RSBAC Changes in recent versions
--------------------------------
1.5.6:
  - Add IPC memfd
  - Add R_RENAME to IPC request group
  - Remove rklogd

1.5.5:
 - remove PAX and DAZ support

1.5.3:
 - net_temp: support INET6/IPv6 addresses

1.5.2:
 - Add new syscalls rsbac_api_min_version() and rsbac_api_max_version()
 - rsbac_jail parameter -T to set flag JAIL_allow_process_by_parent
 - Support RC log force feature

1.5.1:
 - Call RSBAC syscalls with API version, not tools version

1.5.0:
 - Support 64 Bit file offsets etc.
 - Add pointer checks and clear memory
 - Remove dac_disable, add allow_write_exec attribute

1.4.9:
 - rsbac_usershow: add -P = short list all users with pseudo and full names
 - rsbac_jail flag -F (JAIL_allow_netdev_mod_system), MODIFY_SYSTEM_DATA on
   NETDEV
 - all tools with user names: add parameter -z to not accept uids for usernames


1.4.8:
	- Remove PM and add UDF support

1.4.7:
	- Ensure that user parameters used as numeric really only contain numbers.
	- Add MOVETO to request_groups.h.
	- Add WRITE_OPEN to IPC request groups

1.4.6:
	- Add --tag=CC to tell libtool that we are processing C source
	  code. Somehow, newer versions of libtool (or unpatched, or patched,
	  I'm not sure...) need this or fail to detect the C source code. This
	  is not documented by libtool.
	- Follow pam_*_session flag PAM_SILENT.
	- Add rsbac_jail parameter -K for allow_netlink flag
	- Correct uninstall target
	- Fix pseudo output.
	- Fix off-by-one string allocation size errors in useradd and
	  usermod.
	- Support password history length settings in rsbac_user* tools with
	  -i.
	- Do not cleanup PAM password after auth fail, might be needed by
	  next module.
	- Add rsbac_usershow parameters to list users with shell or full
	  name.
	- Fix user listings in rsbac_usershow and add new -B parameter for
	  shell+full
	- Improve given user parameter value check: Only use as numeric, if
	  it really is
	- Change version strings to 1.4.6

1.4.5:
	- Fix NSS lockup and several compile warnings
	- Make -G, -H and -I work in rsbac_useradd and rsbac_usermod with
	  multiple users
	- New rsbac_usershow option to list users with full name or with
	  shell
	- Sort group member list and extra group membership list
	- Allow to limit attr_back_user to some modules with -M
	- Add -- parameter to rsbac_usershow and rsbac_groupshow to stop
	  flag processing

1.4.4:
	- pam_rsbac: check old password before asking for new one

1.4.3:
	- nss: only require 10 extra bytes, if virtual set, and add missing buflen check.
	- Sort assign_roles etc. list in rsbac_rc_role_menu.
	- Add gid replacement code to rsbac_groupadd and rsbac_groupshow.
	- Also backup empty extra group list.
	- Use -I to backup extra groups in rsbac_usershow backup mode.
	- New rsbac_usermod parameter -I to set a list of extra groups.
	- Add rsbac_usershow -r parameter to add -r to rsbac_useradd in backup mode.
	- Add rsbac_useradd -r and -R parameters to (un)conditionally replace existing.
	- Fix subrole / subtype number read in rc_get_item.

1.4.2:
	- Fix warnings with GCC 4.3
	- Add some missing progname arguments in USAGE

1.4.1:
	- Support NETLINK protocol ANY to match any proto.
	- Various fixes in menus (thanks zbyniu)
	- Do not backup SCD names.
	- Append cross-referenced per-type list of role rights to rc_get_item htmlprint.
	- Fix rc_get_item -0 backup: Really print lines without rights.
	- Start RBAC REG sample - going to be an RBAC standard model implementation.
	- Add SCD target videomem.

1.4.0:
	- Added support for VUM.
	- PAM module does not send a message "User not authenticated" anymore if authentication failed (to match other PAM modules' behavior).
	- Made PAM password prompt standard; it can be set to RSBAC's custom prompt only if the user wants it.
	- OTP support for UM.
	- rsbac_useradd -K to copy a user with password.
	Upports from 1.3:
	- Autodetect if architecture is x86_64, in which case LIBDIR becomes /lib64 by default. (User setting still can override this).
	- Removed the IPC menu call from rsbac_process_menu.
	- Updated REG samples to be on par with the kernel.
	- Added missing request to group request groups.

1.3.5:
	- Libs install again in /usr. Distros will have to link and move files around. Sorry FHS, libtool doesn't like you :)
	- Add tools version strings to rsbac_version output.

1.3.4:
	- rsbac_version missing in rsbac-admin debian package
	- Fix user attribute backup and menu for cap_ld_env.
	- Fix UM password backup output with rsbac_usershow -b -p
	- Unified the library directory under the LIBDIR variable (e.g. make LIBDIR=/lib64).
	  Old variables are still functional but are deprecated.
	- Libraries install to /lib by default (especially for UM).
	  Feel free to change to /usr if you aren't using UM or anything in RSBAC that must run at boot time.

1.3.3:
	- English spelling
	- libtool fixes
	- mo files were not generated from target 'all', installation would fail in some cases

1.3.2:
	- Fixed name typo USER=>GROUP in rc_get_item, see issue #84

1.3.1:
	- Rewrote the way rsbac_jail enters a new namespace. Now it works
	  like it should.

1.3.0:
	- Correct right detection for check list menus.
	- Support role password. Support request type AUTHENTICATE.
	- Add rsbac_version tool to get tools and kernel version.
	- Fix sorting of RC roles in backup.
	- Allow to specify an additional title for rc_get_item htmlprint.
	- Mark invalid rights in "rc_get_item htmlprint" in dark brown.
	- Support cap_ld_env in attr_back_fd.
	- Sort rc_get_item output.
	- Removed custom _syscall* functions; you now need glibc 2.1+ or uclibc or something that has fPIC-aware syscall functions.
	- Include sys/types.h + asm/types.h instead of linux/types.h for userland
	- Added a global uninstall target.
	- Small reformatting. Do not show -U option in rsbac_jail help.
	- Explicitly set HOME, SHELL, PATH and LOGNAME env vars (whether the whole env is cleared or not).
	- Echo "Login incorrect" even if the user does not exist (no information leak).
	- Preserve TERM env variable in all cases.
	- New JAIL parameter -N, for enclosing jailed process in its private namespace.
	- Add -i option to attr_get_ipc to list all ipcs with non-default attributes
	- Change network template tool net_temp to support multiple INET
	  addresses and port ranges, remove UNIX address support.
	- Add flag -A to net_temp to add new addresses or ports instead of replacing the old list.

1.2.5:
        - New make based build system.
        - Add attr_{get|set|back}_group, rsbac_group_menu
        - Make all tools print help screen with -h
        - rsbac_list_ta can now prompt for a password.
	- Tools now attempt to lock passwords into physical memory.
	- New rsbac_auth tool for Squid.
        - Fix RSBAC NSS lib bug related to additional user groups (e.g. id -G
          <user> crashes with segmentation fault).

1.2.4:  - Add user management tools with all {user|group}{add|mod|del}
          functionality
        - Add GROUP target to tools
        - Add PAM and NSSwitch modules to access the new user management
          to contrib dir
        - Cross linked HTML output in rc_get_item htmlprint.
        - Add rsbac_list_ta tool for transaction support for administration:
          begin, add a set of desired changes, commit atomically or forget.
          Change all existing tools to use transaction numbers.
        - Correct role and type values in rc_getname item parameters.
        - Add rc_copy_type
        - Add RC type copying to rsbac_rc_type_menu
        - Add PaX default value switch to attr_back_fd, because PaX defaults
          are now configurable.

1.2.3:  - Made librsbac.a a dynamic lib librsbac.so with version numbers
        - Added PaX module support
        - Added support for new attributes
        - RC pretty-print config output with rc_get_item print
        - Reject unknown usernames in all tools instead of using numerical
          value 0.
        - Fix admin tools segfault when using -V without parameter
        - New rc_get_current_role
        - New mac_set_trusted tool for mac_trusted_for_user with list instead
          of single user.
        - Change rsbac_jail syntax to make chroot() and IP address optional
        - New optional rsbac_jail parameter max_caps, which limits the Linux
          capabilities of all processes in the jail
        - New JAIL module regression suite in contrib
        - Added backup of RES user settings
  
1.2.2:  - Added MS need_scan attribute
        - Syscall version numbers
        - New attributes for RES module
        - rsbac_init tool for delayed init
        - New AUTH caps for eff/fd owner in FD menu
        - MAC wrap and attribute changes for new MAC implementation
        - New system role Auditor in user menu

1.2.1:  - Removed target type checks, which are now all in kernel (including
          FD target type).
        - Added recursion support for attr_back_dev.
        - Added JAIL module support
        - Added logging of all RSBAC setting modifications through menus
          (RSBACLOGFILE setting)

1.2.0:  - Added module parameter to all rsbac_get/set_attr calls
        - Updated user menu to use new mac_role etc. instead of system_role
        - Added min/max_cap attributes
        - Changed RC menus to support unlimited roles and types and 32 Bit
          values
        - Added rsbac_dialog, a copy of standard dialog with several
          enhancements (like --menu3 with help button)
        - Changed menus and tools to support new NET targets
        - Added help to all menus
        - Added network and network template menus
        - Added ttl support to ACL tools and menus
        - Added ttl support in RC tools
	- Updated rsbac_dialog and moved to subdir (Thanks to Stanislav again)

1.1.2:  - Changed build process to autoconf/automake (Stanislav Ievlev)
        - Added dialog tool check to menus
        - Added SYMLINK target support to most tools and menus
        - Got REG samples moved from kernel part to examples/reg
        - Removed write_list feature from rsbac_pm
        - added rc_initial_role to FD tools
        - added ff_flag append_only
        - changed tmp file allocation to mktemp
        - added contrib/rsu (RC role-su) by Stanislav Ievlev
        - added linux2acl, a Linux rights to ACL converter
        - attr_back_fd now supports MAC with and without def_inherit

1.1.1:  - Support for FIFO targets added
        - Internationalization added for command line tools, languages ru
          and de
        - attr_[gs]et_fd now support FD target
        - *_back_* now need a switch for *not* writing to stdout

1.1.0:  - 'copy rights to type' added to rc_set_item and rsbac_rc_role_menu

1.0.9c: - acl_rm_user added
        - file/dir selection changed in menus
        - examples/backup_all added
        - new rsbac-klogd

1.0.9b: - Support for 32 Bit Uids/Gids
        - Support for new attributes log_program_based and log_user_based
        - Support for AUTH cap ranges
        - Support for new MAC security levels 0-252
        - Removed obsolete useraci file installation
        - Russian menus and man pages added
          (thanks to our Russian team, see rus/README)

1.0.9a: - Added acl_group for full ACL group administration
        - Updated and changed RC tools for new separation of duty
        - Added ACL menu tools, with necessary additions to command
          line tools
        - Updated menus for new RC force role inherit_up_mixed

1.0.9:  - Added support for long file/dir names and for those with spaces
          to rsbac_fd_menu
        - Changed rc_get_item, rc_set_item and rsbac_rc_role_menu to
          support the changed RC model. The new model distinguishes
          between all requests for role to type compatibility, allowing
          for much finer security settings.
        - Added acl_rights, acl_tlists, acl_grant and acl_mask for
          complete ACL model administration

1.0.8:  - Added RC attributes
        - Wrote RC admin tools: rc_copy_role, rc_get_item, rc_set_item,
          rc_role_wrap
        - Wrote rsbac_rc_role_menu and rsbac_rc_type_menu
        - Added AUTH attributes to file/dir and process tools
        - Wrote AUTH admin tools auth_set_cap and auth_back_cap
        - Added MAC category support to most tools and to most menus
        - Wrote mac_wrap_cat, a simple category wrapper similar to
          mac_wrap for security levels.
        - Made tools compliant to glibc

1.0.7a: - Added recursion to attr_set_fd
        - Added recursive attr_rm_fd and attr_rm_file_dir to reset all
          attribute values to defaults for a target by removing the list
          entry.
        - Added resetting to rsbac_fd_menu

1.0.7:  - Added inherit values to security_level, object_category and
          data_type in rsbac_fd_menu
        - Added menu item to change between effective and real attribute
          values
        - Added support for different screen sizes - if LINES and COLUMNS
          are exported from bash (e.g. in /etc/profile)

1.0.6:  - Changed rsbac_fd_menu and rsbac_process_menu to tristate
          ms_trusted
        - Added attribute ff_flags with bit values to rsbac_fd_menu
        - Added rsbac_check to call sys_rsbac_check(), which checks
          attribute consistency

1.0.5:  - rsbac_write added to call sys_rsbac_write = save attributes now
        - mac_wrap added to start a program with changed maximum security
          level (not the process owner's), e.g. from inetd
        - user_aci.sh added to set default roles with maintenance kernel

1.0.4:  - Attributes mac_trusted_for_user, ms_sock_trusted_tcp/udp added to
          FILE utils
        - Attributes ms_sock_trusted_tcp/udp added to process utils
        - Attributes ms_trusted, ms_sockbuf, ms_str_nr, ms_str_offset,
          ms_scanned added to ipc utils
        - Attribute object_type removed from ipc utils, as in kernel - was
          IPC all the time anyway
        - Adjusted syscall return value interpretation to 2.1 kernels

1.0.3:  - Target DEV added to file/dir utilities. rsbac_dev_menu added.
          Now devices can get their own attributes based
          on major/minor numbers, not only based on their file representations
          in /dev, which can be easily duplicated.
        - Attribute object_type removed from rsbac_fd_menu, was not used anyway
          and removed in rsbac/kernel.
        - attr_back_fd added. (Recursive) backup of all attribute values for
          those files/dirs given in command line. Only non-default values are
          saved. Output script file contains all attr_set_file_dir calls needed
          to restore.
        - Similar attr_back_user and attr_back_dev added.
        - Attributes log_array_low and log_array_high added to file/dir/dev
          utils.
        - Administration menu for (file/dir/dev X request) log levels
          added to rsbac_fd_menu and rsbac_dev_menu.
        - Command line utils also got log_level special options.

20/Apr/2001
Amon Ott <ao@rsbac.org>
