Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Wed, 25 Jun 2014 19:07:42
Message-Id: 1403722753.fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514.swift@gentoo
1 commit: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514
2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
3 AuthorDate: Thu Jun 19 14:48:38 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 25 18:59:13 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fbd16c79
7
8 Always use the unknown permissions handling build option.
9
10 This compile-time feature is in the minimum-required checkpolicy/checkmodule
11 for building the policy, so it should always be used.
12
13 ---
14 Makefile | 2 +-
15 Rules.modular | 5 +----
16 Rules.monolithic | 10 ++--------
17 build.conf | 2 +-
18 4 files changed, 5 insertions(+), 14 deletions(-)
19
20 diff --git a/Makefile b/Makefile
21 index 7e5bf4b..70b213a 100644
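--- a/Makefile
+++ b/Makefile
@@ -209,7 +209,7 @@ endif
 NAME ?= $(TYPE)
 
 # default unknown permissions setting
-#UNK_PERMS ?= deny
+UNK_PERMS ?= deny
 
 ifeq ($(DIRECT_INITRC),y)
 M4PARAM += -D direct_sysadm_daemon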
33
34 diff --git a/Rules.modular b/Rules.modular
35 index b2d2ac4..c3c914a 100644
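--- a/Rules.modular
+++ b/Rules.modular
@@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
 @test -d $(builddir) || mkdir -p $(builddir)
 $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
 
-ifneq "$(UNK_PERMS)" ""
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-endif
 $(base_mod): $(base_conf)
 @echo "Compiling $(NAME) base module"
- $(verbose) $(CHECKMODULE) $^ -o $@
+ $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
 
 $(tmpdir)/seusers: $(seusers)
 @mkdir -p $(tmpdir)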
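Review bot: With the `ifneq "$(UNK_PERMS)" ""` guard removed, an empty UNK_PERMS now reaches the recipe line `$(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@`, where `-U` would presumably take the next word (the policy source) as its argument. The `?=` default in the Makefile only covers an undefined variable, so `UNK_PERMS =` in build.conf or `make UNK_PERMS=` still yields an empty value, and a misspelled value is passed through unchecked. A guard placed next to the default would fail early and keep the unknown-permission handling explicit: `ifeq "$(filter allow deny reject,$(UNK_PERMS))" ""`, `$(error UNK_PERMS must be allow, deny or reject)`, `endif`. The same applies to both `$(CHECKPOLICY) -U $(UNK_PERMS)` lines in Rules.monolithic.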
52
53 diff --git a/Rules.monolithic b/Rules.monolithic
54 index b8d180e..6505550 100644
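--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -63,9 +63,6 @@ resetlabels: $(fcpath)
 #
 # Build a binary policy locally
 #
-ifneq "$(UNK_PERMS)" ""
-$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-endif
 $(polver): $(policy_conf)
 @echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
@@ -73,15 +70,12 @@ ifneq ($(pv),$(kv))
 @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
 @echo
 endif
- $(verbose) $(CHECKPOLICY) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
 
 ########################################
 #
 # Install a binary policy
 #
-ifneq "$(UNK_PERMS)" ""
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-endif
 $(loadpath): $(policy_conf)
 @echo "Compiling and installing $(NAME) $(loadpath)"
 ifneq ($(pv),$(kv))
@@ -90,7 +84,7 @@ ifneq ($(pv),$(kv))
 @echo
 endif
 @$(INSTALL) -d -m 0755 $(@D)
- $(verbose) $(CHECKPOLICY) $^ -o $@
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
 
 ########################################
 #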
93
94 diff --git a/build.conf b/build.conf
95 index 5a521c4..0fffc2a 100644
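--- a/build.conf
+++ b/build.conf
@@ -35,7 +35,7 @@ NAME = refpolicy
 # can either be allowed, denied, or the policy loading
 # can be rejected.
 # allow, deny, and reject are current options.
-#UNK_PERMS = deny
+UNK_PERMS = deny
 
 # Direct admin init
 # Setting this will allow sysadm to directly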
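Review bot: The comment block above `UNK_PERMS = deny` still reads as if the setting were optional, but after this commit the value is always handed to the policy compiler with `-U`. I would add a line such as `# Must not be empty; the value is always passed to checkpolicy/checkmodule with -U.` and note that commenting the line out falls back to the Makefile default of `deny`. The comment block starts above the hunk, so its opening lines are not visible here.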