selinux-refpolicy/Changelog

* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (78):
      Mcelog update from Guido Trentalancia.
      Add bird contrib module from Dominick Grift.
      Minor whitespace fix in udev.fc
      Module version bump for udev binary location update from Sven Vermeulen.
      clarify the file_contexts.subs_dist configuration file usage from Guido
         Trentalancia
      Update contrib.
      Remove trailing / from paths
      Module version bump for fc substitutions optimizations from Sven
         Vermeulen.
      Update contrib.
      Module version bump for /run/dhcpc directory creation by dhcp from Sven
         Vermeulen.
      Module version bump for fc fixes in devices module from Dominick Grift.
      Update contrib.
      Module version bump for /dev/mei type and label from Dominick Grift.
      Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
      Module version bump for lost+found labeling in /var/log from Guido
         Trentalancia.
      Module version bump for loop-control patch.
      Turn off all tunables by default, from Guido Trentalancia.
      Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
      Module version bump for various changes from Sven Vermeulen.
      Module version bump for ports update from Dominick Grift.
      Module version bump for Debian file context updates from Laurent
         Bigonville.
      Update contrib.
      Update contrib.
      split kmod fc into two lines.
      Module version bump for kmod fc from Laurent Bigonville.
      Module version bump for cfengine fc change from Dominick Grift.
      Module verision bump for Debian cert file fc update from Laurent
         Bigonville.
      Module version bump for ipsec net sysctls reading from Miroslav Grepl.
      Module version bump for srvloc port definition from Dominick Grift.
      Rename cachefiles_dev_t to cachefiles_device_t.
      Module version bump for cachefiles core support.
      Module version bump for changes from Dominick Grift and Sven Vermeulen.
      Module version bump for modutils patch from Dominick Grift.
      Module version bump for dhcp6 ports, from Russell Coker.
      Rearrange new xserver interfaces.
      Rename new xserver interfaces.
      Module version bump for xserver interfaces from Dominick Grift.
      Move kernel_stream_connect() declaration.
      Module version bump for kernel_stream_connect() from Dominick Grift.
      Rename logging_search_all_log_dirs to logging_search_all_logs
      Module version bump for minor logging and sysnet changes from Sven
         Vermeulen.
      Module version bump for dovecot libs from Mika Pflueger.
      Rearrange interfaces in files, clock, and udev.
      Module version bump for interfaces used by virt from Dominick Grift.
      Module version bump for arping setcap from Dominick Grift.
      Rearrange devices interfaces.
      Module version bump/contrib sync.
      Rearrange lines.
      Module version bump for user home content fixes from Dominick Grift.
      Rearrange files interfaces.
      Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
      Update contrib.
      Whitespace fix in miscfiles.fc.
      Adjust man cache interface names.
      Module version bump for man cache from Dominick Grift.
      Module version bump for Debian ssh-keysign location from Laurent
         Bigonville.
      Module version bump for userdomain portion of XDG updates from Dominick
         Grift.
      Module version bump for iptables fc entry from Sven Vermeulen and inn log
         from Dominick Grift.
      Module version bump for logging and tcpdump fixes from Sven Vermeulen.
      Move mcs_constrained() impementation.
      Module version bump for mcs_constrained from Dominick Grift.
      Update contrib.
      Module version bump from Debian changes from Laurent Bigonville.
      Module version bump for zfs labeling from Matthew Thode.
      Module version bump for misc updates from Sven Vermeulen.
      Update contrib.
      Module version bump for fixes from Dominick Grift.
      Module version bump for Debian updates from Laurent Bigonville.
      Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
      Update contrib
      Fix fc_sort.c warning uncovered by recent gcc
      Module version bump for chfn fixes from Sven Vermeulen.
      Add swapoff fc entry.
      Add conntrack fc entry.
      Update contrib.
      Update contrib
      Archive old Changelog for log format change.
      Bump module versions for release.

Dominick Grift (40):
      There can be more than a single watchdog interface
      Fix a suspected typo
      Intel® Active Management Technology
      Declare a loop control device node type and label /dev/loop-control
         accordingly
      Declare port types for ports used by Fedora but use /etc/services for port
         names rather than using fedora port names. If /etc/services does not
         have a port name for a port used by Fedora, skip for now.
      Remove var_log_t file context spec
      svrloc port type declaration from slpd policy module
      Declare a cachfiles device node type
      Implement files_create_all_files_as() for cachefilesd
      Restricted Xwindows user domains run windows managers in the windows
         managers domain
      Declare a cslistener port type for phpfpm
      Changes to the sysnetwork policy module
      Changes to the userdomain policy module
      Changes to the bootloader policy module
      Changes to the modutils policy module
      Changes to the xserver policy module
      Changes to various policy modules
      Changes to the kernel policy module
      For svirt_lxc_domain
      For svirt_lxc_domain
      For svirt_lxc_domain
      For virtd lxc
      For virtd_lxc
      For virtd_lxc
      For virtd lxc
      For virtd lxc
      For virtd
      Arping needs setcap to cap_set_proc
      For virtd
      Changes to the user domain policy module
      Samhain_admin() now requires a role for the role_transition from $1 to
         initrc_t via samhain_initrc_exec_t
      Changes to the user domain policy module
      Label /var/cache/man with a private man cache type for mandb
      Create a attribute user_home_content_type and assign it to all types that
         are classified userdom_user_home_content()
      These two attribute are unused
      System logger creates innd log files with a named file transition
      Implement mcs_constrained_type
      Changes to the init policy module
      Changes to the userdomain policy module
      NSCD related changes in various policy modules

Guido Trentalancia (1):
      add lost+found filesystem labels to support NSA security guidelines

Laurent Bigonville (21):
      Add Debian locations for GDM 3
      Add Debian location for udisks helpers
      Add insmod_exec_t label for kmod executable
      Add Debian location for PKI files
      Add Debian location for ssh-keysign
      Properly label all the ssh host keys
      Allow udev_t domain to read files labeled as consolekit_var_run_t
      authlogin.if: Add auth_create_pam_console_data_dirs and
         auth_pid_filetrans_pam_var_console interfaces
      Label /etc/rc.d/init.d/x11-common as xdm_exec_t
      Drop /etc/rc.d/init.d/xfree86-common filecontext definition
      Label /var/run/shm as tmpfs_t for Debian
      Label /var/run/motd.dynamic as initrc_var_run_t
      Label /var/run/initctl as initctl_t
      udev.if: Call files_search_pid instead of files_search_var_lib in
         udev_manage_pid_files
      Label executables in /usr/lib/NetworkManager/ as bin_t
      Add support for rsyslog
      Label var_lock_t as a mountpoint
      Add mount_var_run_t type and allow mount_t domain to manage the files and
         directories
      Add initrc_t to use block_suspend capability
      Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
      Label nut drivers that are installed in /lib/nut on Debian as bin_t

Matthew Thode (1):
      Implement zfs support

Mika Pflüger (2):
      Debian locations of gvfs and kde4 libexec binaries in /usr/lib
      Explicitly label dovecot libraries lib_t for debian

Miroslav Grepl (1):
      Allow ipsec to read kernel sysctl

Paul Moore (1):
      flask: add the attach_queue permission to the tun_socket object class

Russell Coker (1):
      Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
         client control

Sven Vermeulen (27):
      New location for udevd binary
      Use substititions for /usr/local/lib and /etc/init.d
      DHCP client's hooks create /run/dhcpc directory
      Introduce init_daemon_run_dir transformation
      Use the init_daemon_run_dir interface for udev
      Allow initrc_t to create run dirs for core modules
      Puppet uses mount output for verification
      Allow syslogd to create /var/lib/syslog and
         /var/lib/misc/syslog-ng.persist
      Gentoo's openrc does not require initrc_exec_t for runscripts anymore
      Allow init scripts to read courier configuration
      Allow search within postgresql var directory for the stream connect
         interface
      Introduce logging_getattr_all_logs interface
      Introduce logging_search_all_log_dirs interface
      Support flushing routing cache
      Allow init to set attributes on device_t
      Introduce files_manage_all_pids interface
      Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
      Update files_manage_generic_locks with directory permissions
      Run ipset in iptables domain
      tcpdump chroots into /var/lib/tcpdump
      Remove generic log label for cron location
      Postgresql 9.2 connects to its unix stream socket
      lvscan creates the /run/lock/lvm directory if nonexisting (v2)
      Allow syslogger to manage cron log files (v2)
      Allow initrc_t to read stunnel configuration
      Introduce exec-check interfaces for passwd binaries and useradd binaries
      chfn_t reads in file context information and executes nscd