* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307

- Make all interface parameters required.

- Move boot_t, system_map_t, and modules_object_t to files module,

  and move bootloader to admin layer.

- Add semanage policy for semodule from Dan Walsh.

- Remove allow_execmem from targeted policy domain_base_type().

- Add users_extra and seusers support.

- Postfix fixes from Serge Hallyn.

- Run python and shell directly to interpret scripts so policy

  sources need not be executable.

- Add desc tag XML to booleans and tunables, and add summary

  to param XML tag, to make future translations possible.

- Remove unused lvm_vg_t.

- Many interface renames to improve naming consistency.

- Merge xdm into xserver.

- Remove kernel module reversed interfaces.

- Add filename attribute to module XML tag and lineno attribute to

  interface XML tag.

- Changed QUIET build option to a yes or no option.

- Add a Makefile used for compiling loadable modules in a

  user's development environment, building against policy headers.

- Add Make target for installing policy headers.

- Separate per-userdomain template expansion from the userdomain

  module and add infrastructure to expand templates in the modules

  that own the template.

- Enable secadm only for MLS policies.

- Remove role change rules in su and sudo since this functionality has been

  removed from these programs.

- Add ctags Make target from Thomas Bleher.

- Collapse commands with grep piped to sed into one sed command.

- Fix type_change bug in term_user_pty().

- Move ice_tmp_t from miscfiles to xserver.

- Login fixes from Serge Hallyn.

- Move xserver_log_t from xdm to xserver.

- Add lpr per-userdomain policy to lpd.

- Miscellaneous fixes from Dan Walsh.

- Change initrc_var_run_t interface noun from script_pid to utmp,

  for greater clarity.

- Added modules:

	certwatch

	mono (Dan Walsh)

	mrtg

	portage

	tvtime

	userhelper

	usernetctl

	wine (Dan Walsh)

	xserver

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117

- Adds support for generating corenetwork interfaces based on attributes 

  in addition to types.

- Permits the listing of multiple nodes in a network_node() that will be

  given the same type.

- Add two new permission sets for stream sockets.

- Rename file type transition interfaces verb from create to

  filetrans to differentiate it from create interfaces without

  type transitions.

- Fix expansion of interfaces from disabled modules.

- Rsync can be long running from init,

  added rules to allow this.

- Add polyinstantiation build option.

- Add setcontext to the association object class.

- Add apache relay and db connect tunables.

- Rename texrel_shlib_t to textrel_shlib_t.

- Add swat to samba module.

- Numerous miscellaneous fixes from Dan Walsh.

- Added modules:

	alsa

	automount

	cdrecord

	daemontools (Petre Rodan)

	ddcprobe

	djbdns (Petre Rodan)

	fetchmail

	irc

	java

	lockdev

	logwatch (Dan Walsh)

	openct

	prelink (Dan Walsh)

	publicfile (Petre Rodan)

	readahead

	roundup

	screen

	slocate (Dan Walsh)

	slrnpull

	smartmon

	sysstat

	ucspitcp (Petre Rodan)

	usbmodules

	vbetool (Dan Walsh)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207

- Add unlabeled IPSEC association rule to domains with

  networking permissions.

- Merge systemuser back in to users, as these files

  do not need to be split.

- Add check for duplicate interface/template definitions.

- Move domain, files, and corecommands modules to kernel

  layer to resolve some layering inconsistencies.

- Move policy build options out of Makefile into build.conf.

- Add yppasswd to nis module.

- Change optional_policy() to refer to the module name

  rather than modulename.te.

- Fix labeling targets to use installed file_contexts rather

  than partial file_contexts in the policy source directory.

- Fix build process to use make's internal vpath functions

  to detect modules rather than using subshells and find.

- Add install target for modular policy.

- Add load target for modular policy.

- Add appconfig dependency to the load target.

- Miscellaneous fixes from Dan Walsh.

- Fix corenetwork gen_context()'s to expand during the policy

  build phase instead of during the generation phase.  

- Added policies:

	amanda

	avahi

	canna

	cyrus

	dbskk

	dovecot

	distcc

	i18n_input

	irqbalance

	lpd

	networkmanager

	pegasus

	postfix

	procmail

	radius

	rdisc

	rpc

	spamassassin

	timidity

	xdm

	xfs

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019

- Many fixes to make loadable modules build.

- Add targets for sechecker.

- Updated to sedoctool to read bool files and tunable

  files separately.

- Changed the xml tag of <boolean> to <bool> to be consistent

  with gen_bool().

- Modified the implementation of segenxml to use regular

  expressions.

- Rename context_template() to gen_context() to clarify

  that its not a Reference Policy template, but a support

  macro.

- Add disable_*_trans bool support for targeted policy.

- Add MLS module to handle MLS constraint exceptions,

  such as reading up and writing down.

- Fix errors uncovered by sediff.

- Added policies:

	anaconda

	apache

	apm

	arpwatch

	bluetooth

	dmidecode

	finger

	ftp

	kudzu

	mailman

	ppp

	radvd

	sasl

	webalizer

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922

- Make logrotate, sendmail, sshd, and rpm policies

  unconfined in the targeted policy so no special

  modules.conf is required.

- Add experimental MCS support.

- Add appconfig for MLS.

- Add equivalents for old can_resolve(), can_ldap(), and

  can_portmap() to sysnetwork.

- Fix base module compile issues.

- Added policies:

	cpucontrol

	cvs

	ktalk

	portmap

	postgresql

	rlogin

	samba

	snmp

	stunnel

	telnet

	tftp

	uucp

	vpn

	zebra

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907

- Fix errors uncovered by sediff.

- Doc tool will explicitly say a module does not have interfaces

  or templates on the module page.

- Added policies:

	comsat

	dbus

	dhcp

	dictd

	hal

	inn

	ntp

	squid

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826

- Add Makefile support for building loadable modules.

- Add genclassperms.py tool to add require blocks

  for loadable modules.

- Change sedoctool to make required modules part of base

  by default, otherwise make as modules, in modules.conf.

- Fix segenxml to handle modules with no interfaces.

- Rename ipsec connect interface for consistency.

- Add missing parts of unix stream socket connect interface

  of ipsec.

- Rename inetd connect interface for consistency.

- Rename interface for purging contents of tmp, for clarity,

  since it allows deletion of classes other than file.

- Misc. cleanups.

- Added policies:

	acct

	bind

	firstboot

	gpm

	howl

	ldap

	loadkeys

	mysql

	privoxy

	quota

	rshd

	rsync

	su

	sudo

	tcpd

	tmpreaper

	updfstab

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802

- Fix comparison bug in fc_sort.

- Fix handling of ordered and unordered HTML lists.

- Corenetwork now supports multiple network interfaces having the

  same type.

- Doc tool now creates pages for global Booleans and global tunables.

- Doc tool now links directly to the interface/template in the

  module page when it is selected in the interface/template index.

- Added support for layer summaries.

- Added policies:

	ipsec

	nscd

	pcmcia

	raid

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707

- Changed xml to have modules encapsulated by layer tags, rather

  than putting layer="foo" in the module tags.  Also in the future

  we can put a summary and description for each layer.

- Added tool to infer interface, module, and layer tags.  This will

  now list all interfaces, even if they are missing xml docs.

- Shortened xml tag names.

- Added macros to declare interfaces and templates.

- Added interface call trace.

- Updated all xml documentation for shorter and inferred tags.

- Doc tool now displays templates in the web pages.

- Doc tool retains the user's settings in modules.conf and

  tunables.conf if the files already exist.

- Modules.conf behavior has been changed to be a list of all

  available modules, and the user can specify if the module is

  built as a loadable module, included in the monolithic policy,

  or excluded.

- Added policies:

	fstools (fsck, mkfs, swapon, etc. tools)

	logrotate

	inetd

	kerberos

	nis (ypbind and ypserv)

	ssh (server, client, and agent)

	unconfined

- Added infrastructure for targeted policy support, only missing

	transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615

	- Initial release