commit: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
AuthorDate: Thu Jun 19 14:48:38 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Wed Jun 25 18:59:13 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fbd16c79 |
|
Always use the unknown permissions handling build option. |
|
This compile-time feature is in the minimum-required checkpolicy/checkmodule |
for building the policy, so it should always be used. |
|
--- |
Makefile | 2 +- |
Rules.modular | 5 +---- |
Rules.monolithic | 10 ++-------- |
build.conf | 2 +- |
4 files changed, 5 insertions(+), 14 deletions(-) |
|
20 |
diff --git a/Makefile b/Makefile |
21 |
index 7e5bf4b..70b213a 100644 |
22 |
--- a/Makefile |
23 |
+++ b/Makefile |
24 |
@@ -209,7 +209,7 @@ endif |
25 |
NAME ?= $(TYPE) |
26 |
|
27 |
# default unknown permissions setting |
28 |
-#UNK_PERMS ?= deny |
29 |
+UNK_PERMS ?= deny |
30 |
|
31 |
ifeq ($(DIRECT_INITRC),y) |
32 |
M4PARAM += -D direct_sysadm_daemon |
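Review bot: `UNK_PERMS` is never checked for a usable value, and with this commit the recipes in Rules.modular (`$(base_mod)`) and Rules.monolithic (`$(polver)`, `$(loadpath)`) pass `-U $(UNK_PERMS)` unconditionally. `?=` only applies when the variable is undefined, so a build.conf or command line that sets `UNK_PERMS=` to empty, which the removed `ifneq "$(UNK_PERMS)" ""` guards treated as "no flag", would leave `-U` to take the next word, the policy source, as its argument. A check placed right after this default would stop the build early with a clear message: `ifeq "$(filter allow deny reject,$(UNK_PERMS))" ""`, `$(error UNK_PERMS must be allow, deny or reject)`, `endif`. The three accepted values are the ones the build.conf comment lists.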
33 |
|
34 |
diff --git a/Rules.modular b/Rules.modular |
35 |
index b2d2ac4..c3c914a 100644 |
36 |
--- a/Rules.modular |
37 |
+++ b/Rules.modular |
38 |
@@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers |
39 |
@test -d $(builddir) || mkdir -p $(builddir) |
40 |
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers |
41 |
|
42 |
-ifneq "$(UNK_PERMS)" "" |
43 |
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS) |
44 |
-endif |
45 |
$(base_mod): $(base_conf) |
46 |
@echo "Compiling $(NAME) base module" |
47 |
- $(verbose) $(CHECKMODULE) $^ -o $@ |
48 |
+ $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@ |
49 |
|
50 |
$(tmpdir)/seusers: $(seusers) |
51 |
@mkdir -p $(tmpdir) |
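Review bot: The `-U $(UNK_PERMS)` argument added to the `$(base_mod)` recipe carries no comment, and with the `ifneq` block removed nothing at this rule says what the flag controls or where its value comes from. I would add above the rule `# -U: how the kernel handles classes/permissions not defined in the policy (UNK_PERMS: allow, deny or reject; see build.conf)`. That wording follows the build.conf comment; whether other checkmodule invocations in this file need the flag as well cannot be judged from the hunk.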
52 |
|
53 |
diff --git a/Rules.monolithic b/Rules.monolithic |
54 |
index b8d180e..6505550 100644 |
55 |
--- a/Rules.monolithic |
56 |
+++ b/Rules.monolithic |
57 |
@@ -63,9 +63,6 @@ resetlabels: $(fcpath) |
58 |
# |
59 |
# Build a binary policy locally |
60 |
# |
61 |
-ifneq "$(UNK_PERMS)" "" |
62 |
-$(polver): CHECKPOLICY += -U $(UNK_PERMS) |
63 |
-endif |
64 |
$(polver): $(policy_conf) |
65 |
@echo "Compiling $(NAME) $(polver)" |
66 |
ifneq ($(pv),$(kv)) |
67 |
@@ -73,15 +70,12 @@ ifneq ($(pv),$(kv)) |
68 |
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" |
69 |
@echo |
70 |
endif |
71 |
- $(verbose) $(CHECKPOLICY) $^ -o $@ |
72 |
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ |
73 |
|
74 |
######################################## |
75 |
# |
76 |
# Install a binary policy |
77 |
# |
78 |
-ifneq "$(UNK_PERMS)" "" |
79 |
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) |
80 |
-endif |
81 |
$(loadpath): $(policy_conf) |
82 |
@echo "Compiling and installing $(NAME) $(loadpath)" |
83 |
ifneq ($(pv),$(kv)) |
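Review bot: `-U $(UNK_PERMS)` is now written out in the `$(polver)` recipe here and again in the `$(loadpath)` recipe in the next hunk, so the two compile commands can drift apart if only one of them is edited later. Since the flag is no longer conditional, a single unconditional `CHECKPOLICY += -U $(UNK_PERMS)` near the top of Rules.monolithic would let both recipes stay as `$(verbose) $(CHECKPOLICY) $^ -o $@`; this assumes no other use of `$(CHECKPOLICY)` in the file has to omit the flag, which the hunks do not show. The `$(polver)` rule starts in the previous hunk and the `$(loadpath)` rule continues into the next one.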
84 |
@@ -90,7 +84,7 @@ ifneq ($(pv),$(kv)) |
85 |
@echo |
86 |
endif |
87 |
@$(INSTALL) -d -m 0755 $(@D) |
88 |
- $(verbose) $(CHECKPOLICY) $^ -o $@ |
89 |
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ |
90 |
|
91 |
######################################## |
92 |
# |
93 |
|
94 |
diff --git a/build.conf b/build.conf |
95 |
index 5a521c4..0fffc2a 100644 |
96 |
--- a/build.conf |
97 |
+++ b/build.conf |
98 |
@@ -35,7 +35,7 @@ NAME = refpolicy |
99 |
# can either be allowed, denied, or the policy loading |
100 |
# can be rejected. |
101 |
# allow, deny, and reject are current options. |
102 |
-#UNK_PERMS = deny |
103 |
+UNK_PERMS = deny |
104 |
|
105 |
# Direct admin init |
106 |
# Setting this will allow sysadm to directly |
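Review bot: The comment above `UNK_PERMS = deny` still reads as if the setting were optional, but after this commit a value is always passed to the policy compiler. Commenting the line out again no longer omits the option; it presumably falls back to the `UNK_PERMS ?= deny` default in the Makefile (the include order is not visible here). I would add a line such as `# This option is always passed to the policy compiler; if unset, the Makefile default (deny) is used.` The comment block starts above the hunk.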