2.5-rc1 2016-01-07
	* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
	* fix double free on name-based type transitions, from Stephen Smalley.
	* switch operations to extended perms, from Jeff Vander Stoep.
	* policy_define.c: fix compiler warnings, from Nick Kralevich.
	* Remove uses of -Wno-return-type, from Dan Albert.
	* Fix -Wreturn-type issues, from Dan Albert.
	* dispol: display operations as ranges, from Jeff Vander Stoep.
	* dispol: Extend to display operations, from Stephen Smalley.
	* Add support for ioctl command whitelisting, from Jeff Vander Stoep.
	* Add option to write CIL policy, from James Carter
	* Add device tree ocontext nodes to Xen policy, from Daniel De Graaf.
	* Widen Xen IOMEM context entries, from Daniel De Graaf.
	* Expand allowed character set in paths, from Daniel De Graaf.
	* Fix precedence between number and filesystem tokens, from Stephen Smalley.
	* dispol/dismod fgets function warnings fix, from Emre Can Kucukoglu.

2.4 2015-02-02
	* Fix bugs found by hardened gcc flags, from Nicolas Iooss.
	* Add missing semicolon in cond_else parser rule, from Steven Capelli.
	* Clear errno before call to strtol(3) from Dan Albert.
	* Global C++11 compatibility from Dan Albert.
	* Allow libsepol C++ static library on device from Daniel Cashman.

2.3 2014-05-06
	* Add Android support for building dispol.
	* Report source file and line information for neverallow failures.
	* Prevent incompatible option combinations for checkmodule.
	* Drop -lselinux from LDLIBS for test programs; not used.
	* Add debug feature to display constraints/validatetrans from Richard Haines.

2.2 2013-10-30
	* Fix hyphen usage in man pages from Laurent Bigonville.
	* handle-unknown / -U required argument fix from Laurent Bigonville.
	* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
	* Support space and : in filenames from Dan Walsh.

2.1.12 2013-02-01
	* Fix errors found by coverity
	* implement default type policy syntax
	* Free allocated memory when clean up / exit.

2.1.11 2012-09-13
	* fd leak reading policy
	* check return code on ebitmap_set_bit

2.1.10 2012-06-28
	* sepolgen: We need to support files that have a + in them
	* Android/MacOS X build support

2.1.9 2012-03-28
	* implement new default labeling behaviors for usr, role, range
	* Fix dead links to www.nsa.gov/selinux

2.1.8 2011-12-21
	* add new helper to translate class sets into bitmaps

2.1.7 2011-12-05
	* dis* fixed signed vs unsigned errors
	* dismod: fix unused parameter errors
	* test: Makefile: include -W and -Werror
	* allow ~ in filename transition rules

2.1.6 2011-11-03
	* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
	* drop libsepol dynamic link in checkpolicy

2.1.5 2011-09-15
	* Separate tunable from boolean during compile.

2.1.4 2011-08-26
	* checkpolicy: fix spacing in output message

2.1.3 2011-08-17
	* add missing ; to attribute_role_def
	* Redo filename/filesystem syntax to support filename trans

2.1.2 2011-08-02
	* .gitignore changes
	* dispol output of role trans
	* man page update: build a module with an older policy version

2.1.1 2011-08-01
	* Minor updates to filename trans rule output in dis{mod,pol}

2.1.0 2011-07-27
	* Release, minor version bump

2.0.27 2011-07-25
	* Add role attribute support by Harry Ciao

2.0.26 2011-05-16
	* Wrap file names in filename transitions with quotes by Steve Lawrence.
	* Allow filesystem names to start with a digit by James Carter.

2.0.25 2011-05-02
	* Add support for using the last path component in type transitions by Eric
	  Paris.
	* Allow single digit module versions by Daniel Walsh.
	* Use better filename identifier for filenames by Daniel Walsh.
	* Use #defines for dismod selections by Eric Paris.

2.0.24 2011-04-11
	* Add new class field in role_transition by Harry Ciao.

2.0.23 2010-12-16
	* Remove unused variables to fix compilation under GCC 4.6 by Justin Mattock

2.0.22 2010-06-14
	* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence

2.0.21 2009-11-27
	* Add long options to checkpolicy and checkmodule by Guido
	  Trentalancia <guido (a] trentalancia.com>

2.0.20 2009-10-14
	* Add support for building Xen policies from Paul Nuzzi.

2.0.19 2009-02-18
	* Fix alias field in module format, caused by boundary format change
	  from Caleb Case.

2.0.18 2008-10-14
	* Properly escape regex symbols in the lexer from Stephen Smalley.

2.0.17 2008-10-09
	* Add bounds support from KaiGai Kohei.

2.0.16 2008-05-27
	* Update checkpolicy for user and role mapping support from Joshua Brindle.

2.0.15 2008-05-05
	* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
	  Resolves bug 444451.

2.0.14 2008-03-24
	* Add permissive domain support from Eric Paris.

2.0.13 2008-03-05
	* Split out non-grammar parts of policy_parse.yacc into
	  policy_define.c and policy_define.h from Todd C. Miller.

2.0.12 2008-03-04
	* Initialize struct policy_file before using it, from Todd C. Miller.

2.0.11 2008-03-03
	* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.

2.0.10 2008-02-28
	* Use yyerror2() where appropriate from Todd C. Miller.

2.0.9 2008-02-04
	* Update dispol for libsepol avtab changes from Stephen Smalley.

2.0.8 2008-01-24
	* Deprecate role dominance in parser.

2.0.7 2008-01-02
	* Added support for policy capabilities from Todd Miller.

2.0.6 2007-11-15
	* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".

2.0.5 2007-11-01
	* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.

2.0.4 2007-09-18
	* Merged handle unknown policydb flag support from Eric Paris.
	  Adds new command line options -U {allow, reject, deny} for selecting
	  the flag when a base module or kernel policy is built.

2.0.3 2007-05-31
	* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
	* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.

2.0.2 2007-04-12
	* Merged checkmodule man page fix from Dan Walsh.

2.0.1 2007-02-20
	* Merged patch to allow dots in class identifiers from Caleb Case.

2.0.0 2007-02-01
	* Merged patch to use new libsepol error codes by Karl MacMillan.

1.34.0 2007-01-18
	* Updated version for stable branch.

1.33.1 2006-11-13
	* Collapse user identifiers and identifiers together.

1.32 2006-10-17
	* Updated version for release.

1.30.12 2006-09-28
	* Merged user and range_transition support for modules from
	  Darrel Goeddel

1.30.11 2006-09-05
	* merged range_transition enhancements and user module format
	  changes from Darrel Goeddel

1.30.10 2006-08-03
	* Merged symtab datum patch from Karl MacMillan.

1.30.9 2006-06-29
	* Lindent.

1.30.8 2006-06-29
	* Merged patch to remove TE rule conflict checking from the parser
	  from Joshua Brindle. This can only be done properly by the
	  expander.

1.30.7 2006-06-27
	* Merged patch to make checkpolicy/checkmodule handling of
	  duplicate/conflicting TE rules the same as the expander
	  from Joshua Brindle.

1.30.6 2006-06-26
	* Merged optionals in base take 2 patch set from Joshua Brindle.

1.30.5 2006-05-05
	* Merged compiler cleanup patch from Karl MacMillan.
	* Merged fix warnings patch from Karl MacMillan.

1.30.4 2006-04-05
	* Changed require_class to reject permissions that have not been
	  declared if building a base module.

1.30.3 2006-03-28
	* Fixed checkmodule to call link_modules prior to expand_module
	  to handle optionals.

1.30.2 2006-03-28
	* Fixed require_class to avoid shadowing permissions already defined
	  in an inherited common definition.

1.30.1 2006-03-22
	* Moved processing of role and user require statements to 2nd pass.

1.30 2006-03-14
	* Updated version for release.

1.29.5 2006-03-09
	* Fixed bug in role dominance (define_role_dom).

1.29.4 2006-02-14
	* Added a check for failure to declare each sensitivity in
	  a level definition.

1.29.3 2006-02-13
	* Changed to clone level data for aliased sensitivities to
	  avoid double free upon sens_destroy. Bug reported by Kevin
	  Carr of Tresys Technology.

1.29.2 2006-02-13
	* Merged optionals in base patch from Joshua Brindle.

1.29.1 2006-02-01
	* Merged sepol_av_to_string patch from Joshua Brindle.

1.28 2005-12-07
	* Updated version for release.

1.27.20 2005-12-02
	* Merged checkmodule man page from Dan Walsh, and edited it.

1.27.19 2005-12-01
	* Added error checking of all ebitmap_set_bit calls for out of
	  memory conditions.

1.27.18 2005-12-01
	* Merged removal of compatibility handling of netlink classes
	  (requirement that policies with newer versions include the
	  netlink class definitions, remapping of fine-grained netlink
	  classes in newer source policies to single netlink class when
	  generating older policies) from George Coker.

1.27.17 2005-10-25
	* Merged dismod fix from Joshua Brindle.

1.27.16 2005-10-20
	* Removed obsolete cond_check_type_rules() function and call and
	  cond_optimize_lists() call from checkpolicy.c; these are handled
	  during parsing and expansion now.

1.27.15 2005-10-19
	* Updated calls to expand_module for interface change.

1.27.14 2005-10-19
	* Changed checkmodule to verify that expand_module succeeds
	  when building base modules.

1.27.13 2005-10-19
	* Merged module compiler fixes from Joshua Brindle.

1.27.12 2005-10-19
	* Removed direct calls to hierarchy_check_constraints() and
	  check_assertions() from checkpolicy since they are now called
	  internally by expand_module().

1.27.11 2005-10-18
	* Updated for changes to sepol policydb_index_others interface.

1.27.10 2005-10-17
	* Updated for changes to sepol expand_module and link_modules interfaces.

1.27.9 2005-10-13
	* Merged support for require blocks inside conditionals from
	  Joshua Brindle (Tresys).

1.27.8 2005-10-06
	* Updated for changes to libsepol.

1.27.7 2005-10-05
	* Merged several bug fixes from Joshua Brindle (Tresys).

1.27.6 2005-10-03
	* Merged MLS in modules patch from Joshua Brindle (Tresys).

1.27.5 2005-09-28
	* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).

1.27.4 2005-09-26
	* Merged bugfix for dup role transition error messages from
	  Karl MacMillan (Tresys).

1.27.3 2005-09-23
	* Merged policyver/modulever patches from Joshua Brindle (Tresys).

1.27.2 2005-09-20
	* Fixed parse_categories handling of undefined category.

1.27.1 2005-09-16
	* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).

1.26 2005-09-06
	* Updated version for release.

1.25.12 2005-08-22
	* Fixed handling of validatetrans constraint expressions.
	  Bug reported by Dan Walsh for checkpolicy -M.

1.25.11 2005-08-18
	* Merged use-after-free fix from Serge Hallyn (IBM).
	  Bug found by Coverity.

1.25.10 2005-08-15
	* Fixed further memory leaks found by valgrind.

1.25.9 2005-08-15
	* Changed checkpolicy to destroy the policydbs prior to exit
	  to allow leak detection.
	* Fixed several memory leaks found by valgrind.

1.25.8 2005-08-11
	* Updated checkpolicy and dispol for the new avtab format.
	  Converted users of ebitmaps to new inline operators.
	  Note: The binary policy format version has been incremented to
	  version 20 as a result of these changes. To build a policy
	  for a kernel that does not yet include these changes, use
	  the -c 19 option to checkpolicy.

1.25.7 2005-08-11
	* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).

1.25.6 2005-08-10
	* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).

1.25.5 2005-08-09
	* Fixed call to hierarchy checking code to pass the right policydb.

1.25.4 2005-08-02
	* Merged patch to update dismod for the relocation of the
	  module read/write code from libsemanage to libsepol, and
	  to enable build of test subdirectory from Jason Tang (Tresys).

1.25.3 2005-07-18
	* Merged hierarchy check fix from Joshua Brindle (Tresys).

1.25.2 2005-07-06
	* Merged loadable module support from Tresys Technology.

1.25.1 2005-06-24
	* Merged patch to prohibit the use of * and ~ in type sets
	  (other than in neverallow statements) and in role sets
	  from Joshua Brindle (Tresys).

1.24 2005-06-20
	* Updated version for release.

1.23.4 2005-05-19
	* Merged cleanup patch from Dan Walsh.

1.23.3 2005-05-13
	* Added sepol_ prefix to Flask types to avoid namespace
	  collision with libselinux.

1.23.2 2005-04-29
	* Merged identifier fix from Joshua Brindle (Tresys).

1.23.1 2005-04-13
	* Merged hierarchical type/role patch from Tresys Technology.
	* Merged MLS fixes from Darrel Goeddel of TCS.

1.22 2005-03-09
	* Updated version for release.

1.21.4 2005-02-17
	* Moved genpolusers utility to libsepol.
	* Merged range_transition support from Darrel Goeddel (TCS).

1.21.3 2005-02-16
	* Merged define_user() cleanup patch from Darrel Goeddel (TCS).

1.21.2 2005-02-09
	* Changed relabel Makefile target to use restorecon.

1.21.1 2005-01-26
	* Merged enhanced MLS support from Darrel Goeddel (TCS).

1.20 2005-01-04
	* Merged typeattribute statement patch from Darrel Goeddel of TCS.
	* Changed genpolusers to handle multiple user config files.
	* Merged nodecon ordering patch from Chad Hanson of TCS.

1.18 2004-10-07
	* MLS build fix.
	* Fixed Makefile dependencies (Chris PeBenito).
	* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
	* Preserve portcon ordering and apply more checking.

1.16 2004-08-13
	* Allow empty conditional clauses.
	* Moved genpolbools utility to libsepol.
	* Updated for libsepol set functions.
	* Changed to link with libsepol.a.
	* Moved core functionality into libsepol.
	* Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
	* Added genpolusers program.
	* Fixed bug in checkpolicy conditional code.

1.14 2004-06-28
	* Merged fix for MLS logic from Daniel Thayer of TCS.
	* Require semicolon terminator for typealias statement.

1.12 2004-06-16
	* Merged fine-grained netlink class support.

1.10 2004-04-07
	* Merged ipv6 support from James Morris of RedHat.
	* Fixed compute_av bug discovered by Chad Hanson of TCS.

1.8 2004-03-09
	* Merged policydb MLS patch from Chad Hanson of TCS.
	* Fixed mmap of policy file.

1.6 2004-02-18
	* Merged conditional policy extensions from Tresys Technology.
	* Added typealias declaration support per Russell Coker's request.
	* Added support for excluding types from type sets based on
	  a patch by David Caplan, but reimplemented as a change to the
	  policy grammar.
	* Merged patch from Colin Walters to report source file name and line
	  number for errors when available.
	* Un-deprecated role transitions.

1.4 2003-12-01
	* Regenerated headers.
	* Merged patches from Bastian Blank and Joerg Hoh.

1.2 2003-09-30
	* Merged MLS build patch from Karl MacMillan of Tresys.
	* Merged checkpolicy man page from Magosanyi Arpad.

1.1 2003-08-13
	* Fixed endian bug in policydb_write for behavior value.
	* License -> GPL.
	* Merged coding style cleanups from James Morris.

1.0 2003-07-11
	* Initial public release.