[selinux-policy: 1814/3172] trunk: Add support for setting the unknown permissions handling.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:41:54 UTC 2010


commit 8acfcbcc2a7c7217b128de88eba5a13ce16bae3a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Sep 27 13:41:09 2007 +0000

    trunk: Add support for setting the unknown permissions handling.

 Changelog        |    1 +
 Makefile         |    3 +++
 Rules.modular    |    3 +++
 Rules.monolithic |    6 ++++++
 build.conf       |    8 ++++++++
 5 files changed, 21 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 1908de9..1d9bd96 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add support for setting the unknown permissions handling.
 - Fix XML building for external reference builds and headers builds.
 - Patch to add missing requirements in userdomain interfaces from Shintaro
   Fujiwara.
diff --git a/Makefile b/Makefile
index e0b190a..2708a78 100644
--- a/Makefile
+++ b/Makefile
@@ -201,6 +201,9 @@ endif
 # if not set, use the type as the name.
 NAME ?= $(TYPE)
 
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
 ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
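Review bot: The comment `# default unknown permissions setting` promises a default, but the assignment under it is commented out, so UNK_PERMS stays empty unless build.conf or the command line sets it. With an empty value, the `ifneq "$(UNK_PERMS)" ""` guards added in Rules.modular and Rules.monolithic skip `-U`, and the policy is built with whatever handling the policy compiler applies on its own. Either enable the line as `UNK_PERMS ?= deny` so the build states its choice, or reword the comment to `# unknown permissions handling; when unset, the policy compiler's default applies`.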
diff --git a/Rules.modular b/Rules.modular
index 4a4ebc5..a63a006 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -96,6 +96,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
 
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
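Review bot: The `-U` flag is attached to `$(base_mod)` with a plain target-specific `+=`, and GNU make ignores such an append when the variable was set on the command line. A build run as `make CHECKMODULE=... UNK_PERMS=reject` would therefore compile the base module without `-U` and without any error. Whether anyone overrides CHECKMODULE that way is not visible here, but a silently dropped handling setting is worth ruling out with `$(base_mod): override CHECKMODULE += -U $(UNK_PERMS)`. The same applies to the `CHECKPOLICY +=` lines added for `$(polver)` and `$(loadpath)` in Rules.monolithic. The `$(base_mod)` recipe may continue past the end of this hunk.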
diff --git a/Rules.monolithic b/Rules.monolithic
index c6973fb..d93524e 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -63,6 +63,9 @@ resetlabels:  $(fcpath)
 #
 # Build a binary policy locally
 #
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(polver): $(policy_conf)
 	@echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
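Review bot: The `ifneq "$(UNK_PERMS)" ""` block is repeated verbatim for `$(polver)` here and for `$(loadpath)` in the next hunk, which makes it easy for a later rule that runs `$(CHECKPOLICY)` to be added without the flag. One conditional naming both targets keeps them in step: `$(polver) $(loadpath): CHECKPOLICY += -U $(UNK_PERMS)`. Whether other rules in this file already invoke CHECKPOLICY cannot be seen from these hunks, so that is worth checking. The `$(polver)` recipe continues outside this hunk.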
@@ -76,6 +79,9 @@ endif
 #
 # Install a binary policy
 #
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(loadpath): $(policy_conf)
 	@mkdir -p $(policypath)
 	@echo "Compiling and installing $(NAME) $(loadpath)"
diff --git a/build.conf b/build.conf
index ba35983..b824ee5 100644
--- a/build.conf
+++ b/build.conf
@@ -31,6 +31,14 @@ NAME = refpolicy
 # Fedora users should enable redhat.
 #DISTRO = redhat
 
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy.  The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+#UNK_PERMS = deny
+
 # Direct admin init
 # Setting this will allow sysadm to directly
 # run init scripts, instead of requring run_init.
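Review bot: The new comment block lists the three values but does not say which one weakens enforcement or what happens when the line stays commented out. Since this is the place a policy builder reads before choosing, I would add after the options line: `# allow grants kernel permissions the policy does not define; deny and reject are the conservative choices.` and `# If unset, no -U is passed and the policy compiler's default is used.` The second sentence matches the `ifneq "$(UNK_PERMS)" ""` guards in Rules.modular and Rules.monolithic.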

