SMP issues in the module have been fixed. The policy compiler now has a fairly solid warning mechanism. Support for CAP_SETPCAP was removed due to security issues.
This version fixes a few bugs in the policy compiler,
including one that caused it to have problems using the
'users' group. Symlink handling has also been much
improved.
Rule checks are done at program load rather than for each system call, so there is less overhead. The policy can specify which rules should cause audit data to be produced. The policy compiler has much better error checking. Several bugs in the module were fixed, including a memory leak, and a race that occurred when using path checks.
Processes can now be authorized based on the path of the executable. The
policy mechanism has been completely redesigned, and is significantly
more flexible and powerful. Several bugs of varying severity have been
fixed. The documentation now includes a short howto on configuring a
policy for your site.