[selinux-policy: 1814/3172] trunk: Add support for setting the unknown permissions handling.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:41:54 UTC 2010
commit 8acfcbcc2a7c7217b128de88eba5a13ce16bae3a
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Sep 27 13:41:09 2007 +0000
trunk: Add support for setting the unknown permissions handling.
Changelog | 1 +
Makefile | 3 +++
Rules.modular | 3 +++
Rules.monolithic | 6 ++++++
build.conf | 8 ++++++++
5 files changed, 21 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 1908de9..1d9bd96 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add support for setting the unknown permissions handling.
- Fix XML building for external reference builds and headers builds.
- Patch to add missing requirements in userdomain interfaces from Shintaro
Fujiwara.
diff --git a/Makefile b/Makefile
index e0b190a..2708a78 100644
--- a/Makefile
+++ b/Makefile
@@ -201,6 +201,9 @@ endif
# if not set, use the type as the name.
NAME ?= $(TYPE)
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
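Review bot: The comment `# default unknown permissions setting` promises a default, but the assignment under it is commented out, so UNK_PERMS stays empty unless build.conf or the command line sets it, and no `-U` is passed at all. The handling then falls to whatever checkpolicy and checkmodule do without `-U`, which is not visible in this patch. Either enable the line as `UNK_PERMS ?= deny` so the build pins the behaviour, or reword the comment to `# unknown permissions handling; when unset, the policy compiler's built-in default applies`.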
diff --git a/Rules.modular b/Rules.modular
index 4a4ebc5..a63a006 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -96,6 +96,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
$(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
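Review bot: UNK_PERMS reaches `-U` unchecked in the added `ifneq` block, so a misspelt or multi-word value in build.conf surfaces only as a compiler error, or not at all if the tool is lenient about it. Because this value decides how permissions missing from the policy are treated, it is worth rejecting anything but the three documented words at parse time, for example inside the `ifneq`: `$(if $(filter-out allow deny reject,$(UNK_PERMS)),$(error UNK_PERMS must be allow deny or reject))`. The same unchecked use appears in both Rules.monolithic hunks; a single check in the top-level Makefile, presumably after build.conf is included, would cover all three.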
diff --git a/Rules.monolithic b/Rules.monolithic
index c6973fb..d93524e 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -63,6 +63,9 @@ resetlabels: $(fcpath)
#
# Build a binary policy locally
#
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
$(polver): $(policy_conf)
@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
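Review bot: The three-line `ifneq` block is added twice in this file with the same condition, once for `$(polver)` here and again for `$(loadpath)` in the next hunk. A target-specific assignment accepts several targets, so one block with `$(polver) $(loadpath): CHECKPOLICY += -U $(UNK_PERMS)` keeps the two compile paths from drifting apart; a locally built policy and an installed one should not differ in unknown-permission handling. The `ifneq ($(pv),$(kv))` conditional at the end of this hunk continues outside it.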
@@ -76,6 +79,9 @@ endif
#
# Install a binary policy
#
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
$(loadpath): $(policy_conf)
@mkdir -p $(policypath)
@echo "Compiling and installing $(NAME) $(loadpath)"
diff --git a/build.conf b/build.conf
index ba35983..b824ee5 100644
--- a/build.conf
+++ b/build.conf
@@ -31,6 +31,14 @@ NAME = refpolicy
# Fedora users should enable redhat.
#DISTRO = redhat
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+#UNK_PERMS = deny
+
# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requring run_init.
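Review bot: The new comment block lists `allow`, `deny` and `reject` but does not say which one weakens enforcement. With `allow`, permissions the kernel defines and the policy lacks are let through without any rule. I would add a line such as `# allow lets such permissions through unchecked; deny and reject are the conservative choices.` so that a packager choosing a value sees the trade-off next to the knob.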