
149 |
+ Changes to the sysnetwork policy module |
150 |
+ Changes to the userdomain policy module |
151 |
+ Changes to the bootloader policy module |
152 |
+ Changes to the modutils policy module |
153 |
+ Changes to the xserver policy module |
154 |
+ Changes to various policy modules |
155 |
+ Changes to the kernel policy module |
156 |
+ For svirt_lxc_domain |
157 |
+ For svirt_lxc_domain |
158 |
+ For svirt_lxc_domain |
159 |
+ For virtd lxc |
160 |
+ For virtd_lxc |
161 |
+ For virtd_lxc |
162 |
+ For virtd lxc |
163 |
+ For virtd lxc |
164 |
+ For virtd |
165 |
+ Arping needs setcap to cap_set_proc |
166 |
+ For virtd |
167 |
+ Changes to the user domain policy module |
168 |
+ Samhain_admin() now requires a role for the role_transition from $1 to |
169 |
+ initrc_t via samhain_initrc_exec_t |
170 |
+ Changes to the user domain policy module |
171 |
+ Label /var/cache/man with a private man cache type for mandb |
172 |
+ Create a attribute user_home_content_type and assign it to all types that |
173 |
+ are classified userdom_user_home_content() |
174 |
+ These two attribute are unused |
175 |
+ System logger creates innd log files with a named file transition |
176 |
+ Implement mcs_constrained_type |
177 |
+ Changes to the init policy module |
178 |
+ Changes to the userdomain policy module |
179 |
+ NSCD related changes in various policy modules |
180 |
+ |
181 |
+Guido Trentalancia (1): |
182 |
+ add lost+found filesystem labels to support NSA security guidelines |
183 |
+ |
184 |
+Laurent Bigonville (21): |
185 |
+ Add Debian locations for GDM 3 |
186 |
+ Add Debian location for udisks helpers |
187 |
+ Add insmod_exec_t label for kmod executable |
188 |
+ Add Debian location for PKI files |
189 |
+ Add Debian location for ssh-keysign |
190 |
+ Properly label all the ssh host keys |
191 |
+ Allow udev_t domain to read files labeled as consolekit_var_run_t |
192 |
+ authlogin.if: Add auth_create_pam_console_data_dirs and |
193 |
+ auth_pid_filetrans_pam_var_console interfaces |
194 |
+ Label /etc/rc.d/init.d/x11-common as xdm_exec_t |
195 |
+ Drop /etc/rc.d/init.d/xfree86-common filecontext definition |
196 |
+ Label /var/run/shm as tmpfs_t for Debian |
197 |
+ Label /var/run/motd.dynamic as initrc_var_run_t |
198 |
+ Label /var/run/initctl as initctl_t |
199 |
+ udev.if: Call files_search_pid instead of files_search_var_lib in |
200 |
+ udev_manage_pid_files |
201 |
+ Label executables in /usr/lib/NetworkManager/ as bin_t |
202 |
+ Add support for rsyslog |
203 |
+ Label var_lock_t as a mountpoint |
204 |
+ Add mount_var_run_t type and allow mount_t domain to manage the files and |
205 |
+ directories |
206 |
+ Add initrc_t to use block_suspend capability |
207 |
+ Label executables under /usr/lib/gnome-settings-daemon/ as bin_t |
208 |
+ Label nut drivers that are installed in /lib/nut on Debian as bin_t |
209 |
+ |
210 |
+Matthew Thode (1): |
211 |
+ Implement zfs support |
212 |
+ |
213 |
+Mika Pflüger (2): |
214 |
+ Debian locations of gvfs and kde4 libexec binaries in /usr/lib |
215 |
+ Explicitly label dovecot libraries lib_t for debian |
216 |
+ |
217 |
+Miroslav Grepl (1): |
218 |
+ Allow ipsec to read kernel sysctl |
219 |
+ |
220 |
+Paul Moore (1): |
221 |
+ flask: add the attach_queue permission to the tun_socket object class |
222 |
+ |
223 |
+Russell Coker (1): |
224 |
+ Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for |
225 |
+ client control |
226 |
+ |
227 |
+Sven Vermeulen (27): |
228 |
+ New location for udevd binary |
229 |
+ Use substititions for /usr/local/lib and /etc/init.d |
230 |
+ DHCP client's hooks create /run/dhcpc directory |
231 |
+ Introduce init_daemon_run_dir transformation |
232 |
+ Use the init_daemon_run_dir interface for udev |
233 |
+ Allow initrc_t to create run dirs for core modules |
234 |
+ Puppet uses mount output for verification |
235 |
+ Allow syslogd to create /var/lib/syslog and |
236 |
+ /var/lib/misc/syslog-ng.persist |
237 |
+ Gentoo's openrc does not require initrc_exec_t for runscripts anymore |
238 |
+ Allow init scripts to read courier configuration |
239 |
+ Allow search within postgresql var directory for the stream connect |
240 |
+ interface |
241 |
+ Introduce logging_getattr_all_logs interface |
242 |
+ Introduce logging_search_all_log_dirs interface |
243 |
+ Support flushing routing cache |
244 |
+ Allow init to set attributes on device_t |
245 |
+ Introduce files_manage_all_pids interface |
246 |
+ Gentoo openrc migrates /var/run and /var/lock data to /run(/lock) |
247 |
+ Update files_manage_generic_locks with directory permissions |
248 |
+ Run ipset in iptables domain |
249 |
+ tcpdump chroots into /var/lib/tcpdump |
250 |
+ Remove generic log label for cron location |
251 |
+ Postgresql 9.2 connects to its unix stream socket |
252 |
+ lvscan creates the /run/lock/lvm directory if nonexisting (v2) |
253 |
+ Allow syslogger to manage cron log files (v2) |
254 |
+ Allow initrc_t to read stunnel configuration |
255 |
+ Introduce exec-check interfaces for passwd binaries and useradd binaries |
256 |
+ chfn_t reads in file context information and executes nscd |
257 |
|
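Review bot: Many of the added per-author entries do not say what changed in the policy, for example the three identical "For svirt_lxc_domain" lines and the two "For virtd" lines under Dominick Grift, and the repeated "Update contrib." and "Module version bump ..." lines under Chris PeBenito. The removed entries named the module and the behaviour affected, which is what someone auditing a policy update needs in order to see which domains gained or lost access. Since these lines are raw commit subjects, consider filtering the bookkeeping subjects out of the generated log and expanding the bare "For ..." subjects to name the rule or interface that was added. Separately, the new side of this hunk (+1,216) contains no pointer to Changelog.old even though every earlier release section is removed here; a single line stating that releases up to 2.20120725 are recorded in Changelog.old would keep that history discoverable.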
258 |
-* Wed Feb 15 2012 Chris PeBenito <selinux@××××××.com> - 2.20120215 |
259 |
-- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen. |
260 |
-- Add slim and lxdm file contexts to xserver, from Sven Vermeulen. |
261 |
-- Add userdom interfaces for user application domains, user tmp files, |
262 |
- and user tmpfs files. |
263 |
-- Asterisk administration fixes from Sven Vermeulen. |
264 |
-- Fix makefiles to install files with the correct DAC permissions if the |
265 |
- umask is not 022. |
266 |
-- Remove deprecated support macros. |
267 |
-- Remove rolemap and per-role template support. |
268 |
-- Change corenetwork port declaration to apply the reserved port type |
269 |
- attribute only, when the type has ports above and below 1024. |
270 |
-- Change secure_mode_policyload to disable only toggling of this Boolean |
271 |
- rather than disabling all Boolean toggling permissions. |
272 |
-- Use role attributes to assist with domain transitions in interactive |
273 |
- programs. |
274 |
-- Milter ports patch from Paul Howarth. |
275 |
-- Separate portage fetch rules out of portage_run() and portage_domtrans() |
276 |
- from Sven Vermeulen. |
277 |
-- Enhance corenetwork network_port() macro to support ports that do not have |
278 |
- a well defined port number, such as stunnel. |
279 |
-- Opendkim support in dkim module from Paul Howarth. |
280 |
-- Wireshark updates from Sven Vermeulen. |
281 |
-- Change secure_mode_insmod to control sys_module capability rather than |
282 |
- controlling domain transitions to insmod. |
283 |
-- Openrc and portage updates from Sven Vermeulen. |
284 |
-- Allow user and role changes on dynamic transitions with the same |
285 |
- constraints as regular transitions. |
286 |
-- New git service features from Dominick Grift. |
287 |
-- Corenetwork policy size optimization from Dan Walsh. |
288 |
-- Silence spurious udp_socket listen denials. |
289 |
-- Fix unexpanded MLS/MCS fields in monolithic seusers file. |
290 |
-- Type transition fix in Postgresql database objects from KaiGai Kohei. |
291 |
-- Support for file context path substitutions (file_contexts.subs). |
292 |
-- Added contrib modules: |
293 |
- glance (Dan Walsh) |
294 |
- rhsmcertd (Dan Walsh) |
295 |
- sanlock (Dan Walsh) |
296 |
- sblim (Dan Walsh) |
297 |
- uuidd (Dan Walsh) |
298 |
- vdagent (Dan Walsh) |
299 |
- |
300 |
-* Tue Jul 26 2011 Chris PeBenito <selinux@××××××.com> - 2.20110726 |
301 |
-- Fix role declarations to handle role attribute compilers. |
302 |
-- Rename audioentropy module to entropyd due to haveged support. |
303 |
-- Add haveged support from Sven Vermeulen. |
304 |
-- Authentication file patch from Matthew Ife. |
305 |
-- Add agent support to zabbix from Sven Vermeulen. |
306 |
-- Cyrus file context update for Gentoo from Corentin Labbe. |
307 |
-- Portage updates from Sven Vermeulen. |
308 |
-- Fix init_system_domain() description, pointed out by Elia Pinto. |
309 |
-- Postgresql selabel_lookup update from KaiGai Kohei. |
310 |
-- Dovecot managesieve support from Mika Pfluger. |
311 |
-- Semicolon after interface/template calls cleanup from Elia Pinto. |
312 |
-- Gentoo courier updates from Sven Vermeulen. |
313 |
-- Amavis patch for connecting to nslcd from Miroslav Grepl. |
314 |
-- Shorewall patch from Miroslav Grepl. |
315 |
-- Cpufreqselector dbus patch from Guido Trentalancia. |
316 |
-- Cron pam_namespace and pam_loginuid support from Harry Ciao. |
317 |
-- Xserver update for startx from Sven Vermeulen. |
318 |
-- Fix MLS constraint for contains permission from Harry Ciao. |
319 |
-- Apache user webpages fix from Dominick Grift. |
320 |
-- Change default build.conf to modular policy from Stephen Smalley. |
321 |
-- Xen refinement patch from Stephen Smalley. |
322 |
-- Sudo timestamp file location update from Sven Vermeulen. |
323 |
-- XServer keyboard event patch from Sven Vermeulen. |
324 |
-- RAID uevent patch from Sven Vermeulen. |
325 |
-- Gentoo ALSA init script usage patch from Sven Vermeulen. |
326 |
-- LVM semaphore usage patch from Sven Vermeulen. |
327 |
-- Module load request patch for insmod from Sven Vermeulen. |
328 |
-- Cron default contexts fix from Harry Ciao. |
329 |
-- Man page fixes from Justin Mattock. |
330 |
-- Add syslog capability. |
331 |
-- Support for logging in to /dev/console, from Harry Ciao. |
332 |
-- Database object class updates and associated SEPostgreSQL changes from |
333 |
- KaiGai Kohei. |
334 |
-- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi. |
335 |
-- Mount updates from Harry Ciao. |
336 |
-- Semanage update for MLS systems from Harry Ciao. |
337 |
-- Vlock terminal use update from Harry Ciao. |
338 |
-- Hadoop CDH3 updates from Paul Nuzzi. |
339 |
-- Add sepgsql_contexts appconfig files from KaiGai Kohei. |
340 |
-- Added modules: |
341 |
- aiccu |
342 |
- bugzilla (Dan Walsh) |
343 |
- colord (Dan Walsh) |
344 |
- cmirrord (Miroslav Grepl) |
345 |
- mediawiki (Miroslav Grepl) |
346 |
- mpd (Miroslav Grepl) |
347 |
- ncftool |
348 |
- passenger (Miroslav Grepl) |
349 |
- qpid (Dan Walsh) |
350 |
- samhain (Harry Ciao) |
351 |
- telepathy (Dominick Grift) |
352 |
- tcsd (Stephen Smalley) |
353 |
- vnstatd (Dan Walsh) |
354 |
- zarafa (Miroslav Grepl) |
355 |
- |
356 |
-* Mon Dec 13 2010 Chris PeBenito <selinux@××××××.com> - 2.20101213 |
357 |
-- Git man page from Dominick Grift. |
358 |
-- Alsa and oident home content cleanup from Dominick Grift. |
359 |
-- Add support for custom build options. |
360 |
-- Unconditional staff and user oidentd home config access from Dominick Grift. |
361 |
-- Conditional mmap_zero support from Dominick Grift. |
362 |
-- Added devtmpfs support. |
363 |
-- Dbadm updates from KaiGai Kohei. |
364 |
-- Virtio disk file context update from Mika Pfluger. |
365 |
-- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. |
366 |
-- Add JIT usage for freshclam. |
367 |
-- Remove ethereal module since the application was renamed to wireshark. |
368 |
-- Remove duplicate/redundant rules, from Russell Coker. |
369 |
-- Increased default number of categories to 1024, from Russell Coker. |
370 |
-- Added modules: |
371 |
- accountsd (Dan Walsh) |
372 |
- cgroup (Dominick Grift) |
373 |
- hadoop (Paul Nuzzi) |
374 |
- kdumpgui (Dan Walsh) |
375 |
- livecd (Dan Walsh) |
376 |
- mojomojo (Iain Arnell) |
377 |
- sambagui (Dan Walsh) |
378 |
- shutdown (Dan Walsh) |
379 |
- sosreport (Dan Walsh) |
380 |
- vlock (Harry Ciao) |
381 |
- |
382 |
-* Mon May 24 2010 Chris PeBenito <selinux@××××××.com> - 2.20100524 |
383 |
-- Merged a significant portion of Fedora policy. |
384 |
-- Move rules from mta mailserver delivery from interface to .te to use |
385 |
- attributes. |
386 |
-- Remove concept of users from terminal module interfaces since the |
387 |
- attributes are not specific to users. |
388 |
-- Add non-drawing X client support, for consolekit usage. |
389 |
-- Misc Gentoo fixes from Chris Richards. |
390 |
-- AFS and abrt fixes from Dominick Grift. |
391 |
-- Improved the XML docs of 55 most-used interfaces. |
392 |
-- Apcupsd and amavis fixes from Dominick Grift. |
393 |
-- Fix network_port() in corenetwork to correctly handle port ranges. |
394 |
-- SE-Postgresql updates from KaiGai Kohei. |
395 |
-- X object manager revisions from Eamon Walsh. |
396 |
-- Added modules: |
397 |
- aisexec (Dan Walsh) |
398 |
- chronyd (Miroslav Grepl) |
399 |
- cobbler (Dominick Grift) |
400 |
- corosync (Dan Walsh) |
401 |
- dbadm (KaiGai Kohei) |
402 |
- denyhosts (Dan Walsh) |
403 |
- nut (Stefan Schulze Frielinghaus, Miroslav Grepl) |
404 |
- likewise (Scott Salley) |
405 |
- plymouthd (Dan Walsh) |
406 |
- pyicqt (Stefan Schulze Frielinghaus) |
407 |
- rhcs (Dan Walsh) |
408 |
- rgmanager (Dan Walsh) |
409 |
- sectoolm (Miroslav Grepl) |
410 |
- usbmuxd (Dan Walsh) |
411 |
- vhostmd (Dan Walsh) |
412 |
- |
413 |
-* Tue Nov 17 2009 Chris PeBenito <selinux@××××××.com> - 2.20091117 |
414 |
-- Add separate x_pointer and x_keyboard classes inheriting from x_device. |
415 |
- From Eamon Walsh. |
416 |
-- Deprecated the userdom_xwindows_client_template(). |
417 |
-- Misc Gentoo fixes from Corentin Labbe. |
418 |
-- Debian policykit fixes from Martin Orr. |
419 |
-- Fix unconfined_r use of unconfined_java_t. |
420 |
-- Add missing x_device rules for XI2 functions, from Eamon Walsh. |
421 |
-- Add missing rules to make unconfined_cronjob_t a valid cron job domain. |
422 |
-- Add btrfs and ext4 to labeling targets. |
423 |
-- Fix infrastructure to expand macros in initrc_context when installing. |
424 |
-- Handle unix_chkpwd usage by useradd and groupadd. |
425 |
-- Add missing compatibility aliases for xdm_xserver*_t types. |
426 |
-- Added modules: |
427 |
- abrt (Dan Walsh) |
428 |
- dkim (Stefan Schulze Frielinghaus) |
429 |
- gitosis (Miroslav Grepl) |
430 |
- gnomeclock (Dan Walsh) |
431 |
- hddtemp (Dan Walsh) |
432 |
- kdump (Dan Walsh) |
433 |
- modemmanager(Dan Walsh) |
434 |
- nslcd (Dan Walsh) |
435 |
- puppet (Craig Grube) |
436 |
- rtkit (Dan Walsh) |
437 |
- seunshare (Dan Walsh) |
438 |
- shorewall (Dan Walsh) |
439 |
- tgtd (Matthew Ife) |
440 |
- tuned (Miroslav Grepl) |
441 |
- xscreensaver (Corentin Labbe) |
442 |
- |
443 |
-* Thu Jul 30 2009 Chris PeBenito <selinux@××××××.com> - 2.20090730 |
444 |
-- Gentoo fixes for init scripts and system startup. |
445 |
-- Remove read_default_t tunable. |
446 |
-- Greylist milter from Paul Howarth. |
447 |
-- Crack db access for su to handle password expiration, from Brandon Whalen. |
448 |
-- Misc fixes for unix_update from Brandon Whalen. |
449 |
-- Add x_device permissions for XI2 functions, from Eamon Walsh. |
450 |
-- MLS constraints for the x_selection class, from Eamon Walsh. |
451 |
-- Postgresql updates from KaiGai Kohei. |
452 |
-- Milter state directory patch from Paul Howarth. |
453 |
-- Add MLS constrains for ingress/egress and secmark from Paul Moore. |
454 |
-- Drop write permission from fs_read_rpc_sockets(). |
455 |
-- Remove unused udev_runtime_t type. |
456 |
-- Patch for RadSec port from Glen Turner. |
457 |
-- Enable network_peer_controls policy capability from Paul Moore. |
458 |
-- Btrfs xattr support from Paul Moore. |
459 |
-- Add db_procedure install permission from KaiGai Kohei. |
460 |
-- Add support for network interfaces with access controlled by a Boolean |
461 |
- from the CLIP project. |
462 |
-- Several fixes from the CLIP project. |
463 |
-- Add support for labeled Booleans. |
464 |
-- Remove node definitions and change node usage to generic nodes. |
465 |
-- Add kernel_service access vectors, from Stephen Smalley. |
466 |
-- Added modules: |
467 |
- certmaster (Dan Walsh) |
468 |
- cpufreqselector (Dan Walsh) |
469 |
- devicekit (Dan Walsh) |
470 |
- fprintd (Dan Walsh) |
471 |
- git (Dan Walsh) |
472 |
- gpsd (Miroslav Grepl) |
473 |
- guest (Dan Walsh) |
474 |
- ifplugd (Dan Walsh) |
475 |
- lircd (Miroslav Grepl) |
476 |
- logadm (Dan Walsh) |
477 |
- pads (Dan Walsh) |
478 |
- pingd (Dan Walsh) |
479 |
- policykit (Dan Walsh) |
480 |
- pulseaudio (Dan Walsh) |
481 |
- psad (Dan Walsh) |
482 |
- portreserve (Dan Walsh) |
483 |
- sssd (Dan Walsh) |
484 |
- ulogd (Dan Walsh) |
485 |
- varnishd (Dan Walsh) |
486 |
- webadm (Dan Walsh) |
487 |
- wm (Dan Walsh) |
488 |
- xguest (Dan Walsh) |
489 |
- zosremote (Dan Walsh) |
490 |
- |
491 |
-* Wed Dec 10 2008 Chris PeBenito <selinux@××××××.com> - 2.20081210 |
492 |
-- Fix consistency of audioentropy and iscsi module naming. |
493 |
-- Debian file context fix for xen from Russell Coker. |
494 |
-- Xserver MLS fix from Eamon Walsh. |
495 |
-- Add omapi port for dhcpcd. |
496 |
-- Deprecate per-role templates and rolemap support. |
497 |
-- Implement user-based access control for use as role separations. |
498 |
-- Move shared library calls from individual modules to the domain module. |
499 |
-- Enable open permission checks policy capability. |
500 |
-- Remove hierarchy from portage module as it is not a good example of |
501 |
- hieararchy. |
502 |
-- Remove enableaudit target from modular build as semodule -DB supplants it. |
503 |
-- Added modules: |
504 |
- milter (Paul Howarth) |
505 |
- |
506 |
-* Tue Oct 14 2008 Chris PeBenito <selinux@××××××.com> - 20081014 |
507 |
-- Debian update for NetworkManager/wpa_supplicant from Martin Orr. |
508 |
-- Logrotate and Bind updates from Vaclav Ovsik. |
509 |
-- Init script file and domain support. |
510 |
-- Glibc 2.7 fix from Vaclav Ovsik. |
511 |
-- Samba/winbind update from Mike Edenfield. |
512 |
-- Policy size optimization with a non-security file attribute from James |
513 |
- Carter. |
514 |
-- Database labeled networking update from KaiGai Kohei. |
515 |
-- Several misc changes from the Fedora policy, cherry picked by David |
516 |
- Hardeman. |
517 |
-- Large whitespace fix from Dominick Grift. |
518 |
-- Pam_mount fix for local login from Stefan Schulze Frielinghaus. |
519 |
-- Issuing commands to upstart is over a datagram socket, not the initctl |
520 |
- named pipe. Updated init_telinit() to match. |
521 |
-- Added modules: |
522 |
- cyphesis (Dan Walsh) |
523 |
- memcached (Dan Walsh) |
524 |
- oident (Dominick Grift) |
525 |
- w3c (Dan Walsh) |
526 |
- |
527 |
-* Wed Jul 02 2008 Chris PeBenito <selinux@××××××.com> - 20080702 |
528 |
-- Fix httpd_enable_homedirs to actually provide the access it is supposed to |
529 |
- provide. |
530 |
-- Add unused interface/template parameter metadata in XML. |
531 |
-- Patch to handle postfix data_directory from Vaclav Ovsik. |
532 |
-- SE-Postgresql policy from KaiGai Kohei. |
533 |
-- Patch for X.org dbus support from Martin Orr. |
534 |
-- Patch for labeled networking controls in 2.6.25 from Paul Moore. |
535 |
-- Module loading now requires setsched on kernel threads. |
536 |
-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik. |
537 |
-- X application data class from Eamon Walsh and Ted Toth. |
538 |
-- Move user roles into individual modules. |
539 |
-- Make hald_log_t a log file. |
540 |
-- Cryptsetup runs shell scripts. Patch from Martin Orr. |
541 |
-- Add file for enabling policy capabilities. |
542 |
-- Patch to fix leaky interface/template call depth calculator from Vaclav |
543 |
- Ovsik. |
544 |
-- Added modules: |
545 |
- kerneloops (Dan Walsh) |
546 |
- kismet (Dan Walsh) |
547 |
- podsleuth (Dan Walsh) |
548 |
- prelude (Dan Walsh) |
549 |
- qemu (Dan Walsh) |
550 |
- virt (Dan Walsh) |
551 |
- |
552 |
-* Wed Apr 02 2008 Chris PeBenito <selinux@××××××.com> - 20080402 |
553 |
-- Add core Security Enhanced X Windows support. |
554 |
-- Fix winbind socket connection interface for default location of the |
555 |
- sock_file. |
556 |
-- Add wireshark module based on ethereal module. |
557 |
-- Revise upstart support in init module to use a tunable, as upstart is now |
558 |
- used in Fedora too. |
559 |
-- Add iferror.m4 rather generate it out of the Makefiles. |
560 |
-- Definitions for open permisson on file and similar objects from Eric |
561 |
- Paris. |
562 |
-- Apt updates for ptys and logs, from Martin Orr. |
563 |
-- RPC update from Vaclav Ovsik. |
564 |
-- Exim updates on Debian from Devin Carrawy. |
565 |
-- Pam and samba updates from Stefan Schulze Frielinghaus. |
566 |
-- Backup update on Debian from Vaclav Ovsik. |
567 |
-- Cracklib update on Debian from Vaclav Ovsik. |
568 |
-- Label /proc/kallsyms with system_map_t. |
569 |
-- 64-bit capabilities from Stephen Smalley. |
570 |
-- Labeled networking peer object class updates. |
571 |
- |
572 |
-* Fri Dec 14 2007 Chris PeBenito <selinux@××××××.com> - 20071214 |
573 |
-- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. |
574 |
-- Improve several tunables descriptions from Dan Walsh. |
575 |
-- Patch to clean up ns switch usage in the policy from Dan Walsh. |
576 |
-- More complete labeled networking infrastructure from KaiGai Kohei. |
577 |
-- Add interface for libselinux constructor, for libselinux-linked |
578 |
- SELinux-enabled programs. |
579 |
-- Patch to restructure user role templates to create restricted user roles |
580 |
- from Dan Walsh. |
581 |
-- Russian man page translations from Andrey Markelov. |
582 |
-- Remove unused types from dbus. |
583 |
-- Add infrastructure for managing all user web content. |
584 |
-- Deprecate some old file and dir permission set macros in favor of the |
585 |
- newer, more consistently-named macros. |
586 |
-- Patch to clean up unescaped periods in several file context entries from |
587 |
- Jan-Frode Myklebust. |
588 |
-- Merge shlib_t into lib_t. |
589 |
-- Merge strict and targeted policies. The policy will now behave like the |
590 |
- strict policy if the unconfined module is not present. If it is, it will |
591 |
- behave like the targeted policy. Added an unconfined role to have a mix |
592 |
- of confined and unconfined users. |
593 |
-- Added modules: |
594 |
- exim (Dan Walsh) |
595 |
- postfixpolicyd (Jan-Frode Myklebust) |
596 |
- |
597 |
-* Fri Sep 28 2007 Chris PeBenito <selinux@××××××.com> - 20070928 |
598 |
-- Add support for setting the unknown permissions handling. |
599 |
-- Fix XML building for external reference builds and headers builds. |
600 |
-- Patch to add missing requirements in userdomain interfaces from Shintaro |
601 |
- Fujiwara. |
602 |
-- Add tcpd_wrapped_domain() for services that use tcp wrappers. |
603 |
-- Update MLS constraints from LSPP evaluated policy. |
604 |
-- Allow initrc_t file descriptors to be inherited regardless of MLS level. |
605 |
- Accordingly drop MLS permissions from daemons that inherit from any level. |
606 |
-- Files and radvd updates from Stefan Schulze Frielinghaus. |
607 |
-- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with |
608 |
- mls_write_all_levels() and mls_read_all_levels(), for consistency. |
609 |
-- Add make kernel and init ranged interfaces pass the range transition MLS |
610 |
- constraints. Also remove calls to mls_rangetrans_target() in modules that use |
611 |
- the kernel and init interfaces, since its redundant. |
612 |
-- Add interfaces for all MLS attributes except X object classes. |
613 |
-- Require all sensitivities and categories for MLS and MCS policies, not just |
614 |
- the low and high sensitivity and category. |
615 |
-- Database userspace object manager classes from KaiGai Kohei. |
616 |
-- Add third-party interface for Apache CGI. |
617 |
-- Add getserv and shmemserv nscd permissions. |
618 |
-- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. |
619 |
-- Added modules: |
620 |
- application |
621 |
- awstats (Stefan Schulze Frielinghaus) |
622 |
- bitlbee (Devin Carraway) |
623 |
- brctl (Dan Walsh) |
624 |
- |
625 |
-* Fri Jun 29 2007 Chris PeBenito <selinux@××××××.com> - 20070629 |
626 |
-- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the |
627 |
- libraries module. |
628 |
-- Unified labeled networking policy from Paul Moore. |
629 |
-- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. |
630 |
-- Xen updates from Dan Walsh. |
631 |
-- Filesystem updates from Dan Walsh. |
632 |
-- Large samba update from Dan Walsh. |
633 |
-- Drop snmpd_etc_t. |
634 |
-- Confine sendmail and logrotate on targeted. |
635 |
-- Tunable connection to postgresql for users from KaiGai Kohei. |
636 |
-- Memprotect support patch from Stephen Smalley. |
637 |
-- Add logging_send_audit_msgs() interface and deprecate |
638 |
- send_audit_msgs_pattern(). |
639 |
-- Openct updates patch from Dan Walsh. |
640 |
-- Merge restorecon into setfiles. |
641 |
-- Patch to begin separating out hald helper programs from Dan Walsh. |
642 |
-- Fixes for squid, dovecot, and snmp from Dan Walsh. |
643 |
-- Miscellaneous consolekit fixes from Dan Walsh. |
644 |
-- Patch to have avahi use the nsswitch interface rather than individual |
645 |
- permissions from Dan Walsh. |
646 |
-- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. |
647 |
-- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes |
648 |
- to handle usage from userhelper from Dan Walsh. |
649 |
-- Patch to allow amavis to read spamassassin libraries from Dan Walsh. |
650 |
-- Patch to allow slocate to getattr other filesystems and directories on those |
651 |
- filesystems from Dan Walsh. |
652 |
-- Fixes for RHEL4 from the CLIP project. |
653 |
-- Replace the old lrrd fc entries with munin ones. |
654 |
-- Move program admin template usage out of userdom_admin_user_template() to |
655 |
- sysadm policy in userdomain.te to fix usage of the template for third |
656 |
- parties. |
657 |
-- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a |
658 |
- template instead of an interface. |
659 |
-- Added modules: |
660 |
- amtu (Dan Walsh) |
661 |
- apcupsd (Dan Walsh) |
662 |
- rpcbind (Dan Walsh) |
663 |
- rwho (Nalin Dahyabhai) |
664 |
- |
665 |
-* Tue Apr 17 2007 Chris PeBenito <selinux@××××××.com> - 20070417 |
666 |
-- Patch for sasl's use of kerberos from Dan Walsh. |
667 |
-- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh. |
668 |
-- Man page updates from Dan Walsh. |
669 |
-- Two patches from Paul Moore to for ipsec to remove redundant rules and |
670 |
- have setkey read the config file. |
671 |
-- Move booleans and tunables to modules when it is only used in a single |
672 |
- module. |
673 |
-- Add support for tunables and booleans local to a module. |
674 |
-- Merge sbin_t and ls_exec_t into bin_t. |
675 |
-- Remove disable_trans booleans. |
676 |
-- Output different header sets for kernel and userland from flask headers. |
677 |
-- Marked the pax class as deprecated, changed it to userland so |
678 |
- it will be removed from the kernel. |
679 |
-- Stop including netfilter contexts by default. |
680 |
-- Add dontaudits for init fds and console to init_daemon_domain(). |
681 |
-- Patch to allow gpg to create user keys dir. |
682 |
-- Patch to support kvmfs from Dan Walsh. |
683 |
-- Patch for misc fixes in sudo from Dan Walsh. |
684 |
-- Patch to fix netlabel recvfrom MLS constraint from Paul Moore. |
685 |
-- Patch for handling restart of nscd when ran from useradd, groupadd, and |
686 |
- admin passwd, from Dan Walsh. |
687 |
-- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh. |
688 |
-- Patch for setroubleshoot for validating file contexts from Dan Walsh. |
689 |
-- Patch for gssd fixes from Dan Walsh. |
690 |
-- Patch for lvm fixes from Dan Walsh. |
691 |
-- Patch for ricci fixes from Dan Walsh. |
692 |
-- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh. |
693 |
-- Patch for kerberized telnet fixes from Dan Walsh. |
694 |
-- Patch for kerberized ftp and other ftp fixes from Dan Walsh. |
695 |
-- Patch for an additional wine executable from Dan Walsh. |
696 |
-- Eight patches for file contexts in games, wine, networkmanager, miscfiles, |
697 |
- corecommands, devices, and java from Dan Walsh. |
698 |
-- Add support for libselinux 2.0.5 init_selinuxmnt() changes. |
699 |
-- Patch for misc fixes to bluetooth from Dan Walsh. |
700 |
-- Patch for misc fixes to kerberos from Dan Walsh. |
701 |
-- Patch to start deprecating usercanread attribute from Ryan Bradetich. |
702 |
-- Add dccp_socket object class which was added in kernel 2.6.20. |
703 |
-- Patch for prelink relabefrom it's temp files from Dan Walsh. |
704 |
-- Patch for capability fix for auditd and networking fix for syslogd from |
705 |
- Dan Walsh. |
706 |
-- Patch to remove redundant mls_trusted_object() call from Dan Walsh. |
707 |
-- Patch for misc fixes to nis ypxfr policy from Dan Walsh. |
708 |
-- Patch to allow apmd to telinit from Dan Walsh. |
709 |
-- Patch for additional labeling of samba files from Stefan Schulze |
710 |
- Frielinghaus. |
711 |
-- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. |
712 |
-- Fix ptys and ttys to be device nodes. |
713 |
-- Fix explicit use of httpd_t in openca_domtrans(). |
714 |
-- Clean up file context regexes in apache and java, from Eamon Walsh. |
715 |
-- Patches from Dan Walsh: |
716 |
- Thu, 25 Jan 2007 |
717 |
-- Added modules: |
718 |
- consolekit (Dan Walsh) |
719 |
- fail2ban (Dan Walsh) |
720 |
- zabbix (Dan Walsh) |
721 |
- |
722 |
-* Tue Dec 12 2006 Chris PeBenito <selinux@××××××.com> - 20061212 |
723 |
-- Add policy patterns support macros. This changes the behavior of |
724 |
- the create_dir_perms and create_file_perms permission sets. |
725 |
-- Association polmatch MLS constraint making unlabeled_t an exception |
726 |
- is no longer needed, patch from Venkat Yekkirala. |
727 |
-- Context contains checking for PAM and cron from James Antill. |
728 |
-- Add a reload target to Modules.devel and change the load |
729 |
- target to only insert modules that were changed. |
730 |
-- Allow semanage to read from /root on strict non-MLS for |
731 |
- local policy modules. |
732 |
-- Gentoo init script fixes for udev. |
733 |
-- Allow udev to read kernel modules.inputmap. |
734 |
-- Dnsmasq fixes from testing. |
735 |
-- Allow kernel NFS server to getattr filesystems so df can work |
736 |
- on clients. |
737 |
-- Patch from Matt Anderson for a MLS constraint exemption on a |
738 |
- file that can be written to from a subject whose range is |
739 |
- within the object's range. |
740 |
-- Enhanced setransd support from Darrel Goeddel. |
741 |
-- Patches from Dan Walsh: |
742 |
- Tue, 24 Oct 2006 |
743 |
- Wed, 29 Nov 2006 |
744 |
-- Added modules: |
745 |
- aide (Matt Anderson) |
746 |
- ccs (Dan Walsh) |
747 |
- iscsi (Dan Walsh) |
748 |
- ricci (Dan Walsh) |
749 |
- |
750 |
-* Wed Oct 18 2006 Chris PeBenito <selinux@××××××.com> - 20061018 |
751 |
-- Patch from Russell Coker Thu, 5 Oct 2006 |
752 |
-- Move range transitions to modules. |
753 |
-- Make number of MLS sensitivities, and number of MLS and MCS |
754 |
- categories configurable as build options. |
755 |
-- Add role infrastructure. |
756 |
-- Debian updates from Erich Schubert. |
757 |
-- Add nscd_socket_use() to auth_use_nsswitch(). |
758 |
-- Remove old selopt rules. |
759 |
-- Full support for netfilter_contexts. |
760 |
-- MRTG patch for daemon operation from Stefan. |
761 |
-- Add authlogin interface to abstract common access for login programs. |
762 |
-- Remove setbool auditallow, except for RHEL4. |
763 |
-- Change eventpollfs to task SID labeling. |
764 |
-- Add key support from Michael LeMay. |
765 |
-- Add ftpdctl domain to ftp, from Paul Howarth. |
766 |
-- Fix build system to not move type declarations out of optionals. |
767 |
-- Add gcc-config domain to portage. |
768 |
-- Add packet object class and support in corenetwork. |
769 |
-- Add a copy of genhomedircon for monolithic policy building, so that a |
770 |
- policycoreutils package update is not required for RHEL4 systems. |
771 |
-- Add appletalk sockets for use in cups. |
772 |
-- Add Make target to validate module linking. |
773 |
-- Make duplicate template and interface declarations a fatal error. |
774 |
-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert. |
775 |
-- Move xconsole_device_t from devices to xserver since it is |
776 |
- not actually a device, it is a named pipe. |
777 |
-- Handle nonexistant .fc and .if files in devel Makefile by |
778 |
- automatically creating empty files. |
779 |
-- Remove unused devfs_control_t. |
780 |
-- Add rhel4 distro, which also implies redhat distro. |
781 |
-- Remove unneeded range_transition for su_exec_t and move the |
782 |
- type declaration back to the su module. |
783 |
-- Constrain transitions in MCS so unconfined_t cannot have |
784 |
- arbitrary category sets. |
785 |
-- Change reiserfs from xattr filesystem to genfscon as it's xattrs |
786 |
- are currently nonfunctional. |
787 |
-- Change files and filesystem modules to use their own interfaces. |
788 |
-- Add user fonts to xserver. |
789 |
-- Additional interfaces in corecommands, miscfiles, and userdomain |
790 |
- from Joy Latten. |
791 |
-- Miscellaneous fixes from Thomas Bleher. |
792 |
-- Deprecate module name as first parameter of optional_policy() |
793 |
- now that optionals are allowed everywhere. |
794 |
-- Enable optional blocks in base module and monolithic policy. |
795 |
- This requires checkpolicy 1.30.1. |
796 |
-- Fix vpn module declaration. |
797 |
-- Numerous fixes from Dan Walsh. |
798 |
-- Change build order to preserve m4 line number information so policy |
799 |
- compile errors are useful again. |
800 |
-- Additional MLS interfaces from Chad Hanson. |
801 |
-- Move some rules out of domain_type() and domain_base_type() |
802 |
- to the TE file, to use the domain attribute to take advantage |
803 |
- of space savings from attribute use. |
804 |
-- Add global stack smashing protector rule for urandom access from |
805 |
- Petre Rodan. |
806 |
-- Fix temporary rules at the bottom of portmap. |
807 |
-- Updated comments in mls file from Chad Hanson. |
808 |
-- Patches from Dan Walsh: |
809 |
- Fri, 17 Mar 2006 |
810 |
- Wed, 29 Mar 2006 |
811 |
- Tue, 11 Apr 2006 |
812 |
- Fri, 14 Apr 2006 |
813 |
- Tue, 18 Apr 2006 |
814 |
- Thu, 20 Apr 2006 |
815 |
- Tue, 02 May 2006 |
816 |
- Mon, 15 May 2006 |
817 |
- Thu, 18 May 2006 |
818 |
- Tue, 06 Jun 2006 |
819 |
- Mon, 12 Jun 2006 |
820 |
- Tue, 20 Jun 2006 |
821 |
- Wed, 26 Jul 2006 |
822 |
- Wed, 23 Aug 2006 |
823 |
- Thu, 31 Aug 2006 |
824 |
- Fri, 01 Sep 2006 |
825 |
- Tue, 05 Sep 2006 |
826 |
- Wed, 20 Sep 2006 |
827 |
- Fri, 22 Sep 2006 |
828 |
- Mon, 25 Sep 2006 |
829 |
-- Added modules: |
830 |
- afs |
831 |
- amavis (Erich Schubert) |
832 |
- apt (Erich Schubert) |
833 |
- asterisk |
834 |
- audioentropy |
835 |
- authbind |
836 |
- backup |
837 |
- calamaris |
838 |
- cipe |
839 |
- clamav (Erich Schubert) |
840 |
- clockspeed (Petre Rodan) |
841 |
- courier |
842 |
- dante |
843 |
- dcc |
844 |
- ddclient |
845 |
- dpkg (Erich Schubert) |
846 |
- dnsmasq |
847 |
- ethereal |
848 |
- evolution |
849 |
- games |
850 |
- gatekeeper |
851 |
- gift |
852 |
- gnome (James Carter) |
853 |
- imaze |
854 |
- ircd |
855 |
- jabber |
856 |
- monop |
857 |
- mozilla |
858 |
- mplayer |
859 |
- munin |
860 |
- nagios |
861 |
- nessus |
862 |
- netlabel (Paul Moore) |
863 |
- nsd |
864 |
- ntop |
865 |
- nx |
866 |
- oav |
867 |
- oddjob (Dan Walsh) |
868 |
- openca |
869 |
- openvpn (Petre Rodan) |
870 |
- perdition |
871 |
- portslave |
872 |
- postgrey |
873 |
- pxe |
874 |
- pyzor (Dan Walsh) |
875 |
- qmail (Petre Rodan) |
876 |
- razor |
877 |
- resmgr |
878 |
- rhgb |
879 |
- rssh |
880 |
- snort |
881 |
- soundserver |
882 |
- speedtouch |
883 |
- sxid |
884 |
- thunderbird |
885 |
- tor (Erich Schubert) |
886 |
- transproxy |
887 |
- tripwire |
888 |
- uptime |
889 |
- uwimap |
890 |
- vmware |
891 |
- watchdog |
892 |
- xen (Dan Walsh) |
893 |
- xprint |
894 |
- yam |
895 |
- |
896 |
-* Tue Mar 07 2006 Chris PeBenito <selinux@××××××.com> - 20060307 |
897 |
-- Make all interface parameters required. |
898 |
-- Move boot_t, system_map_t, and modules_object_t to files module, |
899 |
- and move bootloader to admin layer. |
900 |
-- Add semanage policy for semodule from Dan Walsh. |
901 |
-- Remove allow_execmem from targeted policy domain_base_type(). |
902 |
-- Add users_extra and seusers support. |
903 |
-- Postfix fixes from Serge Hallyn. |
904 |
-- Run python and shell directly to interpret scripts so policy |
905 |
- sources need not be executable. |
906 |
-- Add desc tag XML to booleans and tunables, and add summary |
907 |
- to param XML tag, to make future translations possible. |
908 |
-- Remove unused lvm_vg_t. |
909 |
-- Many interface renames to improve naming consistency. |
910 |
-- Merge xdm into xserver. |
911 |
-- Remove kernel module reversed interfaces. |
912 |
-- Add filename attribute to module XML tag and lineno attribute to |
913 |
- interface XML tag. |
914 |
-- Changed QUIET build option to a yes or no option. |
915 |
-- Add a Makefile used for compiling loadable modules in a |
916 |
- user's development environment, building against policy headers. |
917 |
-- Add Make target for installing policy headers. |
918 |
-- Separate per-userdomain template expansion from the userdomain |
919 |
- module and add infrastructure to expand templates in the modules |
920 |
- that own the template. |
921 |
-- Enable secadm only for MLS policies. |
922 |
-- Remove role change rules in su and sudo since this functionality has been |
923 |
- removed from these programs. |
924 |
-- Add ctags Make target from Thomas Bleher. |
925 |
-- Collapse commands with grep piped to sed into one sed command. |
926 |
-- Fix type_change bug in term_user_pty(). |
927 |
-- Move ice_tmp_t from miscfiles to xserver. |
928 |
-- Login fixes from Serge Hallyn. |
929 |
-- Move xserver_log_t from xdm to xserver. |
930 |
-- Add lpr per-userdomain policy to lpd. |
931 |
-- Miscellaneous fixes from Dan Walsh. |
932 |
-- Change initrc_var_run_t interface noun from script_pid to utmp, |
933 |
- for greater clarity. |
934 |
-- Added modules: |
935 |
- certwatch |
936 |
- mono (Dan Walsh) |
937 |
- mrtg |
938 |
- portage |
939 |
- tvtime |
940 |
- userhelper |
941 |
- usernetctl |
942 |
- wine (Dan Walsh) |
943 |
- xserver |
944 |
- |
945 |
-* Tue Jan 17 2006 Chris PeBenito <selinux@××××××.com> - 20060117 |
946 |
-- Adds support for generating corenetwork interfaces based on attributes |
947 |
- in addition to types. |
948 |
-- Permits the listing of multiple nodes in a network_node() that will be |
949 |
- given the same type. |
950 |
-- Add two new permission sets for stream sockets. |
951 |
-- Rename file type transition interfaces verb from create to |
952 |
- filetrans to differentiate it from create interfaces without |
953 |
- type transitions. |
954 |
-- Fix expansion of interfaces from disabled modules. |
955 |
-- Rsync can be long running from init, |
956 |
- added rules to allow this. |
957 |
-- Add polyinstantiation build option. |
958 |
-- Add setcontext to the association object class. |
959 |
-- Add apache relay and db connect tunables. |
960 |
-- Rename texrel_shlib_t to textrel_shlib_t. |
961 |
-- Add swat to samba module. |
962 |
-- Numerous miscellaneous fixes from Dan Walsh. |
963 |
-- Added modules: |
964 |
- alsa |
965 |
- automount |
966 |
- cdrecord |
967 |
- daemontools (Petre Rodan) |
968 |
- ddcprobe |
969 |
- djbdns (Petre Rodan) |
970 |
- fetchmail |
971 |
- irc |
972 |
- java |
973 |
- lockdev |
974 |
- logwatch (Dan Walsh) |
975 |
- openct |
976 |
- prelink (Dan Walsh) |
977 |
- publicfile (Petre Rodan) |
978 |
- readahead |
979 |
- roundup |
980 |
- screen |
981 |
- slocate (Dan Walsh) |
982 |
- slrnpull |
983 |
- smartmon |
984 |
- sysstat |
985 |
- ucspitcp (Petre Rodan) |
986 |
- usbmodules |
987 |
- vbetool (Dan Walsh) |
988 |
- |
989 |
-* Wed Dec 07 2005 Chris PeBenito <selinux@××××××.com> - 20051207 |
990 |
-- Add unlabeled IPSEC association rule to domains with |
991 |
- networking permissions. |
992 |
-- Merge systemuser back in to users, as these files |
993 |
- do not need to be split. |
994 |
-- Add check for duplicate interface/template definitions. |
995 |
-- Move domain, files, and corecommands modules to kernel |
996 |
- layer to resolve some layering inconsistencies. |
997 |
-- Move policy build options out of Makefile into build.conf. |
998 |
-- Add yppasswd to nis module. |
999 |
-- Change optional_policy() to refer to the module name |
1000 |
- rather than modulename.te. |
1001 |
-- Fix labeling targets to use installed file_contexts rather |
1002 |
- than partial file_contexts in the policy source directory. |
1003 |
-- Fix build process to use make's internal vpath functions |
1004 |
- to detect modules rather than using subshells and find. |
1005 |
-- Add install target for modular policy. |
1006 |
-- Add load target for modular policy. |
1007 |
-- Add appconfig dependency to the load target. |
1008 |
-- Miscellaneous fixes from Dan Walsh. |
1009 |
-- Fix corenetwork gen_context()'s to expand during the policy |
1010 |
- build phase instead of during the generation phase. |
1011 |
-- Added policies: |
1012 |
- amanda |
1013 |
- avahi |
1014 |
- canna |
1015 |
- cyrus |
1016 |
- dbskk |
1017 |
- dovecot |
1018 |
- distcc |
1019 |
- i18n_input |
1020 |
- irqbalance |
1021 |
- lpd |
1022 |
- networkmanager |
1023 |
- pegasus |
1024 |
- postfix |
1025 |
- procmail |
1026 |
- radius |
1027 |
- rdisc |
1028 |
- rpc |
1029 |
- spamassassin |
1030 |
- timidity |
1031 |
- xdm |
1032 |
- xfs |
1033 |
- |
1034 |
-* Wed Oct 19 2005 Chris PeBenito <selinux@××××××.com> - 20051019 |
1035 |
-- Many fixes to make loadable modules build. |
1036 |
-- Add targets for sechecker. |
1037 |
-- Updated to sedoctool to read bool files and tunable |
1038 |
- files separately. |
1039 |
-- Changed the xml tag of <boolean> to <bool> to be consistent |
1040 |
- with gen_bool(). |
1041 |
-- Modified the implementation of segenxml to use regular |
1042 |
- expressions. |
1043 |
-- Rename context_template() to gen_context() to clarify |
1044 |
- that its not a Reference Policy template, but a support |
1045 |
- macro. |
1046 |
-- Add disable_*_trans bool support for targeted policy. |
1047 |
-- Add MLS module to handle MLS constraint exceptions, |
1048 |
- such as reading up and writing down. |
1049 |
-- Fix errors uncovered by sediff. |
1050 |
-- Added policies: |
1051 |
- anaconda |
1052 |
- apache |
1053 |
- apm |
1054 |
- arpwatch |
1055 |
- bluetooth |
1056 |
- dmidecode |
1057 |
- finger |
1058 |
- ftp |
1059 |
- kudzu |
1060 |
- mailman |
1061 |
- ppp |
1062 |
- radvd |
1063 |
- sasl |
1064 |
- webalizer |
1065 |
- |
1066 |
-* Thu Sep 22 2005 Chris PeBenito <selinux@××××××.com> - 20050922 |
1067 |
-- Make logrotate, sendmail, sshd, and rpm policies |
1068 |
- unconfined in the targeted policy so no special |
1069 |
- modules.conf is required. |
1070 |
-- Add experimental MCS support. |
1071 |
-- Add appconfig for MLS. |
1072 |
-- Add equivalents for old can_resolve(), can_ldap(), and |
1073 |
- can_portmap() to sysnetwork. |
1074 |
-- Fix base module compile issues. |
1075 |
-- Added policies: |
1076 |
- cpucontrol |
1077 |
- cvs |
1078 |
- ktalk |
1079 |
- portmap |
1080 |
- postgresql |
1081 |
- rlogin |
1082 |
- samba |
1083 |
- snmp |
1084 |
- stunnel |
1085 |
- telnet |
1086 |
- tftp |
1087 |
- uucp |
1088 |
- vpn |
1089 |
- zebra |
1090 |
- |
1091 |
-* Wed Sep 07 2005 Chris PeBenito <selinux@××××××.com> - 20050907 |
1092 |
-- Fix errors uncovered by sediff. |
1093 |
-- Doc tool will explicitly say a module does not have interfaces |
1094 |
- or templates on the module page. |
1095 |
-- Added policies: |
1096 |
- comsat |
1097 |
- dbus |
1098 |
- dhcp |
1099 |
- dictd |
1100 |
- hal |
1101 |
- inn |
1102 |
- ntp |
1103 |
- squid |
1104 |
- |
1105 |
-* Fri Aug 26 2005 Chris PeBenito <selinux@××××××.com> - 20050826 |
1106 |
-- Add Makefile support for building loadable modules. |
1107 |
-- Add genclassperms.py tool to add require blocks |
1108 |
- for loadable modules. |
1109 |
-- Change sedoctool to make required modules part of base |
1110 |
- by default, otherwise make as modules, in modules.conf. |
1111 |
-- Fix segenxml to handle modules with no interfaces. |
1112 |
-- Rename ipsec connect interface for consistency. |
1113 |
-- Add missing parts of unix stream socket connect interface |
1114 |
- of ipsec. |
1115 |
-- Rename inetd connect interface for consistency. |
1116 |
-- Rename interface for purging contents of tmp, for clarity, |
1117 |
- since it allows deletion of classes other than file. |
1118 |
-- Misc. cleanups. |
1119 |
-- Added policies: |
1120 |
- acct |
1121 |
- bind |
1122 |
- firstboot |
1123 |
- gpm |
1124 |
- howl |
1125 |
- ldap |
1126 |
- loadkeys |
1127 |
- mysql |
1128 |
- privoxy |
1129 |
- quota |
1130 |
- rshd |
1131 |
- rsync |
1132 |
- su |
1133 |
- sudo |
1134 |
- tcpd |
1135 |
- tmpreaper |
1136 |
- updfstab |
1137 |
- |
1138 |
-* Tue Aug 2 2005 Chris PeBenito <selinux@××××××.com> - 20050802 |
1139 |
-- Fix comparison bug in fc_sort. |
1140 |
-- Fix handling of ordered and unordered HTML lists. |
1141 |
-- Corenetwork now supports multiple network interfaces having the |
1142 |
- same type. |
1143 |
-- Doc tool now creates pages for global Booleans and global tunables. |
1144 |
-- Doc tool now links directly to the interface/template in the |
1145 |
- module page when it is selected in the interface/template index. |
1146 |
-- Added support for layer summaries. |
1147 |
-- Added policies: |
1148 |
- ipsec |
1149 |
- nscd |
1150 |
- pcmcia |
1151 |
- raid |
1152 |
- |
1153 |
-* Thu Jul 7 2005 Chris PeBenito <selinux@××××××.com> - 20050707 |
1154 |
-- Changed xml to have modules encapsulated by layer tags, rather |
1155 |
- than putting layer="foo" in the module tags. Also in the future |
1156 |
- we can put a summary and description for each layer. |
1157 |
-- Added tool to infer interface, module, and layer tags. This will |
1158 |
- now list all interfaces, even if they are missing xml docs. |
1159 |
-- Shortened xml tag names. |
1160 |
-- Added macros to declare interfaces and templates. |
1161 |
-- Added interface call trace. |
1162 |
-- Updated all xml documentation for shorter and inferred tags. |
1163 |
-- Doc tool now displays templates in the web pages. |
1164 |
-- Doc tool retains the user's settings in modules.conf and |
1165 |
- tunables.conf if the files already exist. |
1166 |
-- Modules.conf behavior has been changed to be a list of all |
1167 |
- available modules, and the user can specify if the module is |
1168 |
- built as a loadable module, included in the monolithic policy, |
1169 |
- or excluded. |
1170 |
-- Added policies: |
1171 |
- fstools (fsck, mkfs, swapon, etc. tools) |
1172 |
- logrotate |
1173 |
- inetd |
1174 |
- kerberos |
1175 |
- nis (ypbind and ypserv) |
1176 |
- ssh (server, client, and agent) |
1177 |
- unconfined |
1178 |
-- Added infrastructure for targeted policy support, only missing |
1179 |
- transition boolean support. |
1180 |
- |
1181 |
-* Wed Jun 15 2005 Chris PeBenito <selinux@××××××.com> - 20050615 |
1182 |
- - Initial release |
1183 |
|
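Review bot: the removals running down to the 20050615 initial-release entry take interface deprecation notices out of Changelog (for example mls_file_write_down() and mls_file_read_up() replaced by mls_write_all_levels() and mls_read_all_levels(), and send_audit_msgs_pattern() replaced by logging_send_audit_msgs()), while the commit message is a single subject line that names neither Changelog.old nor the new log format. Suggest adding a commit body that says the history now lives in Changelog.old and what the new format is, so that someone tracing a deprecated interface knows where to look.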
1184 |
diff --git a/Changelog b/Changelog.old |
1185 |
similarity index 99% |
1186 |
copy from Changelog |
1187 |
copy to Changelog.old |
1188 |
index 0090893..672e632 100644 |
1189 |
--- a/Changelog |
1190 |
+++ b/Changelog.old |
1191 |
@@ -1,3 +1,7 @@ |
1192 |
+- Mcelog update from Guido Trentalancia. |
1193 |
+- Added contrib modules: |
1194 |
+ bird (Dominick Grift) |
1195 |
+ |
1196 |
* Wed Jul 25 2012 Chris PeBenito <selinux@××××××.com> - 2.20120725 |
1197 |
- Rename epollwakeup capability2 permission to block_suspend to match the |
1198 |
corresponding kernel capability rename. |
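Review bot: the four added lines at the top of Changelog.old (the Mcelog update and the bird contrib module) sit above the "* Wed Jul 25 2012 ... - 2.20120725" header with no date or version header of their own, so in the archive they belong to no release. They also make the archive differ from the old Changelog (git reports "similarity index 99%"), although the commit message describes only an archive. Suggest either giving them a header line that marks them as changes made after 2.20120725, or keeping the copy verbatim and adding these entries in a separate commit.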