blob: 429a16336d63cba5391e6049d4eca6c4ecb7638a [file] [log] [blame]
* Set flex as default lexer, from Julien Pivotto.
* Fix checkmodule output message, from Petr Lautrbach.
* Build policy on systems not supporting DCCP protocol, from Richard Haines.
* Fail if module name different than output base filename, from James Carter
* Add support for portcon dccp protocol, from Richard Haines
2.5 2016-02-23
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
* fix double free on name-based type transitions, from Stephen Smalley.
* switch operations to extended perms, from Jeff Vander Stoep.
* policy_define.c: fix compiler warnings, from Nick Kralevich.
* Remove uses of -Wno-return-type, from Dan Albert.
* Fix -Wreturn-type issues, from Dan Albert.
* dispol: display operations as ranges, from Jeff Vander Stoep.
* dispol: Extend to display operations, from Stephen Smalley.
* Add support for ioctl command whitelisting, from Jeff Vander Stoep.
* Add option to write CIL policy, from James Carter
* Add device tree ocontext nodes to Xen policy, from Daniel De Graaf.
* Widen Xen IOMEM context entries, from Daniel De Graaf.
* Expand allowed character set in paths, from Daniel De Graaf.
* Fix precedence between number and filesystem tokens, from Stephen Smalley.
* dispol/dismod fgets function warnings fix, from Emre Can Kucukoglu.
2.4 2015-02-02
* Fix bugs found by hardened gcc flags, from Nicolas Iooss.
* Add missing semicolon in cond_else parser rule, from Steven Capelli.
* Clear errno before call to strtol(3) from Dan Albert.
* Global C++11 compatibility from Dan Albert.
* Allow libsepol C++ static library on device from Daniel Cashman.
2.3 2014-05-06
* Add Android support for building dispol.
* Report source file and line information for neverallow failures.
* Prevent incompatible option combinations for checkmodule.
* Drop -lselinux from LDLIBS for test programs; not used.
* Add debug feature to display constraints/validatetrans from Richard Haines.
2.2 2013-10-30
* Fix hyphen usage in man pages from Laurent Bigonville.
* handle-unknown / -U required argument fix from Laurent Bigonville.
* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
* Support space and : in filenames from Dan Walsh.
2.1.12 2013-02-01
* Fix errors found by coverity
* implement default type policy syntax
* Free allocated memory when clean up / exit.
2.1.11 2012-09-13
* fd leak reading policy
* check return code on ebitmap_set_bit
2.1.10 2012-06-28
* sepolgen: We need to support files that have a + in them
* Android/MacOS X build support
2.1.9 2012-03-28
* implement new default labeling behaviors for usr, role, range
* Fix dead links to www.nsa.gov/selinux
2.1.8 2011-12-21
* add new helper to translate class sets into bitmaps
2.1.7 2011-12-05
* dis* fixed signed vs unsigned errors
* dismod: fix unused parameter errors
* test: Makefile: include -W and -Werror
* allow ~ in filename transition rules
2.1.6 2011-11-03
* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
* drop libsepol dynamic link in checkpolicy
2.1.5 2011-09-15
* Separate tunable from boolean during compile.
2.1.4 2011-08-26
* checkpolicy: fix spacing in output message
2.1.3 2011-08-17
* add missing ; to attribute_role_def
*Redo filename/filesystem syntax to support filename trans
2.1.2 2011-08-02
* .gitignore changes
* dispol output of role trans
* man page update: build a module with an older policy version
2.1.1 2011-08-01
* Minor updates to filename trans rule output in dis{mod,pol}
2.1.0 2011-07-27
* Release, minor version bump
2.0.27 2011-07-25
* Add role attribute support by Harry Ciao
2.0.26 2011-05-16
* Wrap file names in filename transitions with quotes by Steve Lawrence.
* Allow filesystem names to start with a digit by James Carter.
2.0.25 2011-05-02
* Add support for using the last path compnent in type transitions by Eric
Paris.
* Allow single digit module versions by Daniel Walsh.
* Use better filename identifier for filenames by Daniel Walsh.
* Use #defines for dismod selections by Eric Paris.
2.0.24 2011-04-11
* Add new class field in role_transition by Harry Ciao.
2.0.23 2010-12-16
* Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
2.0.22 2010-06-14
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
2.0.21 2009-11-27
* Add long options to checkpolicy and checkmodule by Guido
Trentalancia <guido@trentalancia.com>
2.0.20 2009-10-14
* Add support for building Xen policies from Paul Nuzzi.
2.0.19 2009-02-18
* Fix alias field in module format, caused by boundary format change
from Caleb Case.
2.0.18 2008-10-14
* Properly escape regex symbols in the lexer from Stephen Smalley.
2.0.17 2008-10-09
* Add bounds support from KaiGai Kohei.
2.0.16 2008-05-27
* Update checkpolicy for user and role mapping support from Joshua Brindle.
2.0.15 2008-05-05
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
Resolves bug 444451.
2.0.14 2008-03-24
* Add permissive domain support from Eric Paris.
2.0.13 2008-03-05
* Split out non-grammar parts of policy_parse.yacc into
policy_define.c and policy_define.h from Todd C. Miller.
2.0.12 2008-03-04
* Initialize struct policy_file before using it, from Todd C. Miller.
2.0.11 2008-03-03
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
2.0.10 2008-02-28
* Use yyerror2() where appropriate from Todd C. Miller.
2.0.9 2008-02-04
* Update dispol for libsepol avtab changes from Stephen Smalley.
2.0.8 2008-01-24
* Deprecate role dominance in parser.
2.0.7 2008-01-02
* Added support for policy capabilities from Todd Miller.
2.0.6 2007-11-15
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
2.0.5 2007-11-01
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
2.0.4 2007-09-18
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
the flag when a base module or kernel policy is built.
2.0.3 2007-05-31
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
2.0.2 2007-04-12
* Merged checkmodule man page fix from Dan Walsh.
2.0.1 2007-02-20
* Merged patch to allow dots in class identifiers from Caleb Case.
2.0.0 2007-02-01
* Merged patch to use new libsepol error codes by Karl MacMillan.
1.34.0 2007-01-18
* Updated version for stable branch.
1.33.1 2006-11-13
* Collapse user identifiers and identifiers together.
1.32 2006-10-17
* Updated version for release.
1.30.12 2006-09-28
* Merged user and range_transition support for modules from
Darrel Goeddel
1.30.11 2006-09-05
* merged range_transition enhancements and user module format
changes from Darrel Goeddel
1.30.10 2006-08-03
* Merged symtab datum patch from Karl MacMillan.
1.30.9 2006-06-29
* Lindent.
1.30.8 2006-06-29
* Merged patch to remove TE rule conflict checking from the parser
from Joshua Brindle. This can only be done properly by the
expander.
1.30.7 2006-06-27
* Merged patch to make checkpolicy/checkmodule handling of
duplicate/conflicting TE rules the same as the expander
from Joshua Brindle.
1.30.6 2006-06-26
* Merged optionals in base take 2 patch set from Joshua Brindle.
1.30.5 2006-05-05
* Merged compiler cleanup patch from Karl MacMillan.
* Merged fix warnings patch from Karl MacMillan.
1.30.4 2006-04-05
* Changed require_class to reject permissions that have not been
declared if building a base module.
1.30.3 2006-03-28
* Fixed checkmodule to call link_modules prior to expand_module
to handle optionals.
1.30.2 2006-03-28
* Fixed require_class to avoid shadowing permissions already defined
in an inherited common definition.
1.30.1 2006-03-22
* Moved processing of role and user require statements to 2nd pass.
1.30 2006-03-14
* Updated version for release.
1.29.5 2006-03-09
* Fixed bug in role dominance (define_role_dom).
1.29.4 2006-02-14
* Added a check for failure to declare each sensitivity in
a level definition.
1.29.3 2006-02-13
* Changed to clone level data for aliased sensitivities to
avoid double free upon sens_destroy. Bug reported by Kevin
Carr of Tresys Technology.
1.29.2 2006-02-13
* Merged optionals in base patch from Joshua Brindle.
1.29.1 2006-02-01
* Merged sepol_av_to_string patch from Joshua Brindle.
1.28 2005-12-07
* Updated version for release.
1.27.20 2005-12-02
* Merged checkmodule man page from Dan Walsh, and edited it.
1.27.19 2005-12-01
* Added error checking of all ebitmap_set_bit calls for out of
memory conditions.
1.27.18 2005-12-01
* Merged removal of compatibility handling of netlink classes
(requirement that policies with newer versions include the
netlink class definitions, remapping of fine-grained netlink
classes in newer source policies to single netlink class when
generating older policies) from George Coker.
1.27.17 2005-10-25
* Merged dismod fix from Joshua Brindle.
1.27.16 2005-10-20
* Removed obsolete cond_check_type_rules() function and call and
cond_optimize_lists() call from checkpolicy.c; these are handled
during parsing and expansion now.
1.27.15 2005-10-19
* Updated calls to expand_module for interface change.
1.27.14 2005-10-19
* Changed checkmodule to verify that expand_module succeeds
when building base modules.
1.27.13 2005-10-19
* Merged module compiler fixes from Joshua Brindle.
1.27.12 2005-10-19
* Removed direct calls to hierarchy_check_constraints() and
check_assertions() from checkpolicy since they are now called
internally by expand_module().
1.27.11 2005-10-18
* Updated for changes to sepol policydb_index_others interface.
1.27.10 2005-10-17
* Updated for changes to sepol expand_module and link_modules interfaces.
1.27.9 2005-10-13
* Merged support for require blocks inside conditionals from
Joshua Brindle (Tresys).
1.27.8 2005-10-06
* Updated for changes to libsepol.
1.27.7 2005-10-05
* Merged several bug fixes from Joshua Brindle (Tresys).
1.27.6 2005-10-03
* Merged MLS in modules patch from Joshua Brindle (Tresys).
1.27.5 2005-09-28
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
1.27.4 2005-09-26
* Merged bugfix for dup role transition error messages from
Karl MacMillan (Tresys).
1.27.3 2005-09-23
* Merged policyver/modulever patches from Joshua Brindle (Tresys).
1.27.2 2005-09-20
* Fixed parse_categories handling of undefined category.
1.27.1 2005-09-16
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
1.26 2005-09-06
* Updated version for release.
1.25.12 2005-08-22
* Fixed handling of validatetrans constraint expressions.
Bug reported by Dan Walsh for checkpolicy -M.
1.25.11 2005-08-18
* Merged use-after-free fix from Serge Hallyn (IBM).
Bug found by Coverity.
1.25.10 2005-08-15
* Fixed further memory leaks found by valgrind.
1.25.9 2005-08-15
* Changed checkpolicy to destroy the policydbs prior to exit
to allow leak detection.
* Fixed several memory leaks found by valgrind.
1.25.8 2005-08-11
* Updated checkpolicy and dispol for the new avtab format.
Converted users of ebitmaps to new inline operators.
Note: The binary policy format version has been incremented to
version 20 as a result of these changes. To build a policy
for a kernel that does not yet include these changes, use
the -c 19 option to checkpolicy.
1.25.7 2005-08-11
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
1.25.6 2005-08-10
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
1.25.5 2005-08-09
* Fixed call to hierarchy checking code to pass the right policydb.
1.25.4 2005-08-02
* Merged patch to update dismod for the relocation of the
module read/write code from libsemanage to libsepol, and
to enable build of test subdirectory from Jason Tang (Tresys).
1.25.3 2005-07-18
* Merged hierarchy check fix from Joshua Brindle (Tresys).
1.25.2 2005-07-06
* Merged loadable module support from Tresys Technology.
1.25.1 2005-06-24
* Merged patch to prohibit the use of * and ~ in type sets
(other than in neverallow statements) and in role sets
from Joshua Brindle (Tresys).
1.24 2005-06-20
* Updated version for release.
1.23.4 2005-05-19
* Merged cleanup patch from Dan Walsh.
1.23.3 2005-05-13
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.
1.23.2 2005-04-29
* Merged identifier fix from Joshua Brindle (Tresys).
1.23.1 2005-04-13
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.
1.22 2005-03-09
* Updated version for release.
1.21.4 2005-02-17
* Moved genpolusers utility to libsepol.
* Merged range_transition support from Darrel Goeddel (TCS).
1.21.3 2005-02-16
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
1.21.2 2005-02-09
* Changed relabel Makefile target to use restorecon.
1.21.1 2005-01-26
* Merged enhanced MLS support from Darrel Goeddel (TCS).
1.20 2005-01-04
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
* Changed genpolusers to handle multiple user config files.
* Merged nodecon ordering patch from Chad Hanson of TCS.
1.18 2004-10-07
* MLS build fix.
* Fixed Makefile dependencies (Chris PeBenito).
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
* Preserve portcon ordering and apply more checking.
1.16 2004-08-13
* Allow empty conditional clauses.
* Moved genpolbools utility to libsepol.
* Updated for libsepol set functions.
* Changed to link with libsepol.a.
* Moved core functionality into libsepol.
* Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
* Added genpolusers program.
* Fixed bug in checkpolicy conditional code.
1.14 2004-06-28
* Merged fix for MLS logic from Daniel Thayer of TCS.
* Require semicolon terminator for typealias statement.
1.12 2004-06-16
* Merged fine-grained netlink class support.
1.10 2004-04-07
* Merged ipv6 support from James Morris of RedHat.
* Fixed compute_av bug discovered by Chad Hanson of TCS.
1.8 2004-03-09
* Merged policydb MLS patch from Chad Hanson of TCS.
* Fixed mmap of policy file.
1.6 2004-02-18
* Merged conditional policy extensions from Tresys Technology.
* Added typealias declaration support per Russell Coker's request.
* Added support for excluding types from type sets based on
a patch by David Caplan, but reimplemented as a change to the
policy grammar.
* Merged patch from Colin Walters to report source file name and line
number for errors when available.
* Un-deprecated role transitions.
1.4 2003-12-01
* Regenerated headers.
* Merged patches from Bastian Blank and Joerg Hoh.
1.2 2003-09-30
* Merged MLS build patch from Karl MacMillan of Tresys.
* Merged checkpolicy man page from Magosanyi Arpad.
1.1 2003-08-13
* Fixed endian bug in policydb_write for behavior value.
* License -> GPL.
* Merged coding style cleanups from James Morris.
1.0 2003-07-11
* Initial public release.