- Unconditional staff and user oidentd home config access from Dominick Grift.

- Conditional mmap_zero support from Dominick Grift.

- Added devtmpfs support.

- Dbadm updates from KaiGai Kohei.

- Virtio disk file context update from Mika Pfluger.

- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.

- Add JIT usage for freshclam.

- Remove ethereal module since the application was renamed to wireshark.

- Remove duplicate/redundant rules, from Russell Coker.

- Increased default number of categories to 1024, from Russell Coker.

- Added modules:

	accountsd (Dan Walsh)

	cgroup (Dominick Grift)

	kdumpgui (Dan Walsh)

	livecd (Dan Walsh)

	mojomojo (Lain Arnell)

	sambagui (Dan Walsh)

	shutdown (Dan Walsh)

* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524

- Merged a significant portion of Fedora policy.

- Move rules from mta mailserver delivery from interface to .te to use

  attributes.

- Remove concept of users from terminal module interfaces since the

  attributes are not specific to users.

- Add non-drawing X client support, for consolekit usage.

- Misc Gentoo fixes from Chris Richards.

- AFS and abrt fixes from Dominick Grift.

- Improved the XML docs of 55 most-used interfaces.

- Apcupsd and amavis fixes from Dominick Grift.

- Fix network_port() in corenetwork to correctly handle port ranges.

- SE-Postgresql updates from KaiGai Kohei.

- X object manager revisions from Eamon Walsh.

- Added modules:

	aisexec (Dan Walsh)

	chronyd (Miroslav Grepl)

	cobbler (Dominick Grift)

	corosync (Dan Walsh)

	dbadm (KaiGai Kohei)

	denyhosts (Dan Walsh)

	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)

	likewise (Scott Salley)

	plymouthd (Dan Walsh)

	pyicqt (Stefan Schulze Frielinghaus)

	rhcs (Dan Walsh)

	rgmanager (Dan Walsh)

	sectoolm (Miroslav Grepl)

	usbmuxd (Dan Walsh)

	vhostmd (Dan Walsh)

* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117

- Add separate x_pointer and x_keyboard classes inheriting from x_device. 

  From Eamon Walsh.

- Deprecated the userdom_xwindows_client_template().

- Misc Gentoo fixes from Corentin Labbe.

- Debian policykit fixes from Martin Orr.

- Fix unconfined_r use of unconfined_java_t.

- Add missing x_device rules for XI2 functions, from Eamon Walsh.

- Add missing rules to make unconfined_cronjob_t a valid cron job domain.

- Add btrfs and ext4 to labeling targets.

- Fix infrastructure to expand macros in initrc_context when installing.

- Handle unix_chkpwd usage by useradd and groupadd.

- Add missing compatibility aliases for xdm_xserver*_t types.

- Added modules:

	abrt (Dan Walsh)

	dkim (Stefan Schulze Frielinghaus)

	gitosis (Miroslav Grepl)

	gnomeclock (Dan Walsh)

	hddtemp (Dan Walsh)

	kdump (Dan Walsh)

	modemmanager(Dan Walsh)

	nslcd (Dan Walsh)

	puppet (Craig Grube)

	rtkit (Dan Walsh)

	seunshare (Dan Walsh)

	shorewall (Dan Walsh)

	tgtd (Matthew Ife)

	tuned (Miroslav Grepl)

	xscreensaver (Corentin Labbe)

* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730

- Gentoo fixes for init scripts and system startup.

- Remove read_default_t tunable.

- Greylist milter from Paul Howarth.

- Crack db access for su to handle password expiration, from Brandon Whalen.

- Misc fixes for unix_update from Brandon Whalen.

- Add x_device permissions for XI2 functions, from Eamon Walsh.

- MLS constraints for the x_selection class, from Eamon Walsh.

- Postgresql updates from KaiGai Kohei.

- Milter state directory patch from Paul Howarth.

- Add MLS constrains for ingress/egress and secmark from Paul Moore.

- Drop write permission from fs_read_rpc_sockets().

- Remove unused udev_runtime_t type.

- Patch for RadSec port from Glen Turner.

- Enable network_peer_controls policy capability from Paul Moore.

- Btrfs xattr support from Paul Moore.

- Add db_procedure install permission from KaiGai Kohei.

- Add support for network interfaces with access controlled by a Boolean

  from the CLIP project.

- Several fixes from the CLIP project.

- Add support for labeled Booleans.

- Remove node definitions and change node usage to generic nodes.

- Add kernel_service access vectors, from Stephen Smalley.

- Added modules:

	certmaster (Dan Walsh)

	cpufreqselector (Dan Walsh)

	devicekit (Dan Walsh)

	fprintd (Dan Walsh)

	git (Dan Walsh)

	gpsd (Miroslav Grepl)

	guest (Dan Walsh)

	ifplugd (Dan Walsh)

	lircd (Miroslav Grepl)

	logadm (Dan Walsh)

	pads (Dan Walsh)

	pingd (Dan Walsh)

	policykit (Dan Walsh)

	pulseaudio (Dan Walsh)

	psad (Dan Walsh)

	portreserve (Dan Walsh)

	sssd (Dan Walsh)

	ulogd (Dan Walsh)

	varnishd (Dan Walsh)

	webadm (Dan Walsh)

	wm (Dan Walsh)

	xguest (Dan Walsh)

	zosremote (Dan Walsh)

* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210

- Fix consistency of audioentropy and iscsi module naming.

- Debian file context fix for xen from Russell Coker.

- Xserver MLS fix from Eamon Walsh.

- Add omapi port for dhcpcd.

- Deprecate per-role templates and rolemap support.

- Implement user-based access control for use as role separations.

- Move shared library calls from individual modules to the domain module.

- Enable open permission checks policy capability.

- Remove hierarchy from portage module as it is not a good example of

  hieararchy.

- Remove enableaudit target from modular build as semodule -DB supplants it.

- Added modules:

	milter (Paul Howarth)

* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014

- Debian update for NetworkManager/wpa_supplicant from Martin Orr.

- Logrotate and Bind updates from Vaclav Ovsik.

- Init script file and domain support.

- Glibc 2.7 fix from Vaclav Ovsik.

- Samba/winbind update from Mike Edenfield.

- Policy size optimization with a non-security file attribute from James

  Carter.

- Database labeled networking update from KaiGai Kohei.

- Several misc changes from the Fedora policy, cherry picked by David

  Hardeman.

- Large whitespace fix from Dominick Grift.

- Pam_mount fix for local login from Stefan Schulze Frielinghaus.

- Issuing commands to upstart is over a datagram socket, not the initctl

  named pipe.  Updated init_telinit() to match.

- Added modules:

	cyphesis (Dan Walsh)

	memcached (Dan Walsh)

	oident (Dominick Grift)

	w3c (Dan Walsh)

* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702

- Fix httpd_enable_homedirs to actually provide the access it is supposed to

  provide.

- Add unused interface/template parameter metadata in XML.

- Patch to handle postfix data_directory from Vaclav Ovsik.

- SE-Postgresql policy from KaiGai Kohei.

- Patch for X.org dbus support from Martin Orr.

- Patch for labeled networking controls in 2.6.25 from Paul Moore.

- Module loading now requires setsched on kernel threads.

- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.

- X application data class from Eamon Walsh and Ted Toth.

- Move user roles into individual modules.

- Make hald_log_t a log file.

- Cryptsetup runs shell scripts.  Patch from Martin Orr.

- Add file for enabling policy capabilities.

- Patch to fix leaky interface/template call depth calculator from Vaclav

  Ovsik.

- Added modules:

	kerneloops (Dan Walsh)

	kismet (Dan Walsh)

	podsleuth (Dan Walsh)

	prelude (Dan Walsh)

	qemu (Dan Walsh)

	virt (Dan Walsh)

* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402

- Add core Security Enhanced X Windows support.

- Fix winbind socket connection interface for default location of the

  sock_file.

- Add wireshark module based on ethereal module.

- Revise upstart support in init module to use a tunable, as upstart is now

  used in Fedora too.

- Add iferror.m4 rather generate it out of the Makefiles.

- Definitions for open permisson on file and similar objects from Eric

  Paris.

- Apt updates for ptys and logs, from Martin Orr.

- RPC update from Vaclav Ovsik.

- Exim updates on Debian from Devin Carrawy.

- Pam and samba updates from Stefan Schulze Frielinghaus.

- Backup update on Debian from Vaclav Ovsik.

- Cracklib update on Debian from Vaclav Ovsik.

- Label /proc/kallsyms with system_map_t.

- 64-bit capabilities from Stephen Smalley.

- Labeled networking peer object class updates.

* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214

- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.

- Improve several tunables descriptions from Dan Walsh.

- Patch to clean up ns switch usage in the policy from Dan Walsh.

- More complete labeled networking infrastructure from KaiGai Kohei.

- Add interface for libselinux constructor, for libselinux-linked

  SELinux-enabled programs.

- Patch to restructure user role templates to create restricted user roles

  from Dan Walsh.

- Russian man page translations from Andrey Markelov.

- Remove unused types from dbus.

- Add infrastructure for managing all user web content.

- Deprecate some old file and dir permission set macros in favor of the

  newer, more consistently-named macros.

- Patch to clean up unescaped periods in several file context entries from

  Jan-Frode Myklebust.

- Merge shlib_t into lib_t.

- Merge strict and targeted policies.  The policy will now behave like the

  strict policy if the unconfined module is not present.  If it is, it will

  behave like the targeted policy.  Added an unconfined role to have a mix

  of confined and unconfined users.

- Added modules:

	exim (Dan Walsh)

	postfixpolicyd (Jan-Frode Myklebust)

* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928

- Add support for setting the unknown permissions handling.

- Fix XML building for external reference builds and headers builds.

- Patch to add missing requirements in userdomain interfaces from Shintaro

  Fujiwara.

- Add tcpd_wrapped_domain() for services that use tcp wrappers.

- Update MLS constraints from LSPP evaluated policy.

- Allow initrc_t file descriptors to be inherited regardless of MLS level.

  Accordingly drop MLS permissions from daemons that inherit from any level.

- Files and radvd updates from Stefan Schulze Frielinghaus.

- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with

  mls_write_all_levels() and mls_read_all_levels(), for consistency.

- Add make kernel and init ranged interfaces pass the range transition MLS

  constraints.  Also remove calls to mls_rangetrans_target() in modules that use

  the kernel and init interfaces, since its redundant.

- Add interfaces for all MLS attributes except X object classes.

- Require all sensitivities and categories for MLS and MCS policies, not just

  the low and high sensitivity and category.

- Database userspace object manager classes from KaiGai Kohei.

- Add third-party interface for Apache CGI.

- Add getserv and shmemserv nscd permissions.

- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.

- Added modules:

	application

	awstats (Stefan Schulze Frielinghaus)

	bitlbee (Devin Carraway)

	brctl (Dan Walsh)

* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629

- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the

  libraries module.

- Unified labeled networking policy from Paul Moore.

- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

- Xen updates from Dan Walsh.

- Filesystem updates from Dan Walsh.

- Large samba update from Dan Walsh.

- Drop snmpd_etc_t.

- Confine sendmail and logrotate on targeted.

- Tunable connection to postgresql for users from KaiGai Kohei.

- Memprotect support patch from Stephen Smalley.

- Add logging_send_audit_msgs() interface and deprecate

  send_audit_msgs_pattern().

- Openct updates patch from Dan Walsh.

- Merge restorecon into setfiles.

- Patch to begin separating out hald helper programs from Dan Walsh.

- Fixes for squid, dovecot, and snmp from Dan Walsh.

- Miscellaneous consolekit fixes from Dan Walsh.

- Patch to have avahi use the nsswitch interface rather than individual

  permissions from Dan Walsh.

- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.

- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes

  to handle usage from userhelper from Dan Walsh.

- Patch to allow amavis to read spamassassin libraries from Dan Walsh.

- Patch to allow slocate to getattr other filesystems and directories on those

  filesystems from Dan Walsh.

- Fixes for RHEL4 from the CLIP project.

- Replace the old lrrd fc entries with munin ones.

- Move program admin template usage out of userdom_admin_user_template() to

  sysadm policy in userdomain.te to fix usage of the template for third

  parties.

- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a

  template instead of an interface.

- Added modules:

	amtu (Dan Walsh)

	apcupsd (Dan Walsh)

	rpcbind (Dan Walsh)

	rwho (Nalin Dahyabhai)

* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417

- Patch for sasl's use of kerberos from Dan Walsh.

- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.

- Man page updates from Dan Walsh.

- Two patches from Paul Moore to for ipsec to remove redundant rules and

  have setkey read the config file.

- Move booleans and tunables to modules when it is only used in a single

  module.

- Add support for tunables and booleans local to a module.

- Merge sbin_t and ls_exec_t into bin_t.

- Remove disable_trans booleans.

- Output different header sets for kernel and userland from flask headers.

- Marked the pax class as deprecated, changed it to userland so

  it will be removed from the kernel.

- Stop including netfilter contexts by default.

- Add dontaudits for init fds and console to init_daemon_domain().

- Patch to allow gpg to create user keys dir.

- Patch to support kvmfs from Dan Walsh.

- Patch for misc fixes in sudo from Dan Walsh.

- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.

- Patch for handling restart of nscd when ran from useradd, groupadd, and

  admin passwd, from Dan Walsh.

- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.

- Patch for setroubleshoot for validating file contexts from Dan Walsh.

- Patch for gssd fixes from Dan Walsh.

- Patch for lvm fixes from Dan Walsh.

- Patch for ricci fixes from Dan Walsh.

- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.

- Patch for kerberized telnet fixes from Dan Walsh.

- Patch for kerberized ftp and other ftp fixes from Dan Walsh.

- Patch for an additional wine executable from Dan Walsh.

- Eight patches for file contexts in games, wine, networkmanager, miscfiles,

  corecommands, devices, and java from Dan Walsh.

- Add support for libselinux 2.0.5 init_selinuxmnt() changes.

- Patch for misc fixes to bluetooth from Dan Walsh.

- Patch for misc fixes to kerberos from Dan Walsh.

- Patch to start deprecating usercanread attribute from Ryan Bradetich.

- Add dccp_socket object class which was added in kernel 2.6.20.

- Patch for prelink relabefrom it's temp files from Dan Walsh.

- Patch for capability fix for auditd and networking fix for syslogd from

  Dan Walsh.

- Patch to remove redundant mls_trusted_object() call from Dan Walsh.

- Patch for misc fixes to nis ypxfr policy from Dan Walsh.

- Patch to allow apmd to telinit from Dan Walsh.

- Patch for additional labeling of samba files from Stefan Schulze

  Frielinghaus.

- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.

- Fix ptys and ttys to be device nodes.

- Fix explicit use of httpd_t in openca_domtrans().

- Clean up file context regexes in apache and java, from Eamon Walsh.

- Patches from Dan Walsh:

	Thu, 25 Jan 2007

- Added modules:

	consolekit (Dan Walsh)

	fail2ban (Dan Walsh)

	zabbix (Dan Walsh)

* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212

- Add policy patterns support macros.  This changes the behavior of

  the create_dir_perms and create_file_perms permission sets.

- Association polmatch MLS constraint making unlabeled_t an exception

  is no longer needed, patch from Venkat Yekkirala.

- Context contains checking for PAM and cron from James Antill.

- Add a reload target to Modules.devel and change the load

  target to only insert modules that were changed.

- Allow semanage to read from /root on strict non-MLS for

  local policy modules.

- Gentoo init script fixes for udev.

- Allow udev to read kernel modules.inputmap.

- Dnsmasq fixes from testing.

- Allow kernel NFS server to getattr filesystems so df can work

  on clients.

- Patch from Matt Anderson for a MLS constraint exemption on a

  file that can be written to from a subject whose range is

  within the object's range.

- Enhanced setransd support from Darrel Goeddel.

- Patches from Dan Walsh:

	Tue, 24 Oct 2006

	Wed, 29 Nov 2006

- Added modules:

	aide (Matt Anderson)

	ccs (Dan Walsh)

	iscsi (Dan Walsh)

	ricci (Dan Walsh)

* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018

- Patch from Russell Coker Thu, 5 Oct 2006

- Move range transitions to modules.

- Make number of MLS sensitivities, and number of MLS and MCS

  categories configurable as build options.

- Add role infrastructure.

- Debian updates from Erich Schubert.

- Add nscd_socket_use() to auth_use_nsswitch().

- Remove old selopt rules.

- Full support for netfilter_contexts.

- MRTG patch for daemon operation from Stefan.

- Add authlogin interface to abstract common access for login programs.

- Remove setbool auditallow, except for RHEL4.

- Change eventpollfs to task SID labeling.

- Add key support from Michael LeMay.

- Add ftpdctl domain to ftp, from Paul Howarth.

- Fix build system to not move type declarations out of optionals.

- Add gcc-config domain to portage.

- Add packet object class and support in corenetwork.

- Add a copy of genhomedircon for monolithic policy building, so that a

  policycoreutils package update is not required for RHEL4 systems.

- Add appletalk sockets for use in cups.

- Add Make target to validate module linking.

- Make duplicate template and interface declarations a fatal error.

- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.

- Move xconsole_device_t from devices to xserver since it is

  not actually a device, it is a named pipe.

- Handle nonexistant .fc and .if files in devel Makefile by

  automatically creating empty files.

- Remove unused devfs_control_t.

- Add rhel4 distro, which also implies redhat distro.

- Remove unneeded range_transition for su_exec_t and move the

  type declaration back to the su module.

- Constrain transitions in MCS so unconfined_t cannot have

  arbitrary category sets.

- Change reiserfs from xattr filesystem to genfscon as it's xattrs

  are currently nonfunctional.

- Change files and filesystem modules to use their own interfaces.

- Add user fonts to xserver.

- Additional interfaces in corecommands, miscfiles, and userdomain

  from Joy Latten.

- Miscellaneous fixes from Thomas Bleher.

- Deprecate module name as first parameter of optional_policy()

  now that optionals are allowed everywhere.

- Enable optional blocks in base module and monolithic policy.

  This requires checkpolicy 1.30.1.

- Fix vpn module declaration.

- Numerous fixes from Dan Walsh.

- Change build order to preserve m4 line number information so policy

  compile errors are useful again.

- Additional MLS interfaces from Chad Hanson.

- Move some rules out of domain_type() and domain_base_type()

  to the TE file, to use the domain attribute to take advantage

  of space savings from attribute use.

- Add global stack smashing protector rule for urandom access from

  Petre Rodan.

- Fix temporary rules at the bottom of portmap.

- Updated comments in mls file from Chad Hanson.

- Patches from Dan Walsh:

	Fri, 17 Mar 2006

	Wed, 29 Mar 2006

	Tue, 11 Apr 2006

	Fri, 14 Apr 2006

	Tue, 18 Apr 2006

	Thu, 20 Apr 2006

	Tue, 02 May 2006

	Mon, 15 May 2006

	Thu, 18 May 2006

	Tue, 06 Jun 2006

	Mon, 12 Jun 2006

	Tue, 20 Jun 2006

	Wed, 26 Jul 2006

	Wed, 23 Aug 2006

	Thu, 31 Aug 2006

	Fri, 01 Sep 2006

	Tue, 05 Sep 2006

	Wed, 20 Sep 2006

	Fri, 22 Sep 2006

	Mon, 25 Sep 2006

- Added modules:

	afs

	amavis (Erich Schubert)

	apt (Erich Schubert)

	asterisk

	audioentropy

	authbind

	backup

	calamaris

	cipe

	clamav (Erich Schubert)

	clockspeed (Petre Rodan)

	courier

	dante

	dcc

	ddclient

	dpkg (Erich Schubert)

	dnsmasq

	ethereal

	evolution

	games

	gatekeeper

	gift

	gnome (James Carter)

	imaze

	ircd

	jabber

	monop

	mozilla

	mplayer

	munin

	nagios

	nessus

	netlabel (Paul Moore)

	nsd

	ntop

	nx

	oav

	oddjob (Dan Walsh)

	openca

	openvpn (Petre Rodan)

	perdition

	portslave

	postgrey

	pxe

	pyzor (Dan Walsh)

	qmail (Petre Rodan)

	razor

	resmgr

	rhgb

	rssh

	snort

	soundserver

	speedtouch

	sxid

	thunderbird

	tor (Erich Schubert)

	transproxy

	tripwire

	uptime

	uwimap

	vmware

	watchdog

	xen (Dan Walsh)

	xprint

	yam

* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307

- Make all interface parameters required.

- Move boot_t, system_map_t, and modules_object_t to files module,

  and move bootloader to admin layer.

- Add semanage policy for semodule from Dan Walsh.

- Remove allow_execmem from targeted policy domain_base_type().

- Add users_extra and seusers support.

- Postfix fixes from Serge Hallyn.

- Run python and shell directly to interpret scripts so policy

  sources need not be executable.

- Add desc tag XML to booleans and tunables, and add summary

  to param XML tag, to make future translations possible.

- Remove unused lvm_vg_t.

- Many interface renames to improve naming consistency.

- Merge xdm into xserver.

- Remove kernel module reversed interfaces.

- Add filename attribute to module XML tag and lineno attribute to

  interface XML tag.

- Changed QUIET build option to a yes or no option.

- Add a Makefile used for compiling loadable modules in a

  user's development environment, building against policy headers.

- Add Make target for installing policy headers.

- Separate per-userdomain template expansion from the userdomain

  module and add infrastructure to expand templates in the modules

  that own the template.

- Enable secadm only for MLS policies.

- Remove role change rules in su and sudo since this functionality has been

  removed from these programs.

- Add ctags Make target from Thomas Bleher.

- Collapse commands with grep piped to sed into one sed command.

- Fix type_change bug in term_user_pty().

- Move ice_tmp_t from miscfiles to xserver.

- Login fixes from Serge Hallyn.

- Move xserver_log_t from xdm to xserver.

- Add lpr per-userdomain policy to lpd.

- Miscellaneous fixes from Dan Walsh.

- Change initrc_var_run_t interface noun from script_pid to utmp,

  for greater clarity.

- Added modules:

	certwatch

	mono (Dan Walsh)

	mrtg

	portage

	tvtime

	userhelper

	usernetctl

	wine (Dan Walsh)

	xserver

* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117

- Adds support for generating corenetwork interfaces based on attributes 

  in addition to types.

- Permits the listing of multiple nodes in a network_node() that will be

  given the same type.

- Add two new permission sets for stream sockets.

- Rename file type transition interfaces verb from create to

  filetrans to differentiate it from create interfaces without

  type transitions.

- Fix expansion of interfaces from disabled modules.

- Rsync can be long running from init,

  added rules to allow this.

- Add polyinstantiation build option.

- Add setcontext to the association object class.

- Add apache relay and db connect tunables.

- Rename texrel_shlib_t to textrel_shlib_t.

- Add swat to samba module.

- Numerous miscellaneous fixes from Dan Walsh.

- Added modules:

	alsa

	automount

	cdrecord

	daemontools (Petre Rodan)

	ddcprobe

	djbdns (Petre Rodan)

	fetchmail

	irc

	java

	lockdev

	logwatch (Dan Walsh)

	openct

	prelink (Dan Walsh)

	publicfile (Petre Rodan)

	readahead

	roundup

	screen

	slocate (Dan Walsh)

	slrnpull

	smartmon

	sysstat

	ucspitcp (Petre Rodan)

	usbmodules

	vbetool (Dan Walsh)

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207

- Add unlabeled IPSEC association rule to domains with

  networking permissions.

- Merge systemuser back in to users, as these files

  do not need to be split.

- Add check for duplicate interface/template definitions.

- Move domain, files, and corecommands modules to kernel

  layer to resolve some layering inconsistencies.

- Move policy build options out of Makefile into build.conf.

- Add yppasswd to nis module.

- Change optional_policy() to refer to the module name

  rather than modulename.te.

- Fix labeling targets to use installed file_contexts rather

  than partial file_contexts in the policy source directory.

- Fix build process to use make's internal vpath functions

  to detect modules rather than using subshells and find.

- Add install target for modular policy.

- Add load target for modular policy.

- Add appconfig dependency to the load target.

- Miscellaneous fixes from Dan Walsh.

- Fix corenetwork gen_context()'s to expand during the policy

  build phase instead of during the generation phase.  

- Added policies:

	amanda

	avahi

	canna

	cyrus

	dbskk

	dovecot

	distcc

	i18n_input

	irqbalance

	lpd

	networkmanager

	pegasus

	postfix

	procmail

	radius

	rdisc

	rpc

	spamassassin

	timidity

	xdm

	xfs

* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019

- Many fixes to make loadable modules build.

- Add targets for sechecker.

- Updated to sedoctool to read bool files and tunable

  files separately.

- Changed the xml tag of <boolean> to <bool> to be consistent

  with gen_bool().

- Modified the implementation of segenxml to use regular

  expressions.

- Rename context_template() to gen_context() to clarify

  that its not a Reference Policy template, but a support

  macro.

- Add disable_*_trans bool support for targeted policy.

- Add MLS module to handle MLS constraint exceptions,

  such as reading up and writing down.

- Fix errors uncovered by sediff.

- Added policies:

	anaconda

	apache

	apm

	arpwatch

	bluetooth

	dmidecode

	finger

	ftp

	kudzu

	mailman

	ppp

	radvd

	sasl

	webalizer

* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922

- Make logrotate, sendmail, sshd, and rpm policies

  unconfined in the targeted policy so no special

  modules.conf is required.

- Add experimental MCS support.

- Add appconfig for MLS.

- Add equivalents for old can_resolve(), can_ldap(), and

  can_portmap() to sysnetwork.

- Fix base module compile issues.

- Added policies:

	cpucontrol

	cvs

	ktalk

	portmap

	postgresql

	rlogin

	samba

	snmp

	stunnel

	telnet

	tftp

	uucp

	vpn

	zebra

* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907

- Fix errors uncovered by sediff.

- Doc tool will explicitly say a module does not have interfaces

  or templates on the module page.

- Added policies:

	comsat

	dbus

	dhcp

	dictd

	hal

	inn

	ntp

	squid

* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826

- Add Makefile support for building loadable modules.

- Add genclassperms.py tool to add require blocks

  for loadable modules.

- Change sedoctool to make required modules part of base

  by default, otherwise make as modules, in modules.conf.

- Fix segenxml to handle modules with no interfaces.

- Rename ipsec connect interface for consistency.

- Add missing parts of unix stream socket connect interface

  of ipsec.

- Rename inetd connect interface for consistency.

- Rename interface for purging contents of tmp, for clarity,

  since it allows deletion of classes other than file.

- Misc. cleanups.

- Added policies:

	acct

	bind

	firstboot

	gpm

	howl

	ldap

	loadkeys

	mysql

	privoxy

	quota

	rshd

	rsync

	su

	sudo

	tcpd

	tmpreaper

	updfstab

* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802

- Fix comparison bug in fc_sort.

- Fix handling of ordered and unordered HTML lists.

- Corenetwork now supports multiple network interfaces having the

  same type.

- Doc tool now creates pages for global Booleans and global tunables.

- Doc tool now links directly to the interface/template in the

  module page when it is selected in the interface/template index.

- Added support for layer summaries.

- Added policies:

	ipsec

	nscd

	pcmcia

	raid

* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707

- Changed xml to have modules encapsulated by layer tags, rather

  than putting layer="foo" in the module tags.  Also in the future

  we can put a summary and description for each layer.

- Added tool to infer interface, module, and layer tags.  This will

  now list all interfaces, even if they are missing xml docs.

- Shortened xml tag names.

- Added macros to declare interfaces and templates.

- Added interface call trace.

- Updated all xml documentation for shorter and inferred tags.

- Doc tool now displays templates in the web pages.

- Doc tool retains the user's settings in modules.conf and

  tunables.conf if the files already exist.

- Modules.conf behavior has been changed to be a list of all

  available modules, and the user can specify if the module is

  built as a loadable module, included in the monolithic policy,

  or excluded.

- Added policies:

	fstools (fsck, mkfs, swapon, etc. tools)

	logrotate

	inetd

	kerberos

	nis (ypbind and ypserv)

	ssh (server, client, and agent)

	unconfined

- Added infrastructure for targeted policy support, only missing

	transition boolean support.

* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615

	- Initial release