2.1.8 2011-12-21
    * add new helper to translate class sets into bitmaps

2.1.7 2011-12-05
    * dis* fixed signed vs unsigned errors
    * dismod: fix unused parameter errors
    * test: Makefile: include -W and -Werror
    * allow ~ in filename transition rules

2.1.6 2011-11-03
    * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
    * drop libsepol dynamic link in checkpolicy

2.1.5 2011-09-15
    * Separate tunable from boolean during compile.

2.1.4 2011-08-26
    * checkpolicy: fix spacing in output message

2.1.3 2011-08-17
    * add missing ; to attribute_role_def
    * Redo filename/filesystem syntax to support filename trans

2.1.2 2011-08-02
    * .gitignore changes
    * dispol output of role trans
    * man page update: build a module with an older policy version

2.1.1 2011-08-01
    * Minor updates to filename trans rule output in dis{mod,pol}

2.1.0 2011-07-27
    * Release, minor version bump

2.0.27 2011-07-25
    * Add role attribute support by Harry Ciao

2.0.26 2011-05-16
    * Wrap file names in filename transitions with quotes by Steve Lawrence.
    * Allow filesystem names to start with a digit by James Carter.

2.0.25 2011-05-02
    * Add support for using the last path component in type transitions by Eric
      Paris.
    * Allow single digit module versions by Daniel Walsh.
    * Use better filename identifier for filenames by Daniel Walsh.
    * Use #defines for dismod selections by Eric Paris.

2.0.24 2011-04-11
    * Add new class field in role_transition by Harry Ciao.

2.0.23 2010-12-16
    * Remove unused variables to fix compilation under GCC 4.6 by Justin Mattock

2.0.22 2010-06-14
    * Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence

2.0.21 2009-11-27
    * Add long options to checkpolicy and checkmodule by Guido
      Trentalancia <guido (a] trentalancia.com>

2.0.20 2009-10-14
    * Add support for building Xen policies from Paul Nuzzi.

2.0.19 2009-02-18
    * Fix alias field in module format, caused by boundary format change
      from Caleb Case.

2.0.18 2008-10-14
    * Properly escape regex symbols in the lexer from Stephen Smalley.

2.0.17 2008-10-09
    * Add bounds support from KaiGai Kohei.

2.0.16 2008-05-27
    * Update checkpolicy for user and role mapping support from Joshua Brindle.

2.0.15 2008-05-05
    * Fix for policy module versions that look like IPv4 addresses from Jim Carter.
      Resolves bug 444451.

2.0.14 2008-03-24
    * Add permissive domain support from Eric Paris.

2.0.13 2008-03-05
    * Split out non-grammar parts of policy_parse.yacc into
      policy_define.c and policy_define.h from Todd C. Miller.

2.0.12 2008-03-04
    * Initialize struct policy_file before using it, from Todd C. Miller.

2.0.11 2008-03-03
    * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.

2.0.10 2008-02-28
    * Use yyerror2() where appropriate from Todd C. Miller.

2.0.9 2008-02-04
    * Update dispol for libsepol avtab changes from Stephen Smalley.

2.0.8 2008-01-24
    * Deprecate role dominance in parser.

2.0.7 2008-01-02
    * Added support for policy capabilities from Todd Miller.

2.0.6 2007-11-15
    * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".

2.0.5 2007-11-01
    * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.

2.0.4 2007-09-18
    * Merged handle unknown policydb flag support from Eric Paris.
      Adds new command line options -U {allow, reject, deny} for selecting
      the flag when a base module or kernel policy is built.

2.0.3 2007-05-31
    * Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
    * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.

2.0.2 2007-04-12
    * Merged checkmodule man page fix from Dan Walsh.

2.0.1 2007-02-20
    * Merged patch to allow dots in class identifiers from Caleb Case.

2.0.0 2007-02-01
    * Merged patch to use new libsepol error codes by Karl MacMillan.

1.34.0 2007-01-18
    * Updated version for stable branch.

1.33.1 2006-11-13
    * Collapse user identifiers and identifiers together.

1.32 2006-10-17
    * Updated version for release.

1.30.12 2006-09-28
    * Merged user and range_transition support for modules from
      Darrel Goeddel

1.30.11 2006-09-05
    * merged range_transition enhancements and user module format
      changes from Darrel Goeddel

1.30.10 2006-08-03
    * Merged symtab datum patch from Karl MacMillan.

1.30.9 2006-06-29
    * Lindent.

1.30.8 2006-06-29
    * Merged patch to remove TE rule conflict checking from the parser
      from Joshua Brindle. This can only be done properly by the
      expander.

1.30.7 2006-06-27
    * Merged patch to make checkpolicy/checkmodule handling of
      duplicate/conflicting TE rules the same as the expander
      from Joshua Brindle.

1.30.6 2006-06-26
    * Merged optionals in base take 2 patch set from Joshua Brindle.

1.30.5 2006-05-05
    * Merged compiler cleanup patch from Karl MacMillan.
    * Merged fix warnings patch from Karl MacMillan.

1.30.4 2006-04-05
    * Changed require_class to reject permissions that have not been
      declared if building a base module.

1.30.3 2006-03-28
    * Fixed checkmodule to call link_modules prior to expand_module
      to handle optionals.

1.30.2 2006-03-28
    * Fixed require_class to avoid shadowing permissions already defined
      in an inherited common definition.

1.30.1 2006-03-22
    * Moved processing of role and user require statements to 2nd pass.

1.30 2006-03-14
    * Updated version for release.

1.29.5 2006-03-09
    * Fixed bug in role dominance (define_role_dom).

1.29.4 2006-02-14
    * Added a check for failure to declare each sensitivity in
      a level definition.

1.29.3 2006-02-13
    * Changed to clone level data for aliased sensitivities to
      avoid double free upon sens_destroy. Bug reported by Kevin
      Carr of Tresys Technology.

1.29.2 2006-02-13
    * Merged optionals in base patch from Joshua Brindle.

1.29.1 2006-02-01
    * Merged sepol_av_to_string patch from Joshua Brindle.

1.28 2005-12-07
    * Updated version for release.

1.27.20 2005-12-02
    * Merged checkmodule man page from Dan Walsh, and edited it.

1.27.19 2005-12-01
    * Added error checking of all ebitmap_set_bit calls for out of
      memory conditions.

1.27.18 2005-12-01
    * Merged removal of compatibility handling of netlink classes
      (requirement that policies with newer versions include the
      netlink class definitions, remapping of fine-grained netlink
      classes in newer source policies to single netlink class when
      generating older policies) from George Coker.

1.27.17 2005-10-25
    * Merged dismod fix from Joshua Brindle.

1.27.16 2005-10-20
    * Removed obsolete cond_check_type_rules() function and call and
      cond_optimize_lists() call from checkpolicy.c; these are handled
      during parsing and expansion now.

1.27.15 2005-10-19
    * Updated calls to expand_module for interface change.

1.27.14 2005-10-19
    * Changed checkmodule to verify that expand_module succeeds
      when building base modules.

1.27.13 2005-10-19
    * Merged module compiler fixes from Joshua Brindle.

1.27.12 2005-10-19
    * Removed direct calls to hierarchy_check_constraints() and
      check_assertions() from checkpolicy since they are now called
      internally by expand_module().

1.27.11 2005-10-18
    * Updated for changes to sepol policydb_index_others interface.

1.27.10 2005-10-17
    * Updated for changes to sepol expand_module and link_modules interfaces.

1.27.9 2005-10-13
    * Merged support for require blocks inside conditionals from
      Joshua Brindle (Tresys).

1.27.8 2005-10-06
    * Updated for changes to libsepol.

1.27.7 2005-10-05
    * Merged several bug fixes from Joshua Brindle (Tresys).

1.27.6 2005-10-03
    * Merged MLS in modules patch from Joshua Brindle (Tresys).

1.27.5 2005-09-28
    * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).

1.27.4 2005-09-26
    * Merged bugfix for dup role transition error messages from
      Karl MacMillan (Tresys).

1.27.3 2005-09-23
    * Merged policyver/modulever patches from Joshua Brindle (Tresys).

1.27.2 2005-09-20
    * Fixed parse_categories handling of undefined category.

1.27.1 2005-09-16
    * Merged bug fix for role dominance handling from Darrel Goeddel (TCS).

1.26 2005-09-06
    * Updated version for release.

1.25.12 2005-08-22
    * Fixed handling of validatetrans constraint expressions.
      Bug reported by Dan Walsh for checkpolicy -M.

1.25.11 2005-08-18
    * Merged use-after-free fix from Serge Hallyn (IBM).
      Bug found by Coverity.

1.25.10 2005-08-15
    * Fixed further memory leaks found by valgrind.

1.25.9 2005-08-15
    * Changed checkpolicy to destroy the policydbs prior to exit
      to allow leak detection.
    * Fixed several memory leaks found by valgrind.

1.25.8 2005-08-11
    * Updated checkpolicy and dispol for the new avtab format.
      Converted users of ebitmaps to new inline operators.
      Note: The binary policy format version has been incremented to
      version 20 as a result of these changes. To build a policy
      for a kernel that does not yet include these changes, use
      the -c 19 option to checkpolicy.

1.25.7 2005-08-11
    * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).

1.25.6 2005-08-10
    * Merged patch to fix dismod compilation from Joshua Brindle (Tresys).

1.25.5 2005-08-09
    * Fixed call to hierarchy checking code to pass the right policydb.

1.25.4 2005-08-02
    * Merged patch to update dismod for the relocation of the
      module read/write code from libsemanage to libsepol, and
      to enable build of test subdirectory from Jason Tang (Tresys).

1.25.3 2005-07-18
    * Merged hierarchy check fix from Joshua Brindle (Tresys).

1.25.2 2005-07-06
    * Merged loadable module support from Tresys Technology.

1.25.1 2005-06-24
    * Merged patch to prohibit the use of * and ~ in type sets
      (other than in neverallow statements) and in role sets
      from Joshua Brindle (Tresys).

1.24 2005-06-20
    * Updated version for release.

1.23.4 2005-05-19
    * Merged cleanup patch from Dan Walsh.

1.23.3 2005-05-13
    * Added sepol_ prefix to Flask types to avoid namespace
      collision with libselinux.

1.23.2 2005-04-29
    * Merged identifier fix from Joshua Brindle (Tresys).

1.23.1 2005-04-13
    * Merged hierarchical type/role patch from Tresys Technology.
    * Merged MLS fixes from Darrel Goeddel of TCS.

1.22 2005-03-09
    * Updated version for release.

1.21.4 2005-02-17
    * Moved genpolusers utility to libsepol.
    * Merged range_transition support from Darrel Goeddel (TCS).

1.21.3 2005-02-16
    * Merged define_user() cleanup patch from Darrel Goeddel (TCS).

1.21.2 2005-02-09
    * Changed relabel Makefile target to use restorecon.

1.21.1 2005-01-26
    * Merged enhanced MLS support from Darrel Goeddel (TCS).

1.20 2005-01-04
    * Merged typeattribute statement patch from Darrel Goeddel of TCS.
    * Changed genpolusers to handle multiple user config files.
    * Merged nodecon ordering patch from Chad Hanson of TCS.

1.18 2004-10-07
    * MLS build fix.
    * Fixed Makefile dependencies (Chris PeBenito).
    * Merged fix for role dominance ordering issue from Chad Hanson of TCS.
    * Preserve portcon ordering and apply more checking.

1.16 2004-08-13
    * Allow empty conditional clauses.
    * Moved genpolbools utility to libsepol.
    * Updated for libsepol set functions.
    * Changed to link with libsepol.a.
    * Moved core functionality into libsepol.
    * Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
    * Added genpolusers program.
    * Fixed bug in checkpolicy conditional code.

1.14 2004-06-28
    * Merged fix for MLS logic from Daniel Thayer of TCS.
    * Require semicolon terminator for typealias statement.

1.12 2004-06-16
    * Merged fine-grained netlink class support.

1.10 2004-04-07
    * Merged ipv6 support from James Morris of RedHat.
    * Fixed compute_av bug discovered by Chad Hanson of TCS.

1.8 2004-03-09
    * Merged policydb MLS patch from Chad Hanson of TCS.
    * Fixed mmap of policy file.

1.6 2004-02-18
    * Merged conditional policy extensions from Tresys Technology.
    * Added typealias declaration support per Russell Coker's request.
    * Added support for excluding types from type sets based on
      a patch by David Caplan, but reimplemented as a change to the
      policy grammar.
    * Merged patch from Colin Walters to report source file name and line
      number for errors when available.
    * Un-deprecated role transitions.

1.4 2003-12-01
    * Regenerated headers.
    * Merged patches from Bastian Blank and Joerg Hoh.

1.2 2003-09-30
    * Merged MLS build patch from Karl MacMillan of Tresys.
    * Merged checkpolicy man page from Magosanyi Arpad.

1.1 2003-08-13
    * Fixed endian bug in policydb_write for behavior value.
    * License -> GPL.
    * Merged coding style cleanups from James Morris.

1.0 2003-07-11
    * Initial public release.