458 lines
13 KiB
Plaintext
458 lines
13 KiB
Plaintext
- Association polmatch MLS constraint making unlabeled_t an exception
|
|
is no longer needed, patch from Venkat Yekkirala.
|
|
- Context contains checking for PAM and cron from James Antill.
|
|
- Add a reload target to Modules.devel and change the load
|
|
target to only insert modules that were changed.
|
|
- Allow semanage to read from /root on strict non-MLS for
|
|
local policy modules.
|
|
- Gentoo init script fixes for udev.
|
|
- Allow udev to read kernel modules.inputmap.
|
|
- Dnsmasq fixes from testing.
|
|
- Allow kernel NFS server to getattr filesystems so df can work
|
|
on clients.
|
|
- Patch from Matt Anderson for a MLS constraint exemption on a
|
|
file that can be written to from a subject whose range is
|
|
within the object's range.
|
|
- Enhanced setransd support from Darrel Goeddel.
|
|
- Patches from Dan Walsh:
|
|
Tue, 24 Oct 2006
|
|
- Added modules:
|
|
aide (Matt Anderson)
|
|
ccs (Dan Walsh)
|
|
iscsi (Dan Walsh)
|
|
ricci (Dan Walsh)
|
|
|
|
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
|
|
- Patch from Russell Coker Thu, 5 Oct 2006
|
|
- Move range transitions to modules.
|
|
- Make number of MLS sensitivities, and number of MLS and MCS
|
|
categories configurable as build options.
|
|
- Add role infrastructure.
|
|
- Debian updates from Erich Schubert.
|
|
- Add nscd_socket_use() to auth_use_nsswitch().
|
|
- Remove old selopt rules.
|
|
- Full support for netfilter_contexts.
|
|
- MRTG patch for daemon operation from Stefan.
|
|
- Add authlogin interface to abstract common access for login programs.
|
|
- Remove setbool auditallow, except for RHEL4.
|
|
- Change eventpollfs to task SID labeling.
|
|
- Add key support from Michael LeMay.
|
|
- Add ftpdctl domain to ftp, from Paul Howarth.
|
|
- Fix build system to not move type declarations out of optionals.
|
|
- Add gcc-config domain to portage.
|
|
- Add packet object class and support in corenetwork.
|
|
- Add a copy of genhomedircon for monolithic policy building, so that a
|
|
policycoreutils package update is not required for RHEL4 systems.
|
|
- Add appletalk sockets for use in cups.
|
|
- Add Make target to validate module linking.
|
|
- Make duplicate template and interface declarations a fatal error.
|
|
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
|
|
- Move xconsole_device_t from devices to xserver since it is
|
|
not actually a device, it is a named pipe.
|
|
- Handle nonexistant .fc and .if files in devel Makefile by
|
|
automatically creating empty files.
|
|
- Remove unused devfs_control_t.
|
|
- Add rhel4 distro, which also implies redhat distro.
|
|
- Remove unneeded range_transition for su_exec_t and move the
|
|
type declaration back to the su module.
|
|
- Constrain transitions in MCS so unconfined_t cannot have
|
|
arbitrary category sets.
|
|
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
|
|
are currently nonfunctional.
|
|
- Change files and filesystem modules to use their own interfaces.
|
|
- Add user fonts to xserver.
|
|
- Additional interfaces in corecommands, miscfiles, and userdomain
|
|
from Joy Latten.
|
|
- Miscellaneous fixes from Thomas Bleher.
|
|
- Deprecate module name as first parameter of optional_policy()
|
|
now that optionals are allowed everywhere.
|
|
- Enable optional blocks in base module and monolithic policy.
|
|
This requires checkpolicy 1.30.1.
|
|
- Fix vpn module declaration.
|
|
- Numerous fixes from Dan Walsh.
|
|
- Change build order to preserve m4 line number information so policy
|
|
compile errors are useful again.
|
|
- Additional MLS interfaces from Chad Hanson.
|
|
- Move some rules out of domain_type() and domain_base_type()
|
|
to the TE file, to use the domain attribute to take advantage
|
|
of space savings from attribute use.
|
|
- Add global stack smashing protector rule for urandom access from
|
|
Petre Rodan.
|
|
- Fix temporary rules at the bottom of portmap.
|
|
- Updated comments in mls file from Chad Hanson.
|
|
- Patches from Dan Walsh:
|
|
Fri, 17 Mar 2006
|
|
Wed, 29 Mar 2006
|
|
Tue, 11 Apr 2006
|
|
Fri, 14 Apr 2006
|
|
Tue, 18 Apr 2006
|
|
Thu, 20 Apr 2006
|
|
Tue, 02 May 2006
|
|
Mon, 15 May 2006
|
|
Thu, 18 May 2006
|
|
Tue, 06 Jun 2006
|
|
Mon, 12 Jun 2006
|
|
Tue, 20 Jun 2006
|
|
Wed, 26 Jul 2006
|
|
Wed, 23 Aug 2006
|
|
Thu, 31 Aug 2006
|
|
Fri, 01 Sep 2006
|
|
Tue, 05 Sep 2006
|
|
Wed, 20 Sep 2006
|
|
Fri, 22 Sep 2006
|
|
Mon, 25 Sep 2006
|
|
- Added modules:
|
|
afs
|
|
amavis (Erich Schubert)
|
|
apt (Erich Schubert)
|
|
asterisk
|
|
audioentropy
|
|
authbind
|
|
backup
|
|
calamaris
|
|
cipe
|
|
clamav (Erich Schubert)
|
|
clockspeed (Petre Rodan)
|
|
courier
|
|
dante
|
|
dcc
|
|
ddclient
|
|
dpkg (Erich Schubert)
|
|
dnsmasq
|
|
ethereal
|
|
evolution
|
|
games
|
|
gatekeeper
|
|
gift
|
|
gnome (James Carter)
|
|
imaze
|
|
ircd
|
|
jabber
|
|
monop
|
|
mozilla
|
|
mplayer
|
|
munin
|
|
nagios
|
|
nessus
|
|
netlabel (Paul Moore)
|
|
nsd
|
|
ntop
|
|
nx
|
|
oav
|
|
oddjob (Dan Walsh)
|
|
openca
|
|
openvpn (Petre Rodan)
|
|
perdition
|
|
portslave
|
|
postgrey
|
|
pxe
|
|
pyzor (Dan Walsh)
|
|
qmail (Petre Rodan)
|
|
razor
|
|
resmgr
|
|
rhgb
|
|
rssh
|
|
snort
|
|
soundserver
|
|
speedtouch
|
|
sxid
|
|
thunderbird
|
|
tor (Erich Schubert)
|
|
transproxy
|
|
tripwire
|
|
uptime
|
|
uwimap
|
|
vmware
|
|
watchdog
|
|
xen (Dan Walsh)
|
|
xprint
|
|
yam
|
|
|
|
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
|
|
- Make all interface parameters required.
|
|
- Move boot_t, system_map_t, and modules_object_t to files module,
|
|
and move bootloader to admin layer.
|
|
- Add semanage policy for semodule from Dan Walsh.
|
|
- Remove allow_execmem from targeted policy domain_base_type().
|
|
- Add users_extra and seusers support.
|
|
- Postfix fixes from Serge Hallyn.
|
|
- Run python and shell directly to interpret scripts so policy
|
|
sources need not be executable.
|
|
- Add desc tag XML to booleans and tunables, and add summary
|
|
to param XML tag, to make future translations possible.
|
|
- Remove unused lvm_vg_t.
|
|
- Many interface renames to improve naming consistency.
|
|
- Merge xdm into xserver.
|
|
- Remove kernel module reversed interfaces.
|
|
- Add filename attribute to module XML tag and lineno attribute to
|
|
interface XML tag.
|
|
- Changed QUIET build option to a yes or no option.
|
|
- Add a Makefile used for compiling loadable modules in a
|
|
user's development environment, building against policy headers.
|
|
- Add Make target for installing policy headers.
|
|
- Separate per-userdomain template expansion from the userdomain
|
|
module and add infrastructure to expand templates in the modules
|
|
that own the template.
|
|
- Enable secadm only for MLS policies.
|
|
- Remove role change rules in su and sudo since this functionality has been
|
|
removed from these programs.
|
|
- Add ctags Make target from Thomas Bleher.
|
|
- Collapse commands with grep piped to sed into one sed command.
|
|
- Fix type_change bug in term_user_pty().
|
|
- Move ice_tmp_t from miscfiles to xserver.
|
|
- Login fixes from Serge Hallyn.
|
|
- Move xserver_log_t from xdm to xserver.
|
|
- Add lpr per-userdomain policy to lpd.
|
|
- Miscellaneous fixes from Dan Walsh.
|
|
- Change initrc_var_run_t interface noun from script_pid to utmp,
|
|
for greater clarity.
|
|
- Added modules:
|
|
certwatch
|
|
mono (Dan Walsh)
|
|
mrtg
|
|
portage
|
|
tvtime
|
|
userhelper
|
|
usernetctl
|
|
wine (Dan Walsh)
|
|
xserver
|
|
|
|
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
|
|
- Adds support for generating corenetwork interfaces based on attributes
|
|
in addition to types.
|
|
- Permits the listing of multiple nodes in a network_node() that will be
|
|
given the same type.
|
|
- Add two new permission sets for stream sockets.
|
|
- Rename file type transition interfaces verb from create to
|
|
filetrans to differentiate it from create interfaces without
|
|
type transitions.
|
|
- Fix expansion of interfaces from disabled modules.
|
|
- Rsync can be long running from init,
|
|
added rules to allow this.
|
|
- Add polyinstantiation build option.
|
|
- Add setcontext to the association object class.
|
|
- Add apache relay and db connect tunables.
|
|
- Rename texrel_shlib_t to textrel_shlib_t.
|
|
- Add swat to samba module.
|
|
- Numerous miscellaneous fixes from Dan Walsh.
|
|
- Added modules:
|
|
alsa
|
|
automount
|
|
cdrecord
|
|
daemontools (Petre Rodan)
|
|
ddcprobe
|
|
djbdns (Petre Rodan)
|
|
fetchmail
|
|
irc
|
|
java
|
|
lockdev
|
|
logwatch (Dan Walsh)
|
|
openct
|
|
prelink (Dan Walsh)
|
|
publicfile (Petre Rodan)
|
|
readahead
|
|
roundup
|
|
screen
|
|
slocate (Dan Walsh)
|
|
slrnpull
|
|
smartmon
|
|
sysstat
|
|
ucspitcp (Petre Rodan)
|
|
usbmodules
|
|
vbetool (Dan Walsh)
|
|
|
|
* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
|
|
- Add unlabeled IPSEC association rule to domains with
|
|
networking permissions.
|
|
- Merge systemuser back in to users, as these files
|
|
do not need to be split.
|
|
- Add check for duplicate interface/template definitions.
|
|
- Move domain, files, and corecommands modules to kernel
|
|
layer to resolve some layering inconsistencies.
|
|
- Move policy build options out of Makefile into build.conf.
|
|
- Add yppasswd to nis module.
|
|
- Change optional_policy() to refer to the module name
|
|
rather than modulename.te.
|
|
- Fix labeling targets to use installed file_contexts rather
|
|
than partial file_contexts in the policy source directory.
|
|
- Fix build process to use make's internal vpath functions
|
|
to detect modules rather than using subshells and find.
|
|
- Add install target for modular policy.
|
|
- Add load target for modular policy.
|
|
- Add appconfig dependency to the load target.
|
|
- Miscellaneous fixes from Dan Walsh.
|
|
- Fix corenetwork gen_context()'s to expand during the policy
|
|
build phase instead of during the generation phase.
|
|
- Added policies:
|
|
amanda
|
|
avahi
|
|
canna
|
|
cyrus
|
|
dbskk
|
|
dovecot
|
|
distcc
|
|
i18n_input
|
|
irqbalance
|
|
lpd
|
|
networkmanager
|
|
pegasus
|
|
postfix
|
|
procmail
|
|
radius
|
|
rdisc
|
|
rpc
|
|
spamassassin
|
|
timidity
|
|
xdm
|
|
xfs
|
|
|
|
* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
|
|
- Many fixes to make loadable modules build.
|
|
- Add targets for sechecker.
|
|
- Updated to sedoctool to read bool files and tunable
|
|
files separately.
|
|
- Changed the xml tag of <boolean> to <bool> to be consistent
|
|
with gen_bool().
|
|
- Modified the implementation of segenxml to use regular
|
|
expressions.
|
|
- Rename context_template() to gen_context() to clarify
|
|
that its not a Reference Policy template, but a support
|
|
macro.
|
|
- Add disable_*_trans bool support for targeted policy.
|
|
- Add MLS module to handle MLS constraint exceptions,
|
|
such as reading up and writing down.
|
|
- Fix errors uncovered by sediff.
|
|
- Added policies:
|
|
anaconda
|
|
apache
|
|
apm
|
|
arpwatch
|
|
bluetooth
|
|
dmidecode
|
|
finger
|
|
ftp
|
|
kudzu
|
|
mailman
|
|
ppp
|
|
radvd
|
|
sasl
|
|
webalizer
|
|
|
|
* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
|
|
- Make logrotate, sendmail, sshd, and rpm policies
|
|
unconfined in the targeted policy so no special
|
|
modules.conf is required.
|
|
- Add experimental MCS support.
|
|
- Add appconfig for MLS.
|
|
- Add equivalents for old can_resolve(), can_ldap(), and
|
|
can_portmap() to sysnetwork.
|
|
- Fix base module compile issues.
|
|
- Added policies:
|
|
cpucontrol
|
|
cvs
|
|
ktalk
|
|
portmap
|
|
postgresql
|
|
rlogin
|
|
samba
|
|
snmp
|
|
stunnel
|
|
telnet
|
|
tftp
|
|
uucp
|
|
vpn
|
|
zebra
|
|
|
|
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
|
- Fix errors uncovered by sediff.
|
|
- Doc tool will explicitly say a module does not have interfaces
|
|
or templates on the module page.
|
|
- Added policies:
|
|
comsat
|
|
dbus
|
|
dhcp
|
|
dictd
|
|
hal
|
|
inn
|
|
ntp
|
|
squid
|
|
|
|
* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
|
|
- Add Makefile support for building loadable modules.
|
|
- Add genclassperms.py tool to add require blocks
|
|
for loadable modules.
|
|
- Change sedoctool to make required modules part of base
|
|
by default, otherwise make as modules, in modules.conf.
|
|
- Fix segenxml to handle modules with no interfaces.
|
|
- Rename ipsec connect interface for consistency.
|
|
- Add missing parts of unix stream socket connect interface
|
|
of ipsec.
|
|
- Rename inetd connect interface for consistency.
|
|
- Rename interface for purging contents of tmp, for clarity,
|
|
since it allows deletion of classes other than file.
|
|
- Misc. cleanups.
|
|
- Added policies:
|
|
acct
|
|
bind
|
|
firstboot
|
|
gpm
|
|
howl
|
|
ldap
|
|
loadkeys
|
|
mysql
|
|
privoxy
|
|
quota
|
|
rshd
|
|
rsync
|
|
su
|
|
sudo
|
|
tcpd
|
|
tmpreaper
|
|
updfstab
|
|
|
|
* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
|
|
- Fix comparison bug in fc_sort.
|
|
- Fix handling of ordered and unordered HTML lists.
|
|
- Corenetwork now supports multiple network interfaces having the
|
|
same type.
|
|
- Doc tool now creates pages for global Booleans and global tunables.
|
|
- Doc tool now links directly to the interface/template in the
|
|
module page when it is selected in the interface/template index.
|
|
- Added support for layer summaries.
|
|
- Added policies:
|
|
ipsec
|
|
nscd
|
|
pcmcia
|
|
raid
|
|
|
|
* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
|
|
- Changed xml to have modules encapsulated by layer tags, rather
|
|
than putting layer="foo" in the module tags. Also in the future
|
|
we can put a summary and description for each layer.
|
|
- Added tool to infer interface, module, and layer tags. This will
|
|
now list all interfaces, even if they are missing xml docs.
|
|
- Shortened xml tag names.
|
|
- Added macros to declare interfaces and templates.
|
|
- Added interface call trace.
|
|
- Updated all xml documentation for shorter and inferred tags.
|
|
- Doc tool now displays templates in the web pages.
|
|
- Doc tool retains the user's settings in modules.conf and
|
|
tunables.conf if the files already exist.
|
|
- Modules.conf behavior has been changed to be a list of all
|
|
available modules, and the user can specify if the module is
|
|
built as a loadable module, included in the monolithic policy,
|
|
or excluded.
|
|
- Added policies:
|
|
fstools (fsck, mkfs, swapon, etc. tools)
|
|
logrotate
|
|
inetd
|
|
kerberos
|
|
nis (ypbind and ypserv)
|
|
ssh (server, client, and agent)
|
|
unconfined
|
|
- Added infrastructure for targeted policy support, only missing
|
|
transition boolean support.
|
|
|
|
* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
|
|
- Initial release
|