RSBAC Changes in recent versions
--------------------------------
1.2.4: - Add user management tools with all {user|group}{add|mod|del}
functionality
- Add GROUP target to tools
- Add PAM and NSSwitch modules to access the new user management
to contrib dir
- Cross linked HTML output in rc_get_item htmlprint.
- Add rsbac_list_ta tool for transaction support for administration:
begin, add a set of desired changes, commit atomically or forget.
Change all existing tools to use transaction numbers.
- Correct role and type values in rc_getname item parameters.
- Add rc_copy_type
- Add RC type copying to rsbac_rc_type_menu
- Add PaX default value switch to attr_back_fd, because PaX defaults
are now configurable.
1.2.3: - Made librsbac.a a dynamic lib librsbac.so with version numbers
- Added PaX module support
- Added support for new attributes
- RC pretty-print config output with rc_get_item print
- Reject unknown usernames in all tools instead of using numerical
value 0.
- Fix admin tools segfault when using -V without parameter
- New rc_get_current_role
- New mac_set_trusted tool for mac_trusted_for_user with list instead
of single user.
- Change ''rsbac_jail'' syntax to make ''chroot()'' and IP address optional
- New optional rsbac_jail parameter max_caps, which limits the Linux
capabilities of all processes in the jail
- New JAIL module regression suite in contrib
- Added backup of RES user settings
1.2.2: - Added MS need_scan attribute
- Syscall version numbers
- New attributes for RES module
- rsbac_init tool for delayed init
- New AUTH caps for eff/fd owner in FD menu
- MAC wrap and attribute changes for new MAC implementation
- New system role Auditor in user menu
1.2.1: - Removed target type checks, which are now all in kernel (including
FD target type).
- Added recursion support for attr_back_dev.
- Added JAIL module support
- Added logging of all RSBAC setting modifications through menues
(RSBACLOGFILE setting)
1.2.0: - Added module parameter to all rsbac_get/set_attr calls
- Updated user menu to use new mac_role etc. instead of system_role
- Added min/max_cap attributes
- Changed RC menues to support unlimited roles and types and 32 Bit
values
- Added rsbac_dialog, a copy of standard dialog with several
enhancements (like --menu3 with help button)
- Changed menues and tools to support new NET targets
- Added help to all menues
- Added network and network template menues
- Added ttl support to ACL tools and menues
- Added ttl support in RC tools
- Updated rsbac_dialog and moved to subdir (Thanks to Stanislav again)
1.1.2: - Changed build process to autoconf/automake (Stanislav Ievlev)
- Added dialog tool check to menues
- Added SYMLINK target support to most tools and menues
- Got REG samples moved from kernel part to examples/reg
- Removed write_list feature from rsbac_pm
- added rc_initial_role to FD tools
- added ff_flag append_only
- changed tmp file allocation to mktemp
- added contrib/rsu (RC role-su) by Stanislav Ievlev
- added linux2acl, a Linux rights to ACL converter
- attr_back_fd now supports MAC with and without def_inherit
1.1.1: - Support for FIFO targets added
- Internationalization added for command line tools, languages ru
and de
- attr_[gs]et_fd now support FD target
- *_back_* now need a switch for *not* writing to stdout
1.1.0: - 'copy rights to type' added to rc_set_item and rsbac_rc_role_menu
1.0.9c: - acl_rm_user added
- file/dir selection changed in menues
- examples/backup_all added
- new rsbac-klogd
1.0.9b: - Support for 32 Bit Uids/Gids
- Support for new attributes log_program_based and log_user_based
- Support for AUTH cap ranges
- Support for new MAC security levels 0-252
- Removed obsolete useraci file installation
- Russian menues and man pages added
(thanks to our Russian team, see rus/README)
1.0.9a: - Added acl_group for full ACL group administration
- Updated and changed RC tools for new separation of duty
- Added ACL menu tools, with necessary additions to command
line tools
- Updated menues for new RC force role inherit_up_mixed
1.0.9: - Added support for long file/dir names and for those with spaces
to rsbac_fd_menu
- Changed rc_get_item, rc_set_item and rsbac_rc_role_menu to
support the changed RC model. The new model distinguishes
between all requests for role to type compatibility, allowing
for much finer security settings.
- Added acl_rights, acl_tlists, acl_grant and acl_mask for
complete ACL model administration
1.0.8: - Added RC attributes
- Wrote RC admin tools: rc_copy_role, rc_get_item, rc_set_item,
rc_role_wrap
- Wrote rsbac_rc_role_menu and rsbac_rc_type_menu
- Added AUTH attributes to file/dir and process tools
- Wrote AUTH admin tools auth_set_cap and auth_back_cap
- Added MAC category support to most tools and to most menus
- Wrote mac_wrap_cat, a simple category wrapper similar to
mac_wrap for security levels.
- Made tools compliant to glibc
1.0.7a: - Added recursion to attr_set_fd
- Added recursive attr_rm_fd and attr_rm_file_dir to reset all
attribute values to defaults for a target by removing the list
entry.
- Added resetting to rsbac_fd_menu
1.0.7: - Added inherit values to security_level, object_category and
data_type in rsbac_fd_menu
- Added menu item to change between effective and real attribute
values
- Added support for different screen sizes - if LINES and COLUMNS
are exported from bash (e.g. in /etc/profile)
1.0.6: - Changed rsbac_fd_menu and rsbac_process_menu to tristate
ms_trusted
- Added attribute ff_flags with bit values to rsbac_fd_menu
- Added rsbac_check to call sys_rsbac_check(), which checks
attribute consistency
1.0.5: - rsbac_write added to call sys_rsbac_write = save attributes now
- mac_wrap added to start a program with changed maximum security
level (not the process owner's), e.g. from inetd
- user_aci.sh added to set default roles with maintenance kernel
1.0.4: - Attributes mac_trusted_for_user, ms_sock_trusted_tcp/udp added to
FILE utils
- Attributes ms_sock_trusted_tcp/udp added to process utils
- Attributes ms_trusted, ms_sockbuf, ms_str_nr, ms_str_offset,
ms_scanned added to ipc utils
- Attribute object_type removed from ipc utils, as in kernel - was
IPC all the time anyway
- Adjusted syscall return value interpretation to 2.1 kernels
1.0.3: - Target DEV added to file/dir utilities. rsbac_dev_menu added.
Now devices can get their own attributes based
on major/minor numbers, not only based on their file representations
in /dev, which can be easily duplicated.
- Attribute object_type removed from rsbac_fd_menu, was not used anyway
and removed in rsbac/kernel.
- attr_back_fd added. (Recursive) backup of all attribute values for
those files/dirs given in command line. Only non-default values are
saved. Output script file contains all attr_set_file_dir calls needed
to restore.
- Similar attr_back_user and attr_back_dev added.
- Attributes log_array_low and log_array_high added to file/dir/dev
utils.
- Administration menu for (file/dir/dev X request) log levels
added to rsbac_fd_menu and rsbac_dev_menu.
- Command line utils also got log_level special options.
20/Apr/2001
Amon Ott <ao@rsbac.org>
