| 1 |
commit: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514 |
| 2 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Thu Jun 19 14:48:38 2014 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Jun 25 18:59:13 2014 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fbd16c79 |
| 7 |
|
| 8 |
Always use the unknown permissions handling build option. |
| 9 |
|
| 10 |
This compile-time feature is in the minimum-required checkpolicy/checkmodule |
| 11 |
for building the policy, so it should always be used. |
| 12 |
|
| 13 |
--- |
| 14 |
Makefile | 2 +- |
| 15 |
Rules.modular | 5 +---- |
| 16 |
Rules.monolithic | 10 ++-------- |
| 17 |
build.conf | 2 +- |
| 18 |
4 files changed, 5 insertions(+), 14 deletions(-) |
| 19 |
|
| 20 |
diff --git a/Makefile b/Makefile |
| 21 |
index 7e5bf4b..70b213a 100644 |
| 22 |
--- a/Makefile |
| 23 |
+++ b/Makefile |
| 24 |
@@ -209,7 +209,7 @@ endif |
| 25 |
NAME ?= $(TYPE) |
| 26 |
|
| 27 |
# default unknown permissions setting |
| 28 |
-#UNK_PERMS ?= deny |
| 29 |
+UNK_PERMS ?= deny |
| 30 |
|
| 31 |
ifeq ($(DIRECT_INITRC),y) |
| 32 |
M4PARAM += -D direct_sysadm_daemon |
| 33 |
|
| 34 |
diff --git a/Rules.modular b/Rules.modular |
| 35 |
index b2d2ac4..c3c914a 100644 |
| 36 |
--- a/Rules.modular |
| 37 |
+++ b/Rules.modular |
| 38 |
@@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers |
| 39 |
@test -d $(builddir) || mkdir -p $(builddir) |
| 40 |
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers |
| 41 |
|
| 42 |
-ifneq "$(UNK_PERMS)" "" |
| 43 |
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS) |
| 44 |
-endif |
| 45 |
$(base_mod): $(base_conf) |
| 46 |
@echo "Compiling $(NAME) base module" |
| 47 |
- $(verbose) $(CHECKMODULE) $^ -o $@ |
| 48 |
+ $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@ |
| 49 |
|
| 50 |
$(tmpdir)/seusers: $(seusers) |
| 51 |
@mkdir -p $(tmpdir) |
| 52 |
|
| 53 |
diff --git a/Rules.monolithic b/Rules.monolithic |
| 54 |
index b8d180e..6505550 100644 |
| 55 |
--- a/Rules.monolithic |
| 56 |
+++ b/Rules.monolithic |
| 57 |
@@ -63,9 +63,6 @@ resetlabels: $(fcpath) |
| 58 |
# |
| 59 |
# Build a binary policy locally |
| 60 |
# |
| 61 |
-ifneq "$(UNK_PERMS)" "" |
| 62 |
-$(polver): CHECKPOLICY += -U $(UNK_PERMS) |
| 63 |
-endif |
| 64 |
$(polver): $(policy_conf) |
| 65 |
@echo "Compiling $(NAME) $(polver)" |
| 66 |
ifneq ($(pv),$(kv)) |
| 67 |
@@ -73,15 +70,12 @@ ifneq ($(pv),$(kv)) |
| 68 |
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" |
| 69 |
@echo |
| 70 |
endif |
| 71 |
- $(verbose) $(CHECKPOLICY) $^ -o $@ |
| 72 |
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ |
| 73 |
|
| 74 |
######################################## |
| 75 |
# |
| 76 |
# Install a binary policy |
| 77 |
# |
| 78 |
-ifneq "$(UNK_PERMS)" "" |
| 79 |
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) |
| 80 |
-endif |
| 81 |
$(loadpath): $(policy_conf) |
| 82 |
@echo "Compiling and installing $(NAME) $(loadpath)" |
| 83 |
ifneq ($(pv),$(kv)) |
| 84 |
@@ -90,7 +84,7 @@ ifneq ($(pv),$(kv)) |
| 85 |
@echo |
| 86 |
endif |
| 87 |
@$(INSTALL) -d -m 0755 $(@D) |
| 88 |
- $(verbose) $(CHECKPOLICY) $^ -o $@ |
| 89 |
+ $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ |
| 90 |
|
| 91 |
######################################## |
| 92 |
# |
| 93 |
|
| 94 |
diff --git a/build.conf b/build.conf |
| 95 |
index 5a521c4..0fffc2a 100644 |
| 96 |
--- a/build.conf |
| 97 |
+++ b/build.conf |
| 98 |
@@ -35,7 +35,7 @@ NAME = refpolicy |
| 99 |
# can either be allowed, denied, or the policy loading |
| 100 |
# can be rejected. |
| 101 |
# allow, deny, and reject are current options. |
| 102 |
-#UNK_PERMS = deny |
| 103 |
+UNK_PERMS = deny |
| 104 |
|
| 105 |
# Direct admin init |
| 106 |
# Setting this will allow sysadm to directly |
Archives