Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Wed, 01 May 2013 18:23:19
Message-Id: 1367432123.f71f05b9435fb78d1b6929d2d146e8381d8f4da6.SwifT@gentoo
1 commit: f71f05b9435fb78d1b6929d2d146e8381d8f4da6
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed May 1 18:15:23 2013 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed May 1 18:15:23 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f71f05b9
7
8 Archive old Changelog for log format change
9
10 ---
11 Changelog | 1162 ++++++++------------------------------------
12 Changelog => Changelog.old | 4 +
13 2 files changed, 219 insertions(+), 947 deletions(-)
14
15 diff --git a/Changelog b/Changelog
16 index 0090893..5fcca55 100644
17 --- a/Changelog
18 +++ b/Changelog
19 @@ -1,948 +1,216 @@
20 -* Wed Jul 25 2012 Chris PeBenito <selinux@××××××.com> - 2.20120725
21 -- Rename epollwakeup capability2 permission to block_suspend to match the
22 - corresponding kernel capability rename.
23 -- Udev and init changes to support /run, from Sven Vermeulen.
24 -- auth_use_nsswitch updates from Miroslav Grepl.
25 -- Mount runtime files fix from Guido Trentalancia.
26 -- Update Python scripts to support Python 3, from Sven Vermeulen.
27 -- Update capability2 object class for new wake_alarm and epollwakeup
28 - capabilities.
29 -- SEPostgresql updates from Kohei KaiGai.
30 -- Simplify file contexts based on file context path substitutions, from Sven
31 - Vermeulen.
32 -- Add optional name for kernel and system filetrans interfaces.
33 -- Non-auth file attribute to eliminate set expressions, from James Carter.
34 -- Virt updates from Sven Vermeulen.
35 -- Various dontaudits from Sven Vermeulen.
36 -- Fix base module and monolithic role declaration ordering issue now that
37 - role declarations must be explicit, from Harry Ciao.
38 -- Added contrib modules:
39 - bacula (Stan Sander/Sven Vermeulen)
40 - bcfg2 (Miroslav Grepl)
41 - blueman (Miroslav Grepl)
42 +* Wed Apr 24 2013 Chris PeBenito <selinux@××××××.com> - 2.20130424
43 +Chris PeBenito (78):
44 + Mcelog update from Guido Trentalancia.
45 + Add bird contrib module from Dominick Grift.
46 + Minor whitespace fix in udev.fc
47 + Module version bump for udev binary location update from Sven Vermeulen.
48 + clarify the file_contexts.subs_dist configuration file usage from Guido
49 + Trentalancia
50 + Update contrib.
51 + Remove trailing / from paths
52 + Module version bump for fc substitutions optimizations from Sven
53 + Vermeulen.
54 + Update contrib.
55 + Module version bump for /run/dhcpc directory creation by dhcp from Sven
56 + Vermeulen.
57 + Module version bump for fc fixes in devices module from Dominick Grift.
58 + Update contrib.
59 + Module version bump for /dev/mei type and label from Dominick Grift.
60 + Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
61 + Module version bump for lost+found labeling in /var/log from Guido
62 + Trentalancia.
63 + Module version bump for loop-control patch.
64 + Turn off all tunables by default, from Guido Trentalancia.
65 + Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
66 + Module version bump for various changes from Sven Vermeulen.
67 + Module version bump for ports update from Dominick Grift.
68 + Module version bump for Debian file context updates from Laurent
69 + Bigonville.
70 + Update contrib.
71 + Update contrib.
72 + split kmod fc into two lines.
73 + Module version bump for kmod fc from Laurent Bigonville.
74 + Module version bump for cfengine fc change from Dominick Grift.
75 + Module verision bump for Debian cert file fc update from Laurent
76 + Bigonville.
77 + Module version bump for ipsec net sysctls reading from Miroslav Grepl.
78 + Module version bump for srvloc port definition from Dominick Grift.
79 + Rename cachefiles_dev_t to cachefiles_device_t.
80 + Module version bump for cachefiles core support.
81 + Module version bump for changes from Dominick Grift and Sven Vermeulen.
82 + Module version bump for modutils patch from Dominick Grift.
83 + Module version bump for dhcp6 ports, from Russell Coker.
84 + Rearrange new xserver interfaces.
85 + Rename new xserver interfaces.
86 + Module version bump for xserver interfaces from Dominick Grift.
87 + Move kernel_stream_connect() declaration.
88 + Module version bump for kernel_stream_connect() from Dominick Grift.
89 + Rename logging_search_all_log_dirs to logging_search_all_logs
90 + Module version bump for minor logging and sysnet changes from Sven
91 + Vermeulen.
92 + Module version bump for dovecot libs from Mika Pflueger.
93 + Rearrange interfaces in files, clock, and udev.
94 + Module version bump for interfaces used by virt from Dominick Grift.
95 + Module version bump for arping setcap from Dominick Grift.
96 + Rearrange devices interfaces.
97 + Module version bump/contrib sync.
98 + Rearrange lines.
99 + Module version bump for user home content fixes from Dominick Grift.
100 + Rearrange files interfaces.
101 + Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
102 + Update contrib.
103 + Whitespace fix in miscfiles.fc.
104 + Adjust man cache interface names.
105 + Module version bump for man cache from Dominick Grift.
106 + Module version bump for Debian ssh-keysign location from Laurent
107 + Bigonville.
108 + Module version bump for userdomain portion of XDG updates from Dominick
109 + Grift.
110 + Module version bump for iptables fc entry from Sven Vermeulen and inn log
111 + from Dominick Grift.
112 + Module version bump for logging and tcpdump fixes from Sven Vermeulen.
113 + Move mcs_constrained() impementation.
114 + Module version bump for mcs_constrained from Dominick Grift.
115 + Update contrib.
116 + Module version bump from Debian changes from Laurent Bigonville.
117 + Module version bump for zfs labeling from Matthew Thode.
118 + Module version bump for misc updates from Sven Vermeulen.
119 + Update contrib.
120 + Module version bump for fixes from Dominick Grift.
121 + Module version bump for Debian updates from Laurent Bigonville.
122 + Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
123 + Update contrib
124 + Fix fc_sort.c warning uncovered by recent gcc
125 + Module version bump for chfn fixes from Sven Vermeulen.
126 + Add swapoff fc entry.
127 + Add conntrack fc entry.
128 + Update contrib.
129 + Update contrib
130 + Archive old Changelog for log format change.
131 + Bump module versions for release.
132 +
133 +Dominick Grift (40):
134 + There can be more than a single watchdog interface
135 + Fix a suspected typo
136 + Intel® Active Management Technology
137 + Declare a loop control device node type and label /dev/loop-control
138 + accordingly
139 + Declare port types for ports used by Fedora but use /etc/services for port
140 + names rather than using fedora port names. If /etc/services does not
141 + have a port name for a port used by Fedora, skip for now.
142 + Remove var_log_t file context spec
143 + svrloc port type declaration from slpd policy module
144 + Declare a cachfiles device node type
145 + Implement files_create_all_files_as() for cachefilesd
146 + Restricted Xwindows user domains run windows managers in the windows
147 + managers domain
148 + Declare a cslistener port type for phpfpm
149 + Changes to the sysnetwork policy module
150 + Changes to the userdomain policy module
151 + Changes to the bootloader policy module
152 + Changes to the modutils policy module
153 + Changes to the xserver policy module
154 + Changes to various policy modules
155 + Changes to the kernel policy module
156 + For svirt_lxc_domain
157 + For svirt_lxc_domain
158 + For svirt_lxc_domain
159 + For virtd lxc
160 + For virtd_lxc
161 + For virtd_lxc
162 + For virtd lxc
163 + For virtd lxc
164 + For virtd
165 + Arping needs setcap to cap_set_proc
166 + For virtd
167 + Changes to the user domain policy module
168 + Samhain_admin() now requires a role for the role_transition from $1 to
169 + initrc_t via samhain_initrc_exec_t
170 + Changes to the user domain policy module
171 + Label /var/cache/man with a private man cache type for mandb
172 + Create a attribute user_home_content_type and assign it to all types that
173 + are classified userdom_user_home_content()
174 + These two attribute are unused
175 + System logger creates innd log files with a named file transition
176 + Implement mcs_constrained_type
177 + Changes to the init policy module
178 + Changes to the userdomain policy module
179 + NSCD related changes in various policy modules
180 +
181 +Guido Trentalancia (1):
182 + add lost+found filesystem labels to support NSA security guidelines
183 +
184 +Laurent Bigonville (21):
185 + Add Debian locations for GDM 3
186 + Add Debian location for udisks helpers
187 + Add insmod_exec_t label for kmod executable
188 + Add Debian location for PKI files
189 + Add Debian location for ssh-keysign
190 + Properly label all the ssh host keys
191 + Allow udev_t domain to read files labeled as consolekit_var_run_t
192 + authlogin.if: Add auth_create_pam_console_data_dirs and
193 + auth_pid_filetrans_pam_var_console interfaces
194 + Label /etc/rc.d/init.d/x11-common as xdm_exec_t
195 + Drop /etc/rc.d/init.d/xfree86-common filecontext definition
196 + Label /var/run/shm as tmpfs_t for Debian
197 + Label /var/run/motd.dynamic as initrc_var_run_t
198 + Label /var/run/initctl as initctl_t
199 + udev.if: Call files_search_pid instead of files_search_var_lib in
200 + udev_manage_pid_files
201 + Label executables in /usr/lib/NetworkManager/ as bin_t
202 + Add support for rsyslog
203 + Label var_lock_t as a mountpoint
204 + Add mount_var_run_t type and allow mount_t domain to manage the files and
205 + directories
206 + Add initrc_t to use block_suspend capability
207 + Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
208 + Label nut drivers that are installed in /lib/nut on Debian as bin_t
209 +
210 +Matthew Thode (1):
211 + Implement zfs support
212 +
213 +Mika Pflüger (2):
214 + Debian locations of gvfs and kde4 libexec binaries in /usr/lib
215 + Explicitly label dovecot libraries lib_t for debian
216 +
217 +Miroslav Grepl (1):
218 + Allow ipsec to read kernel sysctl
219 +
220 +Paul Moore (1):
221 + flask: add the attach_queue permission to the tun_socket object class
222 +
223 +Russell Coker (1):
224 + Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
225 + client control
226 +
227 +Sven Vermeulen (27):
228 + New location for udevd binary
229 + Use substititions for /usr/local/lib and /etc/init.d
230 + DHCP client's hooks create /run/dhcpc directory
231 + Introduce init_daemon_run_dir transformation
232 + Use the init_daemon_run_dir interface for udev
233 + Allow initrc_t to create run dirs for core modules
234 + Puppet uses mount output for verification
235 + Allow syslogd to create /var/lib/syslog and
236 + /var/lib/misc/syslog-ng.persist
237 + Gentoo's openrc does not require initrc_exec_t for runscripts anymore
238 + Allow init scripts to read courier configuration
239 + Allow search within postgresql var directory for the stream connect
240 + interface
241 + Introduce logging_getattr_all_logs interface
242 + Introduce logging_search_all_log_dirs interface
243 + Support flushing routing cache
244 + Allow init to set attributes on device_t
245 + Introduce files_manage_all_pids interface
246 + Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
247 + Update files_manage_generic_locks with directory permissions
248 + Run ipset in iptables domain
249 + tcpdump chroots into /var/lib/tcpdump
250 + Remove generic log label for cron location
251 + Postgresql 9.2 connects to its unix stream socket
252 + lvscan creates the /run/lock/lvm directory if nonexisting (v2)
253 + Allow syslogger to manage cron log files (v2)
254 + Allow initrc_t to read stunnel configuration
255 + Introduce exec-check interfaces for passwd binaries and useradd binaries
256 + chfn_t reads in file context information and executes nscd
257
258 -* Wed Feb 15 2012 Chris PeBenito <selinux@××××××.com> - 2.20120215
259 -- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
260 -- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
261 -- Add userdom interfaces for user application domains, user tmp files,
262 - and user tmpfs files.
263 -- Asterisk administration fixes from Sven Vermeulen.
264 -- Fix makefiles to install files with the correct DAC permissions if the
265 - umask is not 022.
266 -- Remove deprecated support macros.
267 -- Remove rolemap and per-role template support.
268 -- Change corenetwork port declaration to apply the reserved port type
269 - attribute only, when the type has ports above and below 1024.
270 -- Change secure_mode_policyload to disable only toggling of this Boolean
271 - rather than disabling all Boolean toggling permissions.
272 -- Use role attributes to assist with domain transitions in interactive
273 - programs.
274 -- Milter ports patch from Paul Howarth.
275 -- Separate portage fetch rules out of portage_run() and portage_domtrans()
276 - from Sven Vermeulen.
277 -- Enhance corenetwork network_port() macro to support ports that do not have
278 - a well defined port number, such as stunnel.
279 -- Opendkim support in dkim module from Paul Howarth.
280 -- Wireshark updates from Sven Vermeulen.
281 -- Change secure_mode_insmod to control sys_module capability rather than
282 - controlling domain transitions to insmod.
283 -- Openrc and portage updates from Sven Vermeulen.
284 -- Allow user and role changes on dynamic transitions with the same
285 - constraints as regular transitions.
286 -- New git service features from Dominick Grift.
287 -- Corenetwork policy size optimization from Dan Walsh.
288 -- Silence spurious udp_socket listen denials.
289 -- Fix unexpanded MLS/MCS fields in monolithic seusers file.
290 -- Type transition fix in Postgresql database objects from KaiGai Kohei.
291 -- Support for file context path substitutions (file_contexts.subs).
292 -- Added contrib modules:
293 - glance (Dan Walsh)
294 - rhsmcertd (Dan Walsh)
295 - sanlock (Dan Walsh)
296 - sblim (Dan Walsh)
297 - uuidd (Dan Walsh)
298 - vdagent (Dan Walsh)
299 -
300 -* Tue Jul 26 2011 Chris PeBenito <selinux@××××××.com> - 2.20110726
301 -- Fix role declarations to handle role attribute compilers.
302 -- Rename audioentropy module to entropyd due to haveged support.
303 -- Add haveged support from Sven Vermeulen.
304 -- Authentication file patch from Matthew Ife.
305 -- Add agent support to zabbix from Sven Vermeulen.
306 -- Cyrus file context update for Gentoo from Corentin Labbe.
307 -- Portage updates from Sven Vermeulen.
308 -- Fix init_system_domain() description, pointed out by Elia Pinto.
309 -- Postgresql selabel_lookup update from KaiGai Kohei.
310 -- Dovecot managesieve support from Mika Pfluger.
311 -- Semicolon after interface/template calls cleanup from Elia Pinto.
312 -- Gentoo courier updates from Sven Vermeulen.
313 -- Amavis patch for connecting to nslcd from Miroslav Grepl.
314 -- Shorewall patch from Miroslav Grepl.
315 -- Cpufreqselector dbus patch from Guido Trentalancia.
316 -- Cron pam_namespace and pam_loginuid support from Harry Ciao.
317 -- Xserver update for startx from Sven Vermeulen.
318 -- Fix MLS constraint for contains permission from Harry Ciao.
319 -- Apache user webpages fix from Dominick Grift.
320 -- Change default build.conf to modular policy from Stephen Smalley.
321 -- Xen refinement patch from Stephen Smalley.
322 -- Sudo timestamp file location update from Sven Vermeulen.
323 -- XServer keyboard event patch from Sven Vermeulen.
324 -- RAID uevent patch from Sven Vermeulen.
325 -- Gentoo ALSA init script usage patch from Sven Vermeulen.
326 -- LVM semaphore usage patch from Sven Vermeulen.
327 -- Module load request patch for insmod from Sven Vermeulen.
328 -- Cron default contexts fix from Harry Ciao.
329 -- Man page fixes from Justin Mattock.
330 -- Add syslog capability.
331 -- Support for logging in to /dev/console, from Harry Ciao.
332 -- Database object class updates and associated SEPostgreSQL changes from
333 - KaiGai Kohei.
334 -- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
335 -- Mount updates from Harry Ciao.
336 -- Semanage update for MLS systems from Harry Ciao.
337 -- Vlock terminal use update from Harry Ciao.
338 -- Hadoop CDH3 updates from Paul Nuzzi.
339 -- Add sepgsql_contexts appconfig files from KaiGai Kohei.
340 -- Added modules:
341 - aiccu
342 - bugzilla (Dan Walsh)
343 - colord (Dan Walsh)
344 - cmirrord (Miroslav Grepl)
345 - mediawiki (Miroslav Grepl)
346 - mpd (Miroslav Grepl)
347 - ncftool
348 - passenger (Miroslav Grepl)
349 - qpid (Dan Walsh)
350 - samhain (Harry Ciao)
351 - telepathy (Dominick Grift)
352 - tcsd (Stephen Smalley)
353 - vnstatd (Dan Walsh)
354 - zarafa (Miroslav Grepl)
355 -
356 -* Mon Dec 13 2010 Chris PeBenito <selinux@××××××.com> - 2.20101213
357 -- Git man page from Dominick Grift.
358 -- Alsa and oident home content cleanup from Dominick Grift.
359 -- Add support for custom build options.
360 -- Unconditional staff and user oidentd home config access from Dominick Grift.
361 -- Conditional mmap_zero support from Dominick Grift.
362 -- Added devtmpfs support.
363 -- Dbadm updates from KaiGai Kohei.
364 -- Virtio disk file context update from Mika Pfluger.
365 -- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
366 -- Add JIT usage for freshclam.
367 -- Remove ethereal module since the application was renamed to wireshark.
368 -- Remove duplicate/redundant rules, from Russell Coker.
369 -- Increased default number of categories to 1024, from Russell Coker.
370 -- Added modules:
371 - accountsd (Dan Walsh)
372 - cgroup (Dominick Grift)
373 - hadoop (Paul Nuzzi)
374 - kdumpgui (Dan Walsh)
375 - livecd (Dan Walsh)
376 - mojomojo (Iain Arnell)
377 - sambagui (Dan Walsh)
378 - shutdown (Dan Walsh)
379 - sosreport (Dan Walsh)
380 - vlock (Harry Ciao)
381 -
382 -* Mon May 24 2010 Chris PeBenito <selinux@××××××.com> - 2.20100524
383 -- Merged a significant portion of Fedora policy.
384 -- Move rules from mta mailserver delivery from interface to .te to use
385 - attributes.
386 -- Remove concept of users from terminal module interfaces since the
387 - attributes are not specific to users.
388 -- Add non-drawing X client support, for consolekit usage.
389 -- Misc Gentoo fixes from Chris Richards.
390 -- AFS and abrt fixes from Dominick Grift.
391 -- Improved the XML docs of 55 most-used interfaces.
392 -- Apcupsd and amavis fixes from Dominick Grift.
393 -- Fix network_port() in corenetwork to correctly handle port ranges.
394 -- SE-Postgresql updates from KaiGai Kohei.
395 -- X object manager revisions from Eamon Walsh.
396 -- Added modules:
397 - aisexec (Dan Walsh)
398 - chronyd (Miroslav Grepl)
399 - cobbler (Dominick Grift)
400 - corosync (Dan Walsh)
401 - dbadm (KaiGai Kohei)
402 - denyhosts (Dan Walsh)
403 - nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
404 - likewise (Scott Salley)
405 - plymouthd (Dan Walsh)
406 - pyicqt (Stefan Schulze Frielinghaus)
407 - rhcs (Dan Walsh)
408 - rgmanager (Dan Walsh)
409 - sectoolm (Miroslav Grepl)
410 - usbmuxd (Dan Walsh)
411 - vhostmd (Dan Walsh)
412 -
413 -* Tue Nov 17 2009 Chris PeBenito <selinux@××××××.com> - 2.20091117
414 -- Add separate x_pointer and x_keyboard classes inheriting from x_device.
415 - From Eamon Walsh.
416 -- Deprecated the userdom_xwindows_client_template().
417 -- Misc Gentoo fixes from Corentin Labbe.
418 -- Debian policykit fixes from Martin Orr.
419 -- Fix unconfined_r use of unconfined_java_t.
420 -- Add missing x_device rules for XI2 functions, from Eamon Walsh.
421 -- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
422 -- Add btrfs and ext4 to labeling targets.
423 -- Fix infrastructure to expand macros in initrc_context when installing.
424 -- Handle unix_chkpwd usage by useradd and groupadd.
425 -- Add missing compatibility aliases for xdm_xserver*_t types.
426 -- Added modules:
427 - abrt (Dan Walsh)
428 - dkim (Stefan Schulze Frielinghaus)
429 - gitosis (Miroslav Grepl)
430 - gnomeclock (Dan Walsh)
431 - hddtemp (Dan Walsh)
432 - kdump (Dan Walsh)
433 - modemmanager(Dan Walsh)
434 - nslcd (Dan Walsh)
435 - puppet (Craig Grube)
436 - rtkit (Dan Walsh)
437 - seunshare (Dan Walsh)
438 - shorewall (Dan Walsh)
439 - tgtd (Matthew Ife)
440 - tuned (Miroslav Grepl)
441 - xscreensaver (Corentin Labbe)
442 -
443 -* Thu Jul 30 2009 Chris PeBenito <selinux@××××××.com> - 2.20090730
444 -- Gentoo fixes for init scripts and system startup.
445 -- Remove read_default_t tunable.
446 -- Greylist milter from Paul Howarth.
447 -- Crack db access for su to handle password expiration, from Brandon Whalen.
448 -- Misc fixes for unix_update from Brandon Whalen.
449 -- Add x_device permissions for XI2 functions, from Eamon Walsh.
450 -- MLS constraints for the x_selection class, from Eamon Walsh.
451 -- Postgresql updates from KaiGai Kohei.
452 -- Milter state directory patch from Paul Howarth.
453 -- Add MLS constrains for ingress/egress and secmark from Paul Moore.
454 -- Drop write permission from fs_read_rpc_sockets().
455 -- Remove unused udev_runtime_t type.
456 -- Patch for RadSec port from Glen Turner.
457 -- Enable network_peer_controls policy capability from Paul Moore.
458 -- Btrfs xattr support from Paul Moore.
459 -- Add db_procedure install permission from KaiGai Kohei.
460 -- Add support for network interfaces with access controlled by a Boolean
461 - from the CLIP project.
462 -- Several fixes from the CLIP project.
463 -- Add support for labeled Booleans.
464 -- Remove node definitions and change node usage to generic nodes.
465 -- Add kernel_service access vectors, from Stephen Smalley.
466 -- Added modules:
467 - certmaster (Dan Walsh)
468 - cpufreqselector (Dan Walsh)
469 - devicekit (Dan Walsh)
470 - fprintd (Dan Walsh)
471 - git (Dan Walsh)
472 - gpsd (Miroslav Grepl)
473 - guest (Dan Walsh)
474 - ifplugd (Dan Walsh)
475 - lircd (Miroslav Grepl)
476 - logadm (Dan Walsh)
477 - pads (Dan Walsh)
478 - pingd (Dan Walsh)
479 - policykit (Dan Walsh)
480 - pulseaudio (Dan Walsh)
481 - psad (Dan Walsh)
482 - portreserve (Dan Walsh)
483 - sssd (Dan Walsh)
484 - ulogd (Dan Walsh)
485 - varnishd (Dan Walsh)
486 - webadm (Dan Walsh)
487 - wm (Dan Walsh)
488 - xguest (Dan Walsh)
489 - zosremote (Dan Walsh)
490 -
491 -* Wed Dec 10 2008 Chris PeBenito <selinux@××××××.com> - 2.20081210
492 -- Fix consistency of audioentropy and iscsi module naming.
493 -- Debian file context fix for xen from Russell Coker.
494 -- Xserver MLS fix from Eamon Walsh.
495 -- Add omapi port for dhcpcd.
496 -- Deprecate per-role templates and rolemap support.
497 -- Implement user-based access control for use as role separations.
498 -- Move shared library calls from individual modules to the domain module.
499 -- Enable open permission checks policy capability.
500 -- Remove hierarchy from portage module as it is not a good example of
501 - hieararchy.
502 -- Remove enableaudit target from modular build as semodule -DB supplants it.
503 -- Added modules:
504 - milter (Paul Howarth)
505 -
506 -* Tue Oct 14 2008 Chris PeBenito <selinux@××××××.com> - 20081014
507 -- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
508 -- Logrotate and Bind updates from Vaclav Ovsik.
509 -- Init script file and domain support.
510 -- Glibc 2.7 fix from Vaclav Ovsik.
511 -- Samba/winbind update from Mike Edenfield.
512 -- Policy size optimization with a non-security file attribute from James
513 - Carter.
514 -- Database labeled networking update from KaiGai Kohei.
515 -- Several misc changes from the Fedora policy, cherry picked by David
516 - Hardeman.
517 -- Large whitespace fix from Dominick Grift.
518 -- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
519 -- Issuing commands to upstart is over a datagram socket, not the initctl
520 - named pipe. Updated init_telinit() to match.
521 -- Added modules:
522 - cyphesis (Dan Walsh)
523 - memcached (Dan Walsh)
524 - oident (Dominick Grift)
525 - w3c (Dan Walsh)
526 -
527 -* Wed Jul 02 2008 Chris PeBenito <selinux@××××××.com> - 20080702
528 -- Fix httpd_enable_homedirs to actually provide the access it is supposed to
529 - provide.
530 -- Add unused interface/template parameter metadata in XML.
531 -- Patch to handle postfix data_directory from Vaclav Ovsik.
532 -- SE-Postgresql policy from KaiGai Kohei.
533 -- Patch for X.org dbus support from Martin Orr.
534 -- Patch for labeled networking controls in 2.6.25 from Paul Moore.
535 -- Module loading now requires setsched on kernel threads.
536 -- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
537 -- X application data class from Eamon Walsh and Ted Toth.
538 -- Move user roles into individual modules.
539 -- Make hald_log_t a log file.
540 -- Cryptsetup runs shell scripts. Patch from Martin Orr.
541 -- Add file for enabling policy capabilities.
542 -- Patch to fix leaky interface/template call depth calculator from Vaclav
543 - Ovsik.
544 -- Added modules:
545 - kerneloops (Dan Walsh)
546 - kismet (Dan Walsh)
547 - podsleuth (Dan Walsh)
548 - prelude (Dan Walsh)
549 - qemu (Dan Walsh)
550 - virt (Dan Walsh)
551 -
552 -* Wed Apr 02 2008 Chris PeBenito <selinux@××××××.com> - 20080402
553 -- Add core Security Enhanced X Windows support.
554 -- Fix winbind socket connection interface for default location of the
555 - sock_file.
556 -- Add wireshark module based on ethereal module.
557 -- Revise upstart support in init module to use a tunable, as upstart is now
558 - used in Fedora too.
559 -- Add iferror.m4 rather generate it out of the Makefiles.
560 -- Definitions for open permisson on file and similar objects from Eric
561 - Paris.
562 -- Apt updates for ptys and logs, from Martin Orr.
563 -- RPC update from Vaclav Ovsik.
564 -- Exim updates on Debian from Devin Carrawy.
565 -- Pam and samba updates from Stefan Schulze Frielinghaus.
566 -- Backup update on Debian from Vaclav Ovsik.
567 -- Cracklib update on Debian from Vaclav Ovsik.
568 -- Label /proc/kallsyms with system_map_t.
569 -- 64-bit capabilities from Stephen Smalley.
570 -- Labeled networking peer object class updates.
571 -
572 -* Fri Dec 14 2007 Chris PeBenito <selinux@××××××.com> - 20071214
573 -- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
574 -- Improve several tunables descriptions from Dan Walsh.
575 -- Patch to clean up ns switch usage in the policy from Dan Walsh.
576 -- More complete labeled networking infrastructure from KaiGai Kohei.
577 -- Add interface for libselinux constructor, for libselinux-linked
578 - SELinux-enabled programs.
579 -- Patch to restructure user role templates to create restricted user roles
580 - from Dan Walsh.
581 -- Russian man page translations from Andrey Markelov.
582 -- Remove unused types from dbus.
583 -- Add infrastructure for managing all user web content.
584 -- Deprecate some old file and dir permission set macros in favor of the
585 - newer, more consistently-named macros.
586 -- Patch to clean up unescaped periods in several file context entries from
587 - Jan-Frode Myklebust.
588 -- Merge shlib_t into lib_t.
589 -- Merge strict and targeted policies. The policy will now behave like the
590 - strict policy if the unconfined module is not present. If it is, it will
591 - behave like the targeted policy. Added an unconfined role to have a mix
592 - of confined and unconfined users.
593 -- Added modules:
594 - exim (Dan Walsh)
595 - postfixpolicyd (Jan-Frode Myklebust)
596 -
597 -* Fri Sep 28 2007 Chris PeBenito <selinux@××××××.com> - 20070928
598 -- Add support for setting the unknown permissions handling.
599 -- Fix XML building for external reference builds and headers builds.
600 -- Patch to add missing requirements in userdomain interfaces from Shintaro
601 - Fujiwara.
602 -- Add tcpd_wrapped_domain() for services that use tcp wrappers.
603 -- Update MLS constraints from LSPP evaluated policy.
604 -- Allow initrc_t file descriptors to be inherited regardless of MLS level.
605 - Accordingly drop MLS permissions from daemons that inherit from any level.
606 -- Files and radvd updates from Stefan Schulze Frielinghaus.
607 -- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
608 - mls_write_all_levels() and mls_read_all_levels(), for consistency.
609 -- Add make kernel and init ranged interfaces pass the range transition MLS
610 - constraints. Also remove calls to mls_rangetrans_target() in modules that use
611 - the kernel and init interfaces, since its redundant.
612 -- Add interfaces for all MLS attributes except X object classes.
613 -- Require all sensitivities and categories for MLS and MCS policies, not just
614 - the low and high sensitivity and category.
615 -- Database userspace object manager classes from KaiGai Kohei.
616 -- Add third-party interface for Apache CGI.
617 -- Add getserv and shmemserv nscd permissions.
618 -- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
619 -- Added modules:
620 - application
621 - awstats (Stefan Schulze Frielinghaus)
622 - bitlbee (Devin Carraway)
623 - brctl (Dan Walsh)
624 -
625 -* Fri Jun 29 2007 Chris PeBenito <selinux@××××××.com> - 20070629
626 -- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
627 - libraries module.
628 -- Unified labeled networking policy from Paul Moore.
629 -- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
630 -- Xen updates from Dan Walsh.
631 -- Filesystem updates from Dan Walsh.
632 -- Large samba update from Dan Walsh.
633 -- Drop snmpd_etc_t.
634 -- Confine sendmail and logrotate on targeted.
635 -- Tunable connection to postgresql for users from KaiGai Kohei.
636 -- Memprotect support patch from Stephen Smalley.
637 -- Add logging_send_audit_msgs() interface and deprecate
638 - send_audit_msgs_pattern().
639 -- Openct updates patch from Dan Walsh.
640 -- Merge restorecon into setfiles.
641 -- Patch to begin separating out hald helper programs from Dan Walsh.
642 -- Fixes for squid, dovecot, and snmp from Dan Walsh.
643 -- Miscellaneous consolekit fixes from Dan Walsh.
644 -- Patch to have avahi use the nsswitch interface rather than individual
645 - permissions from Dan Walsh.
646 -- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
647 -- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
648 - to handle usage from userhelper from Dan Walsh.
649 -- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
650 -- Patch to allow slocate to getattr other filesystems and directories on those
651 - filesystems from Dan Walsh.
652 -- Fixes for RHEL4 from the CLIP project.
653 -- Replace the old lrrd fc entries with munin ones.
654 -- Move program admin template usage out of userdom_admin_user_template() to
655 - sysadm policy in userdomain.te to fix usage of the template for third
656 - parties.
657 -- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
658 - template instead of an interface.
659 -- Added modules:
660 - amtu (Dan Walsh)
661 - apcupsd (Dan Walsh)
662 - rpcbind (Dan Walsh)
663 - rwho (Nalin Dahyabhai)
664 -
665 -* Tue Apr 17 2007 Chris PeBenito <selinux@××××××.com> - 20070417
666 -- Patch for sasl's use of kerberos from Dan Walsh.
667 -- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
668 -- Man page updates from Dan Walsh.
669 -- Two patches from Paul Moore to for ipsec to remove redundant rules and
670 - have setkey read the config file.
671 -- Move booleans and tunables to modules when it is only used in a single
672 - module.
673 -- Add support for tunables and booleans local to a module.
674 -- Merge sbin_t and ls_exec_t into bin_t.
675 -- Remove disable_trans booleans.
676 -- Output different header sets for kernel and userland from flask headers.
677 -- Marked the pax class as deprecated, changed it to userland so
678 - it will be removed from the kernel.
679 -- Stop including netfilter contexts by default.
680 -- Add dontaudits for init fds and console to init_daemon_domain().
681 -- Patch to allow gpg to create user keys dir.
682 -- Patch to support kvmfs from Dan Walsh.
683 -- Patch for misc fixes in sudo from Dan Walsh.
684 -- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
685 -- Patch for handling restart of nscd when ran from useradd, groupadd, and
686 - admin passwd, from Dan Walsh.
687 -- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
688 -- Patch for setroubleshoot for validating file contexts from Dan Walsh.
689 -- Patch for gssd fixes from Dan Walsh.
690 -- Patch for lvm fixes from Dan Walsh.
691 -- Patch for ricci fixes from Dan Walsh.
692 -- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
693 -- Patch for kerberized telnet fixes from Dan Walsh.
694 -- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
695 -- Patch for an additional wine executable from Dan Walsh.
696 -- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
697 - corecommands, devices, and java from Dan Walsh.
698 -- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
699 -- Patch for misc fixes to bluetooth from Dan Walsh.
700 -- Patch for misc fixes to kerberos from Dan Walsh.
701 -- Patch to start deprecating usercanread attribute from Ryan Bradetich.
702 -- Add dccp_socket object class which was added in kernel 2.6.20.
703 -- Patch for prelink relabefrom it's temp files from Dan Walsh.
704 -- Patch for capability fix for auditd and networking fix for syslogd from
705 - Dan Walsh.
706 -- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
707 -- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
708 -- Patch to allow apmd to telinit from Dan Walsh.
709 -- Patch for additional labeling of samba files from Stefan Schulze
710 - Frielinghaus.
711 -- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
712 -- Fix ptys and ttys to be device nodes.
713 -- Fix explicit use of httpd_t in openca_domtrans().
714 -- Clean up file context regexes in apache and java, from Eamon Walsh.
715 -- Patches from Dan Walsh:
716 - Thu, 25 Jan 2007
717 -- Added modules:
718 - consolekit (Dan Walsh)
719 - fail2ban (Dan Walsh)
720 - zabbix (Dan Walsh)
721 -
722 -* Tue Dec 12 2006 Chris PeBenito <selinux@××××××.com> - 20061212
723 -- Add policy patterns support macros. This changes the behavior of
724 - the create_dir_perms and create_file_perms permission sets.
725 -- Association polmatch MLS constraint making unlabeled_t an exception
726 - is no longer needed, patch from Venkat Yekkirala.
727 -- Context contains checking for PAM and cron from James Antill.
728 -- Add a reload target to Modules.devel and change the load
729 - target to only insert modules that were changed.
730 -- Allow semanage to read from /root on strict non-MLS for
731 - local policy modules.
732 -- Gentoo init script fixes for udev.
733 -- Allow udev to read kernel modules.inputmap.
734 -- Dnsmasq fixes from testing.
735 -- Allow kernel NFS server to getattr filesystems so df can work
736 - on clients.
737 -- Patch from Matt Anderson for a MLS constraint exemption on a
738 - file that can be written to from a subject whose range is
739 - within the object's range.
740 -- Enhanced setransd support from Darrel Goeddel.
741 -- Patches from Dan Walsh:
742 - Tue, 24 Oct 2006
743 - Wed, 29 Nov 2006
744 -- Added modules:
745 - aide (Matt Anderson)
746 - ccs (Dan Walsh)
747 - iscsi (Dan Walsh)
748 - ricci (Dan Walsh)
749 -
750 -* Wed Oct 18 2006 Chris PeBenito <selinux@××××××.com> - 20061018
751 -- Patch from Russell Coker Thu, 5 Oct 2006
752 -- Move range transitions to modules.
753 -- Make number of MLS sensitivities, and number of MLS and MCS
754 - categories configurable as build options.
755 -- Add role infrastructure.
756 -- Debian updates from Erich Schubert.
757 -- Add nscd_socket_use() to auth_use_nsswitch().
758 -- Remove old selopt rules.
759 -- Full support for netfilter_contexts.
760 -- MRTG patch for daemon operation from Stefan.
761 -- Add authlogin interface to abstract common access for login programs.
762 -- Remove setbool auditallow, except for RHEL4.
763 -- Change eventpollfs to task SID labeling.
764 -- Add key support from Michael LeMay.
765 -- Add ftpdctl domain to ftp, from Paul Howarth.
766 -- Fix build system to not move type declarations out of optionals.
767 -- Add gcc-config domain to portage.
768 -- Add packet object class and support in corenetwork.
769 -- Add a copy of genhomedircon for monolithic policy building, so that a
770 - policycoreutils package update is not required for RHEL4 systems.
771 -- Add appletalk sockets for use in cups.
772 -- Add Make target to validate module linking.
773 -- Make duplicate template and interface declarations a fatal error.
774 -- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
775 -- Move xconsole_device_t from devices to xserver since it is
776 - not actually a device, it is a named pipe.
777 -- Handle nonexistant .fc and .if files in devel Makefile by
778 - automatically creating empty files.
779 -- Remove unused devfs_control_t.
780 -- Add rhel4 distro, which also implies redhat distro.
781 -- Remove unneeded range_transition for su_exec_t and move the
782 - type declaration back to the su module.
783 -- Constrain transitions in MCS so unconfined_t cannot have
784 - arbitrary category sets.
785 -- Change reiserfs from xattr filesystem to genfscon as it's xattrs
786 - are currently nonfunctional.
787 -- Change files and filesystem modules to use their own interfaces.
788 -- Add user fonts to xserver.
789 -- Additional interfaces in corecommands, miscfiles, and userdomain
790 - from Joy Latten.
791 -- Miscellaneous fixes from Thomas Bleher.
792 -- Deprecate module name as first parameter of optional_policy()
793 - now that optionals are allowed everywhere.
794 -- Enable optional blocks in base module and monolithic policy.
795 - This requires checkpolicy 1.30.1.
796 -- Fix vpn module declaration.
797 -- Numerous fixes from Dan Walsh.
798 -- Change build order to preserve m4 line number information so policy
799 - compile errors are useful again.
800 -- Additional MLS interfaces from Chad Hanson.
801 -- Move some rules out of domain_type() and domain_base_type()
802 - to the TE file, to use the domain attribute to take advantage
803 - of space savings from attribute use.
804 -- Add global stack smashing protector rule for urandom access from
805 - Petre Rodan.
806 -- Fix temporary rules at the bottom of portmap.
807 -- Updated comments in mls file from Chad Hanson.
808 -- Patches from Dan Walsh:
809 - Fri, 17 Mar 2006
810 - Wed, 29 Mar 2006
811 - Tue, 11 Apr 2006
812 - Fri, 14 Apr 2006
813 - Tue, 18 Apr 2006
814 - Thu, 20 Apr 2006
815 - Tue, 02 May 2006
816 - Mon, 15 May 2006
817 - Thu, 18 May 2006
818 - Tue, 06 Jun 2006
819 - Mon, 12 Jun 2006
820 - Tue, 20 Jun 2006
821 - Wed, 26 Jul 2006
822 - Wed, 23 Aug 2006
823 - Thu, 31 Aug 2006
824 - Fri, 01 Sep 2006
825 - Tue, 05 Sep 2006
826 - Wed, 20 Sep 2006
827 - Fri, 22 Sep 2006
828 - Mon, 25 Sep 2006
829 -- Added modules:
830 - afs
831 - amavis (Erich Schubert)
832 - apt (Erich Schubert)
833 - asterisk
834 - audioentropy
835 - authbind
836 - backup
837 - calamaris
838 - cipe
839 - clamav (Erich Schubert)
840 - clockspeed (Petre Rodan)
841 - courier
842 - dante
843 - dcc
844 - ddclient
845 - dpkg (Erich Schubert)
846 - dnsmasq
847 - ethereal
848 - evolution
849 - games
850 - gatekeeper
851 - gift
852 - gnome (James Carter)
853 - imaze
854 - ircd
855 - jabber
856 - monop
857 - mozilla
858 - mplayer
859 - munin
860 - nagios
861 - nessus
862 - netlabel (Paul Moore)
863 - nsd
864 - ntop
865 - nx
866 - oav
867 - oddjob (Dan Walsh)
868 - openca
869 - openvpn (Petre Rodan)
870 - perdition
871 - portslave
872 - postgrey
873 - pxe
874 - pyzor (Dan Walsh)
875 - qmail (Petre Rodan)
876 - razor
877 - resmgr
878 - rhgb
879 - rssh
880 - snort
881 - soundserver
882 - speedtouch
883 - sxid
884 - thunderbird
885 - tor (Erich Schubert)
886 - transproxy
887 - tripwire
888 - uptime
889 - uwimap
890 - vmware
891 - watchdog
892 - xen (Dan Walsh)
893 - xprint
894 - yam
895 -
896 -* Tue Mar 07 2006 Chris PeBenito <selinux@××××××.com> - 20060307
897 -- Make all interface parameters required.
898 -- Move boot_t, system_map_t, and modules_object_t to files module,
899 - and move bootloader to admin layer.
900 -- Add semanage policy for semodule from Dan Walsh.
901 -- Remove allow_execmem from targeted policy domain_base_type().
902 -- Add users_extra and seusers support.
903 -- Postfix fixes from Serge Hallyn.
904 -- Run python and shell directly to interpret scripts so policy
905 - sources need not be executable.
906 -- Add desc tag XML to booleans and tunables, and add summary
907 - to param XML tag, to make future translations possible.
908 -- Remove unused lvm_vg_t.
909 -- Many interface renames to improve naming consistency.
910 -- Merge xdm into xserver.
911 -- Remove kernel module reversed interfaces.
912 -- Add filename attribute to module XML tag and lineno attribute to
913 - interface XML tag.
914 -- Changed QUIET build option to a yes or no option.
915 -- Add a Makefile used for compiling loadable modules in a
916 - user's development environment, building against policy headers.
917 -- Add Make target for installing policy headers.
918 -- Separate per-userdomain template expansion from the userdomain
919 - module and add infrastructure to expand templates in the modules
920 - that own the template.
921 -- Enable secadm only for MLS policies.
922 -- Remove role change rules in su and sudo since this functionality has been
923 - removed from these programs.
924 -- Add ctags Make target from Thomas Bleher.
925 -- Collapse commands with grep piped to sed into one sed command.
926 -- Fix type_change bug in term_user_pty().
927 -- Move ice_tmp_t from miscfiles to xserver.
928 -- Login fixes from Serge Hallyn.
929 -- Move xserver_log_t from xdm to xserver.
930 -- Add lpr per-userdomain policy to lpd.
931 -- Miscellaneous fixes from Dan Walsh.
932 -- Change initrc_var_run_t interface noun from script_pid to utmp,
933 - for greater clarity.
934 -- Added modules:
935 - certwatch
936 - mono (Dan Walsh)
937 - mrtg
938 - portage
939 - tvtime
940 - userhelper
941 - usernetctl
942 - wine (Dan Walsh)
943 - xserver
944 -
945 -* Tue Jan 17 2006 Chris PeBenito <selinux@××××××.com> - 20060117
946 -- Adds support for generating corenetwork interfaces based on attributes
947 - in addition to types.
948 -- Permits the listing of multiple nodes in a network_node() that will be
949 - given the same type.
950 -- Add two new permission sets for stream sockets.
951 -- Rename file type transition interfaces verb from create to
952 - filetrans to differentiate it from create interfaces without
953 - type transitions.
954 -- Fix expansion of interfaces from disabled modules.
955 -- Rsync can be long running from init,
956 - added rules to allow this.
957 -- Add polyinstantiation build option.
958 -- Add setcontext to the association object class.
959 -- Add apache relay and db connect tunables.
960 -- Rename texrel_shlib_t to textrel_shlib_t.
961 -- Add swat to samba module.
962 -- Numerous miscellaneous fixes from Dan Walsh.
963 -- Added modules:
964 - alsa
965 - automount
966 - cdrecord
967 - daemontools (Petre Rodan)
968 - ddcprobe
969 - djbdns (Petre Rodan)
970 - fetchmail
971 - irc
972 - java
973 - lockdev
974 - logwatch (Dan Walsh)
975 - openct
976 - prelink (Dan Walsh)
977 - publicfile (Petre Rodan)
978 - readahead
979 - roundup
980 - screen
981 - slocate (Dan Walsh)
982 - slrnpull
983 - smartmon
984 - sysstat
985 - ucspitcp (Petre Rodan)
986 - usbmodules
987 - vbetool (Dan Walsh)
988 -
989 -* Wed Dec 07 2005 Chris PeBenito <selinux@××××××.com> - 20051207
990 -- Add unlabeled IPSEC association rule to domains with
991 - networking permissions.
992 -- Merge systemuser back in to users, as these files
993 - do not need to be split.
994 -- Add check for duplicate interface/template definitions.
995 -- Move domain, files, and corecommands modules to kernel
996 - layer to resolve some layering inconsistencies.
997 -- Move policy build options out of Makefile into build.conf.
998 -- Add yppasswd to nis module.
999 -- Change optional_policy() to refer to the module name
1000 - rather than modulename.te.
1001 -- Fix labeling targets to use installed file_contexts rather
1002 - than partial file_contexts in the policy source directory.
1003 -- Fix build process to use make's internal vpath functions
1004 - to detect modules rather than using subshells and find.
1005 -- Add install target for modular policy.
1006 -- Add load target for modular policy.
1007 -- Add appconfig dependency to the load target.
1008 -- Miscellaneous fixes from Dan Walsh.
1009 -- Fix corenetwork gen_context()'s to expand during the policy
1010 - build phase instead of during the generation phase.
1011 -- Added policies:
1012 - amanda
1013 - avahi
1014 - canna
1015 - cyrus
1016 - dbskk
1017 - dovecot
1018 - distcc
1019 - i18n_input
1020 - irqbalance
1021 - lpd
1022 - networkmanager
1023 - pegasus
1024 - postfix
1025 - procmail
1026 - radius
1027 - rdisc
1028 - rpc
1029 - spamassassin
1030 - timidity
1031 - xdm
1032 - xfs
1033 -
1034 -* Wed Oct 19 2005 Chris PeBenito <selinux@××××××.com> - 20051019
1035 -- Many fixes to make loadable modules build.
1036 -- Add targets for sechecker.
1037 -- Updated to sedoctool to read bool files and tunable
1038 - files separately.
1039 -- Changed the xml tag of <boolean> to <bool> to be consistent
1040 - with gen_bool().
1041 -- Modified the implementation of segenxml to use regular
1042 - expressions.
1043 -- Rename context_template() to gen_context() to clarify
1044 - that its not a Reference Policy template, but a support
1045 - macro.
1046 -- Add disable_*_trans bool support for targeted policy.
1047 -- Add MLS module to handle MLS constraint exceptions,
1048 - such as reading up and writing down.
1049 -- Fix errors uncovered by sediff.
1050 -- Added policies:
1051 - anaconda
1052 - apache
1053 - apm
1054 - arpwatch
1055 - bluetooth
1056 - dmidecode
1057 - finger
1058 - ftp
1059 - kudzu
1060 - mailman
1061 - ppp
1062 - radvd
1063 - sasl
1064 - webalizer
1065 -
1066 -* Thu Sep 22 2005 Chris PeBenito <selinux@××××××.com> - 20050922
1067 -- Make logrotate, sendmail, sshd, and rpm policies
1068 - unconfined in the targeted policy so no special
1069 - modules.conf is required.
1070 -- Add experimental MCS support.
1071 -- Add appconfig for MLS.
1072 -- Add equivalents for old can_resolve(), can_ldap(), and
1073 - can_portmap() to sysnetwork.
1074 -- Fix base module compile issues.
1075 -- Added policies:
1076 - cpucontrol
1077 - cvs
1078 - ktalk
1079 - portmap
1080 - postgresql
1081 - rlogin
1082 - samba
1083 - snmp
1084 - stunnel
1085 - telnet
1086 - tftp
1087 - uucp
1088 - vpn
1089 - zebra
1090 -
1091 -* Wed Sep 07 2005 Chris PeBenito <selinux@××××××.com> - 20050907
1092 -- Fix errors uncovered by sediff.
1093 -- Doc tool will explicitly say a module does not have interfaces
1094 - or templates on the module page.
1095 -- Added policies:
1096 - comsat
1097 - dbus
1098 - dhcp
1099 - dictd
1100 - hal
1101 - inn
1102 - ntp
1103 - squid
1104 -
1105 -* Fri Aug 26 2005 Chris PeBenito <selinux@××××××.com> - 20050826
1106 -- Add Makefile support for building loadable modules.
1107 -- Add genclassperms.py tool to add require blocks
1108 - for loadable modules.
1109 -- Change sedoctool to make required modules part of base
1110 - by default, otherwise make as modules, in modules.conf.
1111 -- Fix segenxml to handle modules with no interfaces.
1112 -- Rename ipsec connect interface for consistency.
1113 -- Add missing parts of unix stream socket connect interface
1114 - of ipsec.
1115 -- Rename inetd connect interface for consistency.
1116 -- Rename interface for purging contents of tmp, for clarity,
1117 - since it allows deletion of classes other than file.
1118 -- Misc. cleanups.
1119 -- Added policies:
1120 - acct
1121 - bind
1122 - firstboot
1123 - gpm
1124 - howl
1125 - ldap
1126 - loadkeys
1127 - mysql
1128 - privoxy
1129 - quota
1130 - rshd
1131 - rsync
1132 - su
1133 - sudo
1134 - tcpd
1135 - tmpreaper
1136 - updfstab
1137 -
1138 -* Tue Aug 2 2005 Chris PeBenito <selinux@××××××.com> - 20050802
1139 -- Fix comparison bug in fc_sort.
1140 -- Fix handling of ordered and unordered HTML lists.
1141 -- Corenetwork now supports multiple network interfaces having the
1142 - same type.
1143 -- Doc tool now creates pages for global Booleans and global tunables.
1144 -- Doc tool now links directly to the interface/template in the
1145 - module page when it is selected in the interface/template index.
1146 -- Added support for layer summaries.
1147 -- Added policies:
1148 - ipsec
1149 - nscd
1150 - pcmcia
1151 - raid
1152 -
1153 -* Thu Jul 7 2005 Chris PeBenito <selinux@××××××.com> - 20050707
1154 -- Changed xml to have modules encapsulated by layer tags, rather
1155 - than putting layer="foo" in the module tags. Also in the future
1156 - we can put a summary and description for each layer.
1157 -- Added tool to infer interface, module, and layer tags. This will
1158 - now list all interfaces, even if they are missing xml docs.
1159 -- Shortened xml tag names.
1160 -- Added macros to declare interfaces and templates.
1161 -- Added interface call trace.
1162 -- Updated all xml documentation for shorter and inferred tags.
1163 -- Doc tool now displays templates in the web pages.
1164 -- Doc tool retains the user's settings in modules.conf and
1165 - tunables.conf if the files already exist.
1166 -- Modules.conf behavior has been changed to be a list of all
1167 - available modules, and the user can specify if the module is
1168 - built as a loadable module, included in the monolithic policy,
1169 - or excluded.
1170 -- Added policies:
1171 - fstools (fsck, mkfs, swapon, etc. tools)
1172 - logrotate
1173 - inetd
1174 - kerberos
1175 - nis (ypbind and ypserv)
1176 - ssh (server, client, and agent)
1177 - unconfined
1178 -- Added infrastructure for targeted policy support, only missing
1179 - transition boolean support.
1180 -
1181 -* Wed Jun 15 2005 Chris PeBenito <selinux@××××××.com> - 20050615
1182 - - Initial release
1183
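Review bot: the removed history at the end of this hunk, everything back to the 20050615 initial release, is not replaced in the visible lines by any pointer to Changelog.old. The dropped entries include security-relevant policy changes such as "Remove allow_execmem from targeted policy domain_base_type()" and "Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets". If the new-format Changelog does not already say so, add one line naming Changelog.old as the location of entries up to 2.20120725, so that anyone auditing when a policy change landed knows where to look.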
1184 diff --git a/Changelog b/Changelog.old
1185 similarity index 99%
1186 copy from Changelog
1187 copy to Changelog.old
1188 index 0090893..672e632 100644
1189 --- a/Changelog
1190 +++ b/Changelog.old
1191 @@ -1,3 +1,7 @@
1192 +- Mcelog update from Guido Trentalancia.
1193 +- Added contrib modules:
1194 + bird (Dominick Grift)
1195 +
1196 * Wed Jul 25 2012 Chris PeBenito <selinux@××××××.com> - 2.20120725
1197 - Rename epollwakeup capability2 permission to block_suspend to match the
1198 corresponding kernel capability rename.
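Review bot: the four added lines at the top of Changelog.old put "- Mcelog update from Guido Trentalancia." and the bird contrib module entry above the 2.20120725 release header with no release header of their own, so the archived file does not say which release they belong to. Give them a header line in the file's existing "* date author - version" form, or a one-line marker that they postdate 2.20120725. The commit message ("Archive old Changelog for log format change") should also mention that the archive gains entries, since the diff reports it as a 99% copy rather than an exact one.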