Archive old Changelog for log format change

1 files changed, 952 insertions, 0 deletions

diff --git a/Changelog.old b/Changelog.old
new file mode 100644
index 000000000..672e632aa
--- /dev/null
+++ b/Changelog.old
@@ -0,0 +1,952 @@
+- Mcelog update from Guido Trentalancia.
+- Added contrib modules:
+	bird (Dominick Grift)
+
+* Wed Jul 25 2012 Chris PeBenito <selinux@tresys.com> - 2.20120725
+- Rename epollwakeup capability2 permission to block_suspend to match the
+  corresponding kernel capability rename.
+- Udev and init changes to support /run, from Sven Vermeulen.
+- auth_use_nsswitch updates from Miroslav Grepl.
+- Mount runtime files fix from Guido Trentalancia.
+- Update Python scripts to support Python 3, from Sven Vermeulen.
+- Update capability2 object class for new wake_alarm and epollwakeup
+  capabilities.
+- SEPostgresql updates from Kohei KaiGai.
+- Simplify file contexts based on file context path substitutions, from Sven
+  Vermeulen.
+- Add optional name for kernel and system filetrans interfaces.
+- Non-auth file attribute to eliminate set expressions, from James Carter.
+- Virt updates from Sven Vermeulen.
+- Various dontaudits from Sven Vermeulen.
+- Fix base module and monolithic role declaration ordering issue now that
+  role declarations must be explicit, from Harry Ciao.
+- Added contrib modules:
+	bacula (Stan Sander/Sven Vermeulen)
+	bcfg2 (Miroslav Grepl)
+	blueman (Miroslav Grepl)
+
+* Wed Feb 15 2012 Chris PeBenito <selinux@tresys.com> - 2.20120215
+- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
+- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
+- Add userdom interfaces for user application domains, user tmp files,
+  and user tmpfs files.
+- Asterisk administration fixes from Sven Vermeulen.
+- Fix makefiles to install files with the correct DAC permissions if the
+  umask is not 022.
+- Remove deprecated support macros.
+- Remove rolemap and per-role template support.
+- Change corenetwork port declaration to apply the reserved port type
+  attribute only, when the type has ports above and below 1024.
+- Change secure_mode_policyload to disable only toggling of this Boolean
+  rather than disabling all Boolean toggling permissions.
+- Use role attributes to assist with domain transitions in interactive
+  programs.
+- Milter ports patch from Paul Howarth.
+- Separate portage fetch rules out of portage_run() and portage_domtrans()
+  from Sven Vermeulen.
+- Enhance corenetwork network_port() macro to support ports that do not have
+  a well defined port number, such as stunnel.
+- Opendkim support in dkim module from Paul Howarth.
+- Wireshark updates from Sven Vermeulen.
+- Change secure_mode_insmod to control sys_module capability rather than
+  controlling domain transitions to insmod.
+- Openrc and portage updates from Sven Vermeulen.
+- Allow user and role changes on dynamic transitions with the same
+  constraints as regular transitions.
+- New git service features from Dominick Grift.
+- Corenetwork policy size optimization from Dan Walsh.
+- Silence spurious udp_socket listen denials.
+- Fix unexpanded MLS/MCS fields in monolithic seusers file.
+- Type transition fix in Postgresql database objects from KaiGai Kohei.
+- Support for file context path substitutions (file_contexts.subs).
+- Added contrib modules:
+	glance (Dan Walsh)
+	rhsmcertd (Dan Walsh)
+	sanlock (Dan Walsh)
+	sblim (Dan Walsh)
+	uuidd (Dan Walsh)
+	vdagent (Dan Walsh)
+
+* Tue Jul 26 2011 Chris PeBenito <selinux@tresys.com> - 2.20110726
+- Fix role declarations to handle role attribute compilers.
+- Rename audioentropy module to entropyd due to haveged support.
+- Add haveged support from Sven Vermeulen.
+- Authentication file patch from Matthew Ife.
+- Add agent support to zabbix from Sven Vermeulen.
+- Cyrus file context update for Gentoo from Corentin Labbe.
+- Portage updates from Sven Vermeulen.
+- Fix init_system_domain() description, pointed out by Elia Pinto.
+- Postgresql selabel_lookup update from KaiGai Kohei.
+- Dovecot managesieve support from Mika Pfluger.
+- Semicolon after interface/template calls cleanup from Elia Pinto.
+- Gentoo courier updates from Sven Vermeulen.
+- Amavis patch for connecting to nslcd from Miroslav Grepl.
+- Shorewall patch from Miroslav Grepl.
+- Cpufreqselector dbus patch from Guido Trentalancia.
+- Cron pam_namespace and pam_loginuid support from Harry Ciao.
+- Xserver update for startx from Sven Vermeulen.
+- Fix MLS constraint for contains permission from Harry Ciao.
+- Apache user webpages fix from Dominick Grift.
+- Change default build.conf to modular policy from Stephen Smalley.
+- Xen refinement patch from Stephen Smalley.
+- Sudo timestamp file location update from Sven Vermeulen.
+- XServer keyboard event patch from Sven Vermeulen.
+- RAID uevent patch from Sven Vermeulen.
+- Gentoo ALSA init script usage patch from Sven Vermeulen.
+- LVM semaphore usage patch from Sven Vermeulen.
+- Module load request patch for insmod from Sven Vermeulen.
+- Cron default contexts fix from Harry Ciao.
+- Man page fixes from Justin Mattock.
+- Add syslog capability.
+- Support for logging in to /dev/console, from Harry Ciao.
+- Database object class updates and associated SEPostgreSQL changes from
+  KaiGai Kohei.
+- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
+- Mount updates from Harry Ciao.
+- Semanage update for MLS systems from Harry Ciao.
+- Vlock terminal use update from Harry Ciao.
+- Hadoop CDH3 updates from Paul Nuzzi.
+- Add sepgsql_contexts appconfig files from KaiGai Kohei.
+- Added modules:
+	aiccu
+	bugzilla (Dan Walsh)
+	colord (Dan Walsh)
+	cmirrord (Miroslav Grepl)
+	mediawiki (Miroslav Grepl)
+	mpd (Miroslav Grepl)
+	ncftool
+	passenger (Miroslav Grepl)
+	qpid (Dan Walsh)
+	samhain (Harry Ciao)
+	telepathy (Dominick Grift)
+	tcsd (Stephen Smalley)
+	vnstatd (Dan Walsh)
+	zarafa (Miroslav Grepl)
+
+* Mon Dec 13 2010 Chris PeBenito <selinux@tresys.com> - 2.20101213
+- Git man page from Dominick Grift.
+- Alsa and oident home content cleanup from Dominick Grift.
+- Add support for custom build options.
+- Unconditional staff and user oidentd home config access from Dominick Grift.
+- Conditional mmap_zero support from Dominick Grift.
+- Added devtmpfs support.
+- Dbadm updates from KaiGai Kohei.
+- Virtio disk file context update from Mika Pfluger.
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
+- Add JIT usage for freshclam.
+- Remove ethereal module since the application was renamed to wireshark.
+- Remove duplicate/redundant rules, from Russell Coker.
+- Increased default number of categories to 1024, from Russell Coker.
+- Added modules:
+	accountsd (Dan Walsh)
+	cgroup (Dominick Grift)
+	hadoop (Paul Nuzzi)
+	kdumpgui (Dan Walsh)
+	livecd (Dan Walsh)
+	mojomojo (Iain Arnell)
+	sambagui (Dan Walsh)
+	shutdown (Dan Walsh)
+	sosreport (Dan Walsh)
+	vlock (Harry Ciao)
+
+* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
+- Merged a significant portion of Fedora policy.
+- Move rules from mta mailserver delivery from interface to .te to use
+  attributes.
+- Remove concept of users from terminal module interfaces since the
+  attributes are not specific to users.
+- Add non-drawing X client support, for consolekit usage.
+- Misc Gentoo fixes from Chris Richards.
+- AFS and abrt fixes from Dominick Grift.
+- Improved the XML docs of 55 most-used interfaces.
+- Apcupsd and amavis fixes from Dominick Grift.
+- Fix network_port() in corenetwork to correctly handle port ranges.
+- SE-Postgresql updates from KaiGai Kohei.
+- X object manager revisions from Eamon Walsh.
+- Added modules:
+	aisexec (Dan Walsh)
+	chronyd (Miroslav Grepl)
+	cobbler (Dominick Grift)
+	corosync (Dan Walsh)
+	dbadm (KaiGai Kohei)
+	denyhosts (Dan Walsh)
+	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
+	likewise (Scott Salley)
+	plymouthd (Dan Walsh)
+	pyicqt (Stefan Schulze Frielinghaus)
+	rhcs (Dan Walsh)
+	rgmanager (Dan Walsh)
+	sectoolm (Miroslav Grepl)
+	usbmuxd (Dan Walsh)
+	vhostmd (Dan Walsh)
+
+* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
+- Add separate x_pointer and x_keyboard classes inheriting from x_device. 
+  From Eamon Walsh.
+- Deprecated the userdom_xwindows_client_template().
+- Misc Gentoo fixes from Corentin Labbe.
+- Debian policykit fixes from Martin Orr.
+- Fix unconfined_r use of unconfined_java_t.
+- Add missing x_device rules for XI2 functions, from Eamon Walsh.
+- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+- Add btrfs and ext4 to labeling targets.
+- Fix infrastructure to expand macros in initrc_context when installing.
+- Handle unix_chkpwd usage by useradd and groupadd.
+- Add missing compatibility aliases for xdm_xserver*_t types.
+- Added modules:
+	abrt (Dan Walsh)
+	dkim (Stefan Schulze Frielinghaus)
+	gitosis (Miroslav Grepl)
+	gnomeclock (Dan Walsh)
+	hddtemp (Dan Walsh)
+	kdump (Dan Walsh)
+	modemmanager(Dan Walsh)
+	nslcd (Dan Walsh)
+	puppet (Craig Grube)
+	rtkit (Dan Walsh)
+	seunshare (Dan Walsh)
+	shorewall (Dan Walsh)
+	tgtd (Matthew Ife)
+	tuned (Miroslav Grepl)
+	xscreensaver (Corentin Labbe)
+
+* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
+- Gentoo fixes for init scripts and system startup.
+- Remove read_default_t tunable.
+- Greylist milter from Paul Howarth.
+- Crack db access for su to handle password expiration, from Brandon Whalen.
+- Misc fixes for unix_update from Brandon Whalen.
+- Add x_device permissions for XI2 functions, from Eamon Walsh.
+- MLS constraints for the x_selection class, from Eamon Walsh.
+- Postgresql updates from KaiGai Kohei.
+- Milter state directory patch from Paul Howarth.
+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
+- Drop write permission from fs_read_rpc_sockets().
+- Remove unused udev_runtime_t type.
+- Patch for RadSec port from Glen Turner.
+- Enable network_peer_controls policy capability from Paul Moore.
+- Btrfs xattr support from Paul Moore.
+- Add db_procedure install permission from KaiGai Kohei.
+- Add support for network interfaces with access controlled by a Boolean
+  from the CLIP project.
+- Several fixes from the CLIP project.
+- Add support for labeled Booleans.
+- Remove node definitions and change node usage to generic nodes.
+- Add kernel_service access vectors, from Stephen Smalley.
+- Added modules:
+	certmaster (Dan Walsh)
+	cpufreqselector (Dan Walsh)
+	devicekit (Dan Walsh)
+	fprintd (Dan Walsh)
+	git (Dan Walsh)
+	gpsd (Miroslav Grepl)
+	guest (Dan Walsh)
+	ifplugd (Dan Walsh)
+	lircd (Miroslav Grepl)
+	logadm (Dan Walsh)
+	pads (Dan Walsh)
+	pingd (Dan Walsh)
+	policykit (Dan Walsh)
+	pulseaudio (Dan Walsh)
+	psad (Dan Walsh)
+	portreserve (Dan Walsh)
+	sssd (Dan Walsh)
+	ulogd (Dan Walsh)
+	varnishd (Dan Walsh)
+	webadm (Dan Walsh)
+	wm (Dan Walsh)
+	xguest (Dan Walsh)
+	zosremote (Dan Walsh)
+
+* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
+- Fix consistency of audioentropy and iscsi module naming.
+- Debian file context fix for xen from Russell Coker.
+- Xserver MLS fix from Eamon Walsh.
+- Add omapi port for dhcpcd.
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
+- Move shared library calls from individual modules to the domain module.
+- Enable open permission checks policy capability.
+- Remove hierarchy from portage module as it is not a good example of
+  hieararchy.
+- Remove enableaudit target from modular build as semodule -DB supplants it.
+- Added modules:
+	milter (Paul Howarth)
+
+* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
+- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
+- Logrotate and Bind updates from Vaclav Ovsik.
+- Init script file and domain support.
+- Glibc 2.7 fix from Vaclav Ovsik.
+- Samba/winbind update from Mike Edenfield.
+- Policy size optimization with a non-security file attribute from James
+  Carter.
+- Database labeled networking update from KaiGai Kohei.
+- Several misc changes from the Fedora policy, cherry picked by David
+  Hardeman.
+- Large whitespace fix from Dominick Grift.
+- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
+- Issuing commands to upstart is over a datagram socket, not the initctl
+  named pipe.  Updated init_telinit() to match.
+- Added modules:
+	cyphesis (Dan Walsh)
+	memcached (Dan Walsh)
+	oident (Dominick Grift)
+	w3c (Dan Walsh)
+
+* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
+- Fix httpd_enable_homedirs to actually provide the access it is supposed to
+  provide.
+- Add unused interface/template parameter metadata in XML.
+- Patch to handle postfix data_directory from Vaclav Ovsik.
+- SE-Postgresql policy from KaiGai Kohei.
+- Patch for X.org dbus support from Martin Orr.
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
+- Module loading now requires setsched on kernel threads.
+- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+- X application data class from Eamon Walsh and Ted Toth.
+- Move user roles into individual modules.
+- Make hald_log_t a log file.
+- Cryptsetup runs shell scripts.  Patch from Martin Orr.
+- Add file for enabling policy capabilities.
+- Patch to fix leaky interface/template call depth calculator from Vaclav
+  Ovsik.
+- Added modules:
+	kerneloops (Dan Walsh)
+	kismet (Dan Walsh)
+	podsleuth (Dan Walsh)
+	prelude (Dan Walsh)
+	qemu (Dan Walsh)
+	virt (Dan Walsh)
+
+* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
+- Add core Security Enhanced X Windows support.
+- Fix winbind socket connection interface for default location of the
+  sock_file.
+- Add wireshark module based on ethereal module.
+- Revise upstart support in init module to use a tunable, as upstart is now
+  used in Fedora too.
+- Add iferror.m4 rather generate it out of the Makefiles.
+- Definitions for open permisson on file and similar objects from Eric
+  Paris.
+- Apt updates for ptys and logs, from Martin Orr.
+- RPC update from Vaclav Ovsik.
+- Exim updates on Debian from Devin Carrawy.
+- Pam and samba updates from Stefan Schulze Frielinghaus.
+- Backup update on Debian from Vaclav Ovsik.
+- Cracklib update on Debian from Vaclav Ovsik.
+- Label /proc/kallsyms with system_map_t.
+- 64-bit capabilities from Stephen Smalley.
+- Labeled networking peer object class updates.
+
+* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
+- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
+- Improve several tunables descriptions from Dan Walsh.
+- Patch to clean up ns switch usage in the policy from Dan Walsh.
+- More complete labeled networking infrastructure from KaiGai Kohei.
+- Add interface for libselinux constructor, for libselinux-linked
+  SELinux-enabled programs.
+- Patch to restructure user role templates to create restricted user roles
+  from Dan Walsh.
+- Russian man page translations from Andrey Markelov.
+- Remove unused types from dbus.
+- Add infrastructure for managing all user web content.
+- Deprecate some old file and dir permission set macros in favor of the
+  newer, more consistently-named macros.
+- Patch to clean up unescaped periods in several file context entries from
+  Jan-Frode Myklebust.
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies.  The policy will now behave like the
+  strict policy if the unconfined module is not present.  If it is, it will
+  behave like the targeted policy.  Added an unconfined role to have a mix
+  of confined and unconfined users.
+- Added modules:
+	exim (Dan Walsh)
+	postfixpolicyd (Jan-Frode Myklebust)
+
+* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
+- Add support for setting the unknown permissions handling.
+- Fix XML building for external reference builds and headers builds.
+- Patch to add missing requirements in userdomain interfaces from Shintaro
+  Fujiwara.
+- Add tcpd_wrapped_domain() for services that use tcp wrappers.
+- Update MLS constraints from LSPP evaluated policy.
+- Allow initrc_t file descriptors to be inherited regardless of MLS level.
+  Accordingly drop MLS permissions from daemons that inherit from any level.
+- Files and radvd updates from Stefan Schulze Frielinghaus.
+- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
+  mls_write_all_levels() and mls_read_all_levels(), for consistency.
+- Add make kernel and init ranged interfaces pass the range transition MLS
+  constraints.  Also remove calls to mls_rangetrans_target() in modules that use
+  the kernel and init interfaces, since its redundant.
+- Add interfaces for all MLS attributes except X object classes.
+- Require all sensitivities and categories for MLS and MCS policies, not just
+  the low and high sensitivity and category.
+- Database userspace object manager classes from KaiGai Kohei.
+- Add third-party interface for Apache CGI.
+- Add getserv and shmemserv nscd permissions.
+- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
+- Added modules:
+	application
+	awstats (Stefan Schulze Frielinghaus)
+	bitlbee (Devin Carraway)
+	brctl (Dan Walsh)
+
+* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
+- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
+  libraries module.
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
+- Xen updates from Dan Walsh.
+- Filesystem updates from Dan Walsh.
+- Large samba update from Dan Walsh.
+- Drop snmpd_etc_t.
+- Confine sendmail and logrotate on targeted.
+- Tunable connection to postgresql for users from KaiGai Kohei.
+- Memprotect support patch from Stephen Smalley.
+- Add logging_send_audit_msgs() interface and deprecate
+  send_audit_msgs_pattern().
+- Openct updates patch from Dan Walsh.
+- Merge restorecon into setfiles.
+- Patch to begin separating out hald helper programs from Dan Walsh.
+- Fixes for squid, dovecot, and snmp from Dan Walsh.
+- Miscellaneous consolekit fixes from Dan Walsh.
+- Patch to have avahi use the nsswitch interface rather than individual
+  permissions from Dan Walsh.
+- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
+- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
+  to handle usage from userhelper from Dan Walsh.
+- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+- Patch to allow slocate to getattr other filesystems and directories on those
+  filesystems from Dan Walsh.
+- Fixes for RHEL4 from the CLIP project.
+- Replace the old lrrd fc entries with munin ones.
+- Move program admin template usage out of userdom_admin_user_template() to
+  sysadm policy in userdomain.te to fix usage of the template for third
+  parties.
+- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+  template instead of an interface.
+- Added modules:
+	amtu (Dan Walsh)
+	apcupsd (Dan Walsh)
+	rpcbind (Dan Walsh)
+	rwho (Nalin Dahyabhai)
+
+* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
+- Man page updates from Dan Walsh.
+- Two patches from Paul Moore to for ipsec to remove redundant rules and
+  have setkey read the config file.
+- Move booleans and tunables to modules when it is only used in a single
+  module.
+- Add support for tunables and booleans local to a module.
+- Merge sbin_t and ls_exec_t into bin_t.
+- Remove disable_trans booleans.
+- Output different header sets for kernel and userland from flask headers.
+- Marked the pax class as deprecated, changed it to userland so
+  it will be removed from the kernel.
+- Stop including netfilter contexts by default.
+- Add dontaudits for init fds and console to init_daemon_domain().
+- Patch to allow gpg to create user keys dir.
+- Patch to support kvmfs from Dan Walsh.
+- Patch for misc fixes in sudo from Dan Walsh.
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
+- Patch for handling restart of nscd when ran from useradd, groupadd, and
+  admin passwd, from Dan Walsh.
+- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
+- Patch for gssd fixes from Dan Walsh.
+- Patch for lvm fixes from Dan Walsh.
+- Patch for ricci fixes from Dan Walsh.
+- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
+- Patch for kerberized telnet fixes from Dan Walsh.
+- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
+- Patch for an additional wine executable from Dan Walsh.
+- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
+  corecommands, devices, and java from Dan Walsh.
+- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
+- Patch for misc fixes to bluetooth from Dan Walsh.
+- Patch for misc fixes to kerberos from Dan Walsh.
+- Patch to start deprecating usercanread attribute from Ryan Bradetich.
+- Add dccp_socket object class which was added in kernel 2.6.20.
+- Patch for prelink relabefrom it's temp files from Dan Walsh.
+- Patch for capability fix for auditd and networking fix for syslogd from
+  Dan Walsh.
+- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
+- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
+- Patch to allow apmd to telinit from Dan Walsh.
+- Patch for additional labeling of samba files from Stefan Schulze
+  Frielinghaus.
+- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
+- Fix ptys and ttys to be device nodes.
+- Fix explicit use of httpd_t in openca_domtrans().
+- Clean up file context regexes in apache and java, from Eamon Walsh.
+- Patches from Dan Walsh:
+	Thu, 25 Jan 2007
+- Added modules:
+	consolekit (Dan Walsh)
+	fail2ban (Dan Walsh)
+	zabbix (Dan Walsh)
+
+* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
+- Add policy patterns support macros.  This changes the behavior of
+  the create_dir_perms and create_file_perms permission sets.
+- Association polmatch MLS constraint making unlabeled_t an exception
+  is no longer needed, patch from Venkat Yekkirala.
+- Context contains checking for PAM and cron from James Antill.
+- Add a reload target to Modules.devel and change the load
+  target to only insert modules that were changed.
+- Allow semanage to read from /root on strict non-MLS for
+  local policy modules.
+- Gentoo init script fixes for udev.
+- Allow udev to read kernel modules.inputmap.
+- Dnsmasq fixes from testing.
+- Allow kernel NFS server to getattr filesystems so df can work
+  on clients.
+- Patch from Matt Anderson for a MLS constraint exemption on a
+  file that can be written to from a subject whose range is
+  within the object's range.
+- Enhanced setransd support from Darrel Goeddel.
+- Patches from Dan Walsh:
+	Tue, 24 Oct 2006
+	Wed, 29 Nov 2006
+- Added modules:
+	aide (Matt Anderson)
+	ccs (Dan Walsh)
+	iscsi (Dan Walsh)
+	ricci (Dan Walsh)
+
+* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
+- Patch from Russell Coker Thu, 5 Oct 2006
+- Move range transitions to modules.
+- Make number of MLS sensitivities, and number of MLS and MCS
+  categories configurable as build options.
+- Add role infrastructure.
+- Debian updates from Erich Schubert.
+- Add nscd_socket_use() to auth_use_nsswitch().
+- Remove old selopt rules.
+- Full support for netfilter_contexts.
+- MRTG patch for daemon operation from Stefan.
+- Add authlogin interface to abstract common access for login programs.
+- Remove setbool auditallow, except for RHEL4.
+- Change eventpollfs to task SID labeling.
+- Add key support from Michael LeMay.
+- Add ftpdctl domain to ftp, from Paul Howarth.
+- Fix build system to not move type declarations out of optionals.
+- Add gcc-config domain to portage.
+- Add packet object class and support in corenetwork.
+- Add a copy of genhomedircon for monolithic policy building, so that a
+  policycoreutils package update is not required for RHEL4 systems.
+- Add appletalk sockets for use in cups.
+- Add Make target to validate module linking.
+- Make duplicate template and interface declarations a fatal error.
+- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
+- Move xconsole_device_t from devices to xserver since it is
+  not actually a device, it is a named pipe.
+- Handle nonexistant .fc and .if files in devel Makefile by
+  automatically creating empty files.
+- Remove unused devfs_control_t.
+- Add rhel4 distro, which also implies redhat distro.
+- Remove unneeded range_transition for su_exec_t and move the
+  type declaration back to the su module.
+- Constrain transitions in MCS so unconfined_t cannot have
+  arbitrary category sets.
+- Change reiserfs from xattr filesystem to genfscon as it's xattrs
+  are currently nonfunctional.
+- Change files and filesystem modules to use their own interfaces.
+- Add user fonts to xserver.
+- Additional interfaces in corecommands, miscfiles, and userdomain
+  from Joy Latten.
+- Miscellaneous fixes from Thomas Bleher.
+- Deprecate module name as first parameter of optional_policy()
+  now that optionals are allowed everywhere.
+- Enable optional blocks in base module and monolithic policy.
+  This requires checkpolicy 1.30.1.
+- Fix vpn module declaration.
+- Numerous fixes from Dan Walsh.
+- Change build order to preserve m4 line number information so policy
+  compile errors are useful again.
+- Additional MLS interfaces from Chad Hanson.
+- Move some rules out of domain_type() and domain_base_type()
+  to the TE file, to use the domain attribute to take advantage
+  of space savings from attribute use.
+- Add global stack smashing protector rule for urandom access from
+  Petre Rodan.
+- Fix temporary rules at the bottom of portmap.
+- Updated comments in mls file from Chad Hanson.
+- Patches from Dan Walsh:
+	Fri, 17 Mar 2006
+	Wed, 29 Mar 2006
+	Tue, 11 Apr 2006
+	Fri, 14 Apr 2006
+	Tue, 18 Apr 2006
+	Thu, 20 Apr 2006
+	Tue, 02 May 2006
+	Mon, 15 May 2006
+	Thu, 18 May 2006
+	Tue, 06 Jun 2006
+	Mon, 12 Jun 2006
+	Tue, 20 Jun 2006
+	Wed, 26 Jul 2006
+	Wed, 23 Aug 2006
+	Thu, 31 Aug 2006
+	Fri, 01 Sep 2006
+	Tue, 05 Sep 2006
+	Wed, 20 Sep 2006
+	Fri, 22 Sep 2006
+	Mon, 25 Sep 2006
+- Added modules:
+	afs
+	amavis (Erich Schubert)
+	apt (Erich Schubert)
+	asterisk
+	audioentropy
+	authbind
+	backup
+	calamaris
+	cipe
+	clamav (Erich Schubert)
+	clockspeed (Petre Rodan)
+	courier
+	dante
+	dcc
+	ddclient
+	dpkg (Erich Schubert)
+	dnsmasq
+	ethereal
+	evolution
+	games
+	gatekeeper
+	gift
+	gnome (James Carter)
+	imaze
+	ircd
+	jabber
+	monop
+	mozilla
+	mplayer
+	munin
+	nagios
+	nessus
+	netlabel (Paul Moore)
+	nsd
+	ntop
+	nx
+	oav
+	oddjob (Dan Walsh)
+	openca
+	openvpn (Petre Rodan)
+	perdition
+	portslave
+	postgrey
+	pxe
+	pyzor (Dan Walsh)
+	qmail (Petre Rodan)
+	razor
+	resmgr
+	rhgb
+	rssh
+	snort
+	soundserver
+	speedtouch
+	sxid
+	thunderbird
+	tor (Erich Schubert)
+	transproxy
+	tripwire
+	uptime
+	uwimap
+	vmware
+	watchdog
+	xen (Dan Walsh)
+	xprint
+	yam
+
+* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+  and move bootloader to admin layer.
+- Add semanage policy for semodule from Dan Walsh.
+- Remove allow_execmem from targeted policy domain_base_type().
+- Add users_extra and seusers support.
+- Postfix fixes from Serge Hallyn.
+- Run python and shell directly to interpret scripts so policy
+  sources need not be executable.
+- Add desc tag XML to booleans and tunables, and add summary
+  to param XML tag, to make future translations possible.
+- Remove unused lvm_vg_t.
+- Many interface renames to improve naming consistency.
+- Merge xdm into xserver.
+- Remove kernel module reversed interfaces.
+- Add filename attribute to module XML tag and lineno attribute to
+  interface XML tag.
+- Changed QUIET build option to a yes or no option.
+- Add a Makefile used for compiling loadable modules in a
+  user's development environment, building against policy headers.
+- Add Make target for installing policy headers.
+- Separate per-userdomain template expansion from the userdomain
+  module and add infrastructure to expand templates in the modules
+  that own the template.
+- Enable secadm only for MLS policies.
+- Remove role change rules in su and sudo since this functionality has been
+  removed from these programs.
+- Add ctags Make target from Thomas Bleher.
+- Collapse commands with grep piped to sed into one sed command.
+- Fix type_change bug in term_user_pty().
+- Move ice_tmp_t from miscfiles to xserver.
+- Login fixes from Serge Hallyn.
+- Move xserver_log_t from xdm to xserver.
+- Add lpr per-userdomain policy to lpd.
+- Miscellaneous fixes from Dan Walsh.
+- Change initrc_var_run_t interface noun from script_pid to utmp,
+  for greater clarity.
+- Added modules:
+	certwatch
+	mono (Dan Walsh)
+	mrtg
+	portage
+	tvtime
+	userhelper
+	usernetctl
+	wine (Dan Walsh)
+	xserver
+
+* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
+- Adds support for generating corenetwork interfaces based on attributes 
+  in addition to types.
+- Permits the listing of multiple nodes in a network_node() that will be
+  given the same type.
+- Add two new permission sets for stream sockets.
+- Rename file type transition interfaces verb from create to
+  filetrans to differentiate it from create interfaces without
+  type transitions.
+- Fix expansion of interfaces from disabled modules.
+- Rsync can be long running from init,
+  added rules to allow this.
+- Add polyinstantiation build option.
+- Add setcontext to the association object class.
+- Add apache relay and db connect tunables.
+- Rename texrel_shlib_t to textrel_shlib_t.
+- Add swat to samba module.
+- Numerous miscellaneous fixes from Dan Walsh.
+- Added modules:
+	alsa
+	automount
+	cdrecord
+	daemontools (Petre Rodan)
+	ddcprobe
+	djbdns (Petre Rodan)
+	fetchmail
+	irc
+	java
+	lockdev
+	logwatch (Dan Walsh)
+	openct
+	prelink (Dan Walsh)
+	publicfile (Petre Rodan)
+	readahead
+	roundup
+	screen
+	slocate (Dan Walsh)
+	slrnpull
+	smartmon
+	sysstat
+	ucspitcp (Petre Rodan)
+	usbmodules
+	vbetool (Dan Walsh)
+
+* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
+- Add unlabeled IPSEC association rule to domains with
+  networking permissions.
+- Merge systemuser back in to users, as these files
+  do not need to be split.
+- Add check for duplicate interface/template definitions.
+- Move domain, files, and corecommands modules to kernel
+  layer to resolve some layering inconsistencies.
+- Move policy build options out of Makefile into build.conf.
+- Add yppasswd to nis module.
+- Change optional_policy() to refer to the module name
+  rather than modulename.te.
+- Fix labeling targets to use installed file_contexts rather
+  than partial file_contexts in the policy source directory.
+- Fix build process to use make's internal vpath functions
+  to detect modules rather than using subshells and find.
+- Add install target for modular policy.
+- Add load target for modular policy.
+- Add appconfig dependency to the load target.
+- Miscellaneous fixes from Dan Walsh.
+- Fix corenetwork gen_context()'s to expand during the policy
+  build phase instead of during the generation phase.  
+- Added policies:
+	amanda
+	avahi
+	canna
+	cyrus
+	dbskk
+	dovecot
+	distcc
+	i18n_input
+	irqbalance
+	lpd
+	networkmanager
+	pegasus
+	postfix
+	procmail
+	radius
+	rdisc
+	rpc
+	spamassassin
+	timidity
+	xdm
+	xfs
+
+* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
+- Many fixes to make loadable modules build.
+- Add targets for sechecker.
+- Updated to sedoctool to read bool files and tunable
+  files separately.
+- Changed the xml tag of <boolean> to <bool> to be consistent
+  with gen_bool().
+- Modified the implementation of segenxml to use regular
+  expressions.
+- Rename context_template() to gen_context() to clarify
+  that its not a Reference Policy template, but a support
+  macro.
+- Add disable_*_trans bool support for targeted policy.
+- Add MLS module to handle MLS constraint exceptions,
+  such as reading up and writing down.
+- Fix errors uncovered by sediff.
+- Added policies:
+	anaconda
+	apache
+	apm
+	arpwatch
+	bluetooth
+	dmidecode
+	finger
+	ftp
+	kudzu
+	mailman
+	ppp
+	radvd
+	sasl
+	webalizer
+
+* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
+- Make logrotate, sendmail, sshd, and rpm policies
+  unconfined in the targeted policy so no special
+  modules.conf is required.
+- Add experimental MCS support.
+- Add appconfig for MLS.
+- Add equivalents for old can_resolve(), can_ldap(), and
+  can_portmap() to sysnetwork.
+- Fix base module compile issues.
+- Added policies:
+	cpucontrol
+	cvs
+	ktalk
+	portmap
+	postgresql
+	rlogin
+	samba
+	snmp
+	stunnel
+	telnet
+	tftp
+	uucp
+	vpn
+	zebra
+
+* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
+- Fix errors uncovered by sediff.
+- Doc tool will explicitly say a module does not have interfaces
+  or templates on the module page.
+- Added policies:
+	comsat
+	dbus
+	dhcp
+	dictd
+	hal
+	inn
+	ntp
+	squid
+
+* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
+- Add Makefile support for building loadable modules.
+- Add genclassperms.py tool to add require blocks
+  for loadable modules.
+- Change sedoctool to make required modules part of base
+  by default, otherwise make as modules, in modules.conf.
+- Fix segenxml to handle modules with no interfaces.
+- Rename ipsec connect interface for consistency.
+- Add missing parts of unix stream socket connect interface
+  of ipsec.
+- Rename inetd connect interface for consistency.
+- Rename interface for purging contents of tmp, for clarity,
+  since it allows deletion of classes other than file.
+- Misc. cleanups.
+- Added policies:
+	acct
+	bind
+	firstboot
+	gpm
+	howl
+	ldap
+	loadkeys
+	mysql
+	privoxy
+	quota
+	rshd
+	rsync
+	su
+	sudo
+	tcpd
+	tmpreaper
+	updfstab
+
+* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
+- Fix comparison bug in fc_sort.
+- Fix handling of ordered and unordered HTML lists.
+- Corenetwork now supports multiple network interfaces having the
+  same type.
+- Doc tool now creates pages for global Booleans and global tunables.
+- Doc tool now links directly to the interface/template in the
+  module page when it is selected in the interface/template index.
+- Added support for layer summaries.
+- Added policies:
+	ipsec
+	nscd
+	pcmcia
+	raid
+
+* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
+- Changed xml to have modules encapsulated by layer tags, rather
+  than putting layer="foo" in the module tags.  Also in the future
+  we can put a summary and description for each layer.
+- Added tool to infer interface, module, and layer tags.  This will
+  now list all interfaces, even if they are missing xml docs.
+- Shortened xml tag names.
+- Added macros to declare interfaces and templates.
+- Added interface call trace.
+- Updated all xml documentation for shorter and inferred tags.
+- Doc tool now displays templates in the web pages.
+- Doc tool retains the user's settings in modules.conf and
+  tunables.conf if the files already exist.
+- Modules.conf behavior has been changed to be a list of all
+  available modules, and the user can specify if the module is
+  built as a loadable module, included in the monolithic policy,
+  or excluded.
+- Added policies:
+	fstools (fsck, mkfs, swapon, etc. tools)
+	logrotate
+	inetd
+	kerberos
+	nis (ypbind and ypserv)
+	ssh (server, client, and agent)
+	unconfined
+- Added infrastructure for targeted policy support, only missing
+	transition boolean support.
+
+* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
+	- Initial release