472 lines
14 KiB
Text
472 lines
14 KiB
Text
* Add option to write CIL policy, from James Carter
|
|
* Add device tree ocontext nodes to Xen policy, from Daniel De Graaf.
|
|
* Widen Xen IOMEM context entries, from Daniel De Graaf.
|
|
* Expand allowed character set in paths, from Daniel De Graaf.
|
|
* Fix precedence between number and filesystem tokens, from Stephen Smalley.
|
|
* dispol/dismod fgets function warnings fix, from Emre Can Kucukoglu.
|
|
|
|
2.4 2015-02-02
|
|
* Fix bugs found by hardened gcc flags, from Nicolas Iooss.
|
|
* Add missing semicolon in cond_else parser rule, from Steven Capelli.
|
|
* Clear errno before call to strtol(3) from Dan Albert.
|
|
* Global C++11 compatibility from Dan Albert.
|
|
* Allow libsepol C++ static library on device from Daniel Cashman.
|
|
|
|
2.3 2014-05-06
|
|
* Add Android support for building dispol.
|
|
* Report source file and line information for neverallow failures.
|
|
* Prevent incompatible option combinations for checkmodule.
|
|
* Drop -lselinux from LDLIBS for test programs; not used.
|
|
* Add debug feature to display constraints/validatetrans from Richard Haines.
|
|
|
|
2.2 2013-10-30
|
|
* Fix hyphen usage in man pages from Laurent Bigonville.
|
|
* handle-unknown / -U required argument fix from Laurent Bigonville.
|
|
* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
|
|
* Support space and : in filenames from Dan Walsh.
|
|
|
|
2.1.12 2013-02-01
|
|
* Fix errors found by coverity
|
|
* implement default type policy syntax
|
|
* Free allocated memory when clean up / exit.
|
|
|
|
2.1.11 2012-09-13
|
|
* fd leak reading policy
|
|
* check return code on ebitmap_set_bit
|
|
|
|
2.1.10 2012-06-28
|
|
* sepolgen: We need to support files that have a + in them
|
|
* Android/MacOS X build support
|
|
|
|
2.1.9 2012-03-28
|
|
* implement new default labeling behaviors for usr, role, range
|
|
* Fix dead links to www.nsa.gov/selinux
|
|
|
|
2.1.8 2011-12-21
|
|
* add new helper to translate class sets into bitmaps
|
|
|
|
2.1.7 2011-12-05
|
|
* dis* fixed signed vs unsigned errors
|
|
* dismod: fix unused parameter errors
|
|
* test: Makefile: include -W and -Werror
|
|
* allow ~ in filename transition rules
|
|
|
|
2.1.6 2011-11-03
|
|
* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
|
|
* drop libsepol dynamic link in checkpolicy
|
|
|
|
2.1.5 2011-09-15
|
|
* Separate tunable from boolean during compile.
|
|
|
|
2.1.4 2011-08-26
|
|
* checkpolicy: fix spacing in output message
|
|
|
|
2.1.3 2011-08-17
|
|
* add missing ; to attribute_role_def
|
|
*Redo filename/filesystem syntax to support filename trans
|
|
|
|
2.1.2 2011-08-02
|
|
* .gitignore changes
|
|
* dispol output of role trans
|
|
* man page update: build a module with an older policy version
|
|
|
|
2.1.1 2011-08-01
|
|
* Minor updates to filename trans rule output in dis{mod,pol}
|
|
|
|
2.1.0 2011-07-27
|
|
* Release, minor version bump
|
|
|
|
2.0.27 2011-07-25
|
|
* Add role attribute support by Harry Ciao
|
|
|
|
2.0.26 2011-05-16
|
|
* Wrap file names in filename transitions with quotes by Steve Lawrence.
|
|
* Allow filesystem names to start with a digit by James Carter.
|
|
|
|
2.0.25 2011-05-02
|
|
* Add support for using the last path compnent in type transitions by Eric
|
|
Paris.
|
|
* Allow single digit module versions by Daniel Walsh.
|
|
* Use better filename identifier for filenames by Daniel Walsh.
|
|
* Use #defines for dismod selections by Eric Paris.
|
|
|
|
2.0.24 2011-04-11
|
|
* Add new class field in role_transition by Harry Ciao.
|
|
|
|
2.0.23 2010-12-16
|
|
* Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
|
|
|
|
2.0.22 2010-06-14
|
|
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
|
|
|
|
2.0.21 2009-11-27
|
|
* Add long options to checkpolicy and checkmodule by Guido
|
|
Trentalancia <guido@trentalancia.com>
|
|
|
|
2.0.20 2009-10-14
|
|
* Add support for building Xen policies from Paul Nuzzi.
|
|
|
|
2.0.19 2009-02-18
|
|
* Fix alias field in module format, caused by boundary format change
|
|
from Caleb Case.
|
|
|
|
2.0.18 2008-10-14
|
|
* Properly escape regex symbols in the lexer from Stephen Smalley.
|
|
|
|
2.0.17 2008-10-09
|
|
* Add bounds support from KaiGai Kohei.
|
|
|
|
2.0.16 2008-05-27
|
|
* Update checkpolicy for user and role mapping support from Joshua Brindle.
|
|
|
|
2.0.15 2008-05-05
|
|
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
|
|
Resolves bug 444451.
|
|
|
|
2.0.14 2008-03-24
|
|
* Add permissive domain support from Eric Paris.
|
|
|
|
2.0.13 2008-03-05
|
|
* Split out non-grammar parts of policy_parse.yacc into
|
|
policy_define.c and policy_define.h from Todd C. Miller.
|
|
|
|
2.0.12 2008-03-04
|
|
* Initialize struct policy_file before using it, from Todd C. Miller.
|
|
|
|
2.0.11 2008-03-03
|
|
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
|
|
|
|
2.0.10 2008-02-28
|
|
* Use yyerror2() where appropriate from Todd C. Miller.
|
|
|
|
2.0.9 2008-02-04
|
|
* Update dispol for libsepol avtab changes from Stephen Smalley.
|
|
|
|
2.0.8 2008-01-24
|
|
* Deprecate role dominance in parser.
|
|
|
|
2.0.7 2008-01-02
|
|
* Added support for policy capabilities from Todd Miller.
|
|
|
|
2.0.6 2007-11-15
|
|
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
|
|
|
|
2.0.5 2007-11-01
|
|
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
|
|
|
|
2.0.4 2007-09-18
|
|
* Merged handle unknown policydb flag support from Eric Paris.
|
|
Adds new command line options -U {allow, reject, deny} for selecting
|
|
the flag when a base module or kernel policy is built.
|
|
|
|
2.0.3 2007-05-31
|
|
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
|
|
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
|
|
|
|
2.0.2 2007-04-12
|
|
* Merged checkmodule man page fix from Dan Walsh.
|
|
|
|
2.0.1 2007-02-20
|
|
* Merged patch to allow dots in class identifiers from Caleb Case.
|
|
|
|
2.0.0 2007-02-01
|
|
* Merged patch to use new libsepol error codes by Karl MacMillan.
|
|
|
|
1.34.0 2007-01-18
|
|
* Updated version for stable branch.
|
|
|
|
1.33.1 2006-11-13
|
|
* Collapse user identifiers and identifiers together.
|
|
|
|
1.32 2006-10-17
|
|
* Updated version for release.
|
|
|
|
1.30.12 2006-09-28
|
|
* Merged user and range_transition support for modules from
|
|
Darrel Goeddel
|
|
|
|
1.30.11 2006-09-05
|
|
* merged range_transition enhancements and user module format
|
|
changes from Darrel Goeddel
|
|
|
|
1.30.10 2006-08-03
|
|
* Merged symtab datum patch from Karl MacMillan.
|
|
|
|
1.30.9 2006-06-29
|
|
* Lindent.
|
|
|
|
1.30.8 2006-06-29
|
|
* Merged patch to remove TE rule conflict checking from the parser
|
|
from Joshua Brindle. This can only be done properly by the
|
|
expander.
|
|
|
|
1.30.7 2006-06-27
|
|
* Merged patch to make checkpolicy/checkmodule handling of
|
|
duplicate/conflicting TE rules the same as the expander
|
|
from Joshua Brindle.
|
|
|
|
1.30.6 2006-06-26
|
|
* Merged optionals in base take 2 patch set from Joshua Brindle.
|
|
|
|
1.30.5 2006-05-05
|
|
* Merged compiler cleanup patch from Karl MacMillan.
|
|
* Merged fix warnings patch from Karl MacMillan.
|
|
|
|
1.30.4 2006-04-05
|
|
* Changed require_class to reject permissions that have not been
|
|
declared if building a base module.
|
|
|
|
1.30.3 2006-03-28
|
|
* Fixed checkmodule to call link_modules prior to expand_module
|
|
to handle optionals.
|
|
|
|
1.30.2 2006-03-28
|
|
* Fixed require_class to avoid shadowing permissions already defined
|
|
in an inherited common definition.
|
|
|
|
1.30.1 2006-03-22
|
|
* Moved processing of role and user require statements to 2nd pass.
|
|
|
|
1.30 2006-03-14
|
|
* Updated version for release.
|
|
|
|
1.29.5 2006-03-09
|
|
* Fixed bug in role dominance (define_role_dom).
|
|
|
|
1.29.4 2006-02-14
|
|
* Added a check for failure to declare each sensitivity in
|
|
a level definition.
|
|
|
|
1.29.3 2006-02-13
|
|
* Changed to clone level data for aliased sensitivities to
|
|
avoid double free upon sens_destroy. Bug reported by Kevin
|
|
Carr of Tresys Technology.
|
|
|
|
1.29.2 2006-02-13
|
|
* Merged optionals in base patch from Joshua Brindle.
|
|
|
|
1.29.1 2006-02-01
|
|
* Merged sepol_av_to_string patch from Joshua Brindle.
|
|
|
|
1.28 2005-12-07
|
|
* Updated version for release.
|
|
|
|
1.27.20 2005-12-02
|
|
* Merged checkmodule man page from Dan Walsh, and edited it.
|
|
|
|
1.27.19 2005-12-01
|
|
* Added error checking of all ebitmap_set_bit calls for out of
|
|
memory conditions.
|
|
|
|
1.27.18 2005-12-01
|
|
* Merged removal of compatibility handling of netlink classes
|
|
(requirement that policies with newer versions include the
|
|
netlink class definitions, remapping of fine-grained netlink
|
|
classes in newer source policies to single netlink class when
|
|
generating older policies) from George Coker.
|
|
|
|
1.27.17 2005-10-25
|
|
* Merged dismod fix from Joshua Brindle.
|
|
|
|
1.27.16 2005-10-20
|
|
* Removed obsolete cond_check_type_rules() function and call and
|
|
cond_optimize_lists() call from checkpolicy.c; these are handled
|
|
during parsing and expansion now.
|
|
|
|
1.27.15 2005-10-19
|
|
* Updated calls to expand_module for interface change.
|
|
|
|
1.27.14 2005-10-19
|
|
* Changed checkmodule to verify that expand_module succeeds
|
|
when building base modules.
|
|
|
|
1.27.13 2005-10-19
|
|
* Merged module compiler fixes from Joshua Brindle.
|
|
|
|
1.27.12 2005-10-19
|
|
* Removed direct calls to hierarchy_check_constraints() and
|
|
check_assertions() from checkpolicy since they are now called
|
|
internally by expand_module().
|
|
|
|
1.27.11 2005-10-18
|
|
* Updated for changes to sepol policydb_index_others interface.
|
|
|
|
1.27.10 2005-10-17
|
|
* Updated for changes to sepol expand_module and link_modules interfaces.
|
|
|
|
1.27.9 2005-10-13
|
|
* Merged support for require blocks inside conditionals from
|
|
Joshua Brindle (Tresys).
|
|
|
|
1.27.8 2005-10-06
|
|
* Updated for changes to libsepol.
|
|
|
|
1.27.7 2005-10-05
|
|
* Merged several bug fixes from Joshua Brindle (Tresys).
|
|
|
|
1.27.6 2005-10-03
|
|
* Merged MLS in modules patch from Joshua Brindle (Tresys).
|
|
|
|
1.27.5 2005-09-28
|
|
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
|
|
|
|
1.27.4 2005-09-26
|
|
* Merged bugfix for dup role transition error messages from
|
|
Karl MacMillan (Tresys).
|
|
|
|
1.27.3 2005-09-23
|
|
* Merged policyver/modulever patches from Joshua Brindle (Tresys).
|
|
|
|
1.27.2 2005-09-20
|
|
* Fixed parse_categories handling of undefined category.
|
|
|
|
1.27.1 2005-09-16
|
|
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
|
|
|
|
1.26 2005-09-06
|
|
* Updated version for release.
|
|
|
|
1.25.12 2005-08-22
|
|
* Fixed handling of validatetrans constraint expressions.
|
|
Bug reported by Dan Walsh for checkpolicy -M.
|
|
|
|
1.25.11 2005-08-18
|
|
* Merged use-after-free fix from Serge Hallyn (IBM).
|
|
Bug found by Coverity.
|
|
|
|
1.25.10 2005-08-15
|
|
* Fixed further memory leaks found by valgrind.
|
|
|
|
1.25.9 2005-08-15
|
|
* Changed checkpolicy to destroy the policydbs prior to exit
|
|
to allow leak detection.
|
|
* Fixed several memory leaks found by valgrind.
|
|
|
|
1.25.8 2005-08-11
|
|
* Updated checkpolicy and dispol for the new avtab format.
|
|
Converted users of ebitmaps to new inline operators.
|
|
Note: The binary policy format version has been incremented to
|
|
version 20 as a result of these changes. To build a policy
|
|
for a kernel that does not yet include these changes, use
|
|
the -c 19 option to checkpolicy.
|
|
|
|
1.25.7 2005-08-11
|
|
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
|
|
|
|
1.25.6 2005-08-10
|
|
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
|
|
|
|
1.25.5 2005-08-09
|
|
* Fixed call to hierarchy checking code to pass the right policydb.
|
|
|
|
1.25.4 2005-08-02
|
|
* Merged patch to update dismod for the relocation of the
|
|
module read/write code from libsemanage to libsepol, and
|
|
to enable build of test subdirectory from Jason Tang (Tresys).
|
|
|
|
1.25.3 2005-07-18
|
|
* Merged hierarchy check fix from Joshua Brindle (Tresys).
|
|
|
|
1.25.2 2005-07-06
|
|
* Merged loadable module support from Tresys Technology.
|
|
|
|
1.25.1 2005-06-24
|
|
* Merged patch to prohibit the use of * and ~ in type sets
|
|
(other than in neverallow statements) and in role sets
|
|
from Joshua Brindle (Tresys).
|
|
|
|
1.24 2005-06-20
|
|
* Updated version for release.
|
|
|
|
1.23.4 2005-05-19
|
|
* Merged cleanup patch from Dan Walsh.
|
|
|
|
1.23.3 2005-05-13
|
|
* Added sepol_ prefix to Flask types to avoid namespace
|
|
collision with libselinux.
|
|
|
|
1.23.2 2005-04-29
|
|
* Merged identifier fix from Joshua Brindle (Tresys).
|
|
|
|
1.23.1 2005-04-13
|
|
* Merged hierarchical type/role patch from Tresys Technology.
|
|
* Merged MLS fixes from Darrel Goeddel of TCS.
|
|
|
|
1.22 2005-03-09
|
|
* Updated version for release.
|
|
|
|
1.21.4 2005-02-17
|
|
* Moved genpolusers utility to libsepol.
|
|
* Merged range_transition support from Darrel Goeddel (TCS).
|
|
|
|
1.21.3 2005-02-16
|
|
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
|
|
|
|
1.21.2 2005-02-09
|
|
* Changed relabel Makefile target to use restorecon.
|
|
|
|
1.21.1 2005-01-26
|
|
* Merged enhanced MLS support from Darrel Goeddel (TCS).
|
|
|
|
1.20 2005-01-04
|
|
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
|
|
* Changed genpolusers to handle multiple user config files.
|
|
* Merged nodecon ordering patch from Chad Hanson of TCS.
|
|
|
|
1.18 2004-10-07
|
|
* MLS build fix.
|
|
* Fixed Makefile dependencies (Chris PeBenito).
|
|
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
|
|
* Preserve portcon ordering and apply more checking.
|
|
|
|
1.16 2004-08-13
|
|
* Allow empty conditional clauses.
|
|
* Moved genpolbools utility to libsepol.
|
|
* Updated for libsepol set functions.
|
|
* Changed to link with libsepol.a.
|
|
* Moved core functionality into libsepol.
|
|
* Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
|
|
* Added genpolusers program.
|
|
* Fixed bug in checkpolicy conditional code.
|
|
|
|
1.14 2004-06-28
|
|
* Merged fix for MLS logic from Daniel Thayer of TCS.
|
|
* Require semicolon terminator for typealias statement.
|
|
|
|
1.12 2004-06-16
|
|
* Merged fine-grained netlink class support.
|
|
|
|
1.10 2004-04-07
|
|
* Merged ipv6 support from James Morris of RedHat.
|
|
* Fixed compute_av bug discovered by Chad Hanson of TCS.
|
|
|
|
1.8 2004-03-09
|
|
* Merged policydb MLS patch from Chad Hanson of TCS.
|
|
* Fixed mmap of policy file.
|
|
|
|
1.6 2004-02-18
|
|
* Merged conditional policy extensions from Tresys Technology.
|
|
* Added typealias declaration support per Russell Coker's request.
|
|
* Added support for excluding types from type sets based on
|
|
a patch by David Caplan, but reimplemented as a change to the
|
|
policy grammar.
|
|
* Merged patch from Colin Walters to report source file name and line
|
|
number for errors when available.
|
|
* Un-deprecated role transitions.
|
|
|
|
1.4 2003-12-01
|
|
* Regenerated headers.
|
|
* Merged patches from Bastian Blank and Joerg Hoh.
|
|
|
|
1.2 2003-09-30
|
|
* Merged MLS build patch from Karl MacMillan of Tresys.
|
|
* Merged checkpolicy man page from Magosanyi Arpad.
|
|
|
|
1.1 2003-08-13
|
|
* Fixed endian bug in policydb_write for behavior value.
|
|
* License -> GPL.
|
|
* Merged coding style cleanups from James Morris.
|
|
|
|
1.0 2003-07-11
|
|
* Initial public release.
|
|
|