Add group support to seusers using %groupname syntax from Dan Walsh.
Mark setrans socket close-on-exec from Stephen Smalley.
Only apply nodups checking to base file contexts from Stephen Smalley.
Handle duplicate file context regexes as a fatal error from Stephen
Smalley. This prevents adding them via semanage.
Fix audit2why shadowed variables from Stephen Smalley.
Note that freecon NULL is legal in man page from Karel Zak.
Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call
matchpathcon_init_prefix if not already initialized.
Add -q qualifier for -V option of matchpathcon and change it to indicate
whether verification succeeded or failed via exit status.
Fixed selinux_set_callback man page.
Try loading the max of the kernel-supported version and the
libsepol-supported version when no manipulation of the binary policy is
needed from Stephen Smalley.
Fix memory leaks in matchpathcon from Eamon Walsh.
Disable setlocaldefs if no local boolean or users files are present from
Stephen Smalley.
Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen
Smalley.
dlopen libsepol.so.1 rather than libsepol.so from Stephen Smalley.
Based on a suggestion from Ulrich Drepper, defer regex compilation until we
have a stem match, by Stephen Smalley.
A further optimization would be to defer regex compilation until we have a
complete match of the constant prefix of the regex - TBD.
AVC enforcing mode override patch from Eamon Walsh.
Aligned attributes in AVC netlink code from Eamon Walsh.
- Move libselinux.so back into devel package, procps has been fixed
Merged refactored AVC netlink code from Eamon Walsh.
Merged new X label namespaces from Eamon Walsh.
Bux fix and minor refactoring in string representation code.
Class and permission mapping support patches from Eamon Walsh.
Object class discovery support patches from Chris PeBenito.
Refactoring and errno support in string representation code.
Merged patch to reduce size of libselinux and remove need for libsepol for
embedded systems from Yuichi Nakamura. This patch also turns the
link-time dependency on libsepol into a runtime (dlopen) dependency
even in the non-embedded case.
Merged userspace AVC patch to follow kernel's behavior for permissive mode
in caching previous denials from Eamon Walsh.
Merged sidput(NULL) patch from Eamon Walsh.
the use of the non-standard format %as. (original patch changed for
style).
Merged patch from Todd Miller to fix memory leak in matchpathcon.c.
Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-2
- Add context function to python to split context into 4 parts
Merged man page updates to make "apropos selinux" work from Dan Walsh.
Mon Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
- Upgrade to upstream
Merged getdefaultcon utility from Dan Walsh.
Merged updated flask definitions from Darrel Goeddel. This adds the context
security class, and also adds the string definitions for setsockcreate
and polmatch.
Merged patch to not log avc stats upon a reset from Steve Grubb.
Applied patch to revert compat_net setting upon policy load.
Merged file context homedir and local path functions from Chris PeBenito.
Merged file context homedir and local path functions from Chris PeBenito.
Rework functions that access /proc/pid/attr to access the per-thread nodes,
and unify the code to simplify maintenance.
Lindent.
Merged {get,set}procattrcon patch set from Eric Paris.
Merged re-base of keycreate patch originally by Michael LeMay from Eric
Paris.
Regenerated Flask headers from refpolicy.
- Added selinux_file_context_{cmp,verify}.
- Added selinux_lsetfilecon_default.
- Delay translation of contexts in matchpathcon.
Added selinux_getpolicytype() function.
Modified setrans code to skip processing if !mls_enabled.
Set errno in the !selinux_mnt case.
Allocate large buffers from the heap, not on stack. Affects
is_context_customizable, selinux_init_load_policy, and
selinux_getenforcemode.
Merged simple setrans client cache from Dan Walsh. Merged avcstat patch
from Russell Coker.
Modified selinux_mkload_policy() to also set /selinux/compat_net
appropriately for the loaded policy.
Merged getfscreatecon man page fix from Dan Walsh.
Updated booleans(8) man page to drop references to the old booleans file
and to note that setsebool can be used to set the boot-time defaults
via -P.
Merged setrans client support from Dan Walsh. This removes use of
libsetrans.
Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh.
Merged swig typemap fixes from Glauber de Oliveira Costa.
Added distclean target to Makefile.
Regenerated swig files.
Changed matchpathcon_init to verify that the spec file is a regular file.
Merged python binding t_output_helper removal patch from Dan Walsh.
- Upgrade to latest from NSA
Updated version for release.
Altered rpm_execcon fallback logic for permissive mode to also handle case
where /selinux/enforce is not available.
- corrected use of getline
- further calls to __fsetlocking for local files
- use of strdupa and asprintf
- proper handling of dirent in booleans code
- use of -z relro
- several other optimizations
Merged getpidcon python wrapper from Dan Walsh (Red Hat).
Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and modified
matchpathcon implementation to make context validation/
canonicalization optional at matchpathcon_init time, deferring it to a
successful matchpathcon by default unless the new flag is set by the
caller.
Added matchpathcon_init_prefix() interface, and reworked matchpathcon
implementation to support selective loading of file contexts entries
based on prefix matching between the pathname regex stems and the
specified path prefix (stem must be a prefix of the specified path
prefix).
Added -f file_contexts option to matchpathcon util. Fixed warning message
in matchpathcon_init().
Merged Makefile python definitions patch from Dan Walsh.
Added security_canonicalize_context() interface and
set_matchpathcon_canoncon() interface for obtaining canonical contexts.
Changed matchpathcon internals to obtain canonical contexts by default.
Provided fallback for kernels that lack extended selinuxfs context
interface.
- Patch to not translate mls when calling setfiles
Merged seusers parser changes from Ivan Gyurdiev.
Merged setsebool to libsemanage patch from Ivan Gyurdiev.
Changed seusers parser to reject empty fields.
