Always use the unknown permissions handling build option.

This compile-time feature is in the minimum-required checkpolicy/checkmodule for building the policy, so it should always be used.
2025-02-03 05:12:01 +00:00 · 2014-06-19 10:48:38 -04:00 · 2014-06-19 10:48:38 -04:00 · cce73689ea
commit cce73689ea
parent 13b837fc15
4 changed files with 5 additions and 14 deletions
--- a/2
+++ b/2
@ -207,7 +207,7 @@ endif
 NAME ?= $(TYPE)

 # default unknown permissions setting
-#UNK_PERMS ?= deny
+UNK_PERMS ?= deny

 ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
--- a/Rules.modular
+++ b/Rules.modular
@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers

-ifneq "$(UNK_PERMS)" ""
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-endif
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
-	$(verbose) $(CHECKMODULE) $^ -o $@
+	$(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@

 $(tmpdir)/seusers: $(seusers)
 	@mkdir -p $(tmpdir)
--- a/Rules.monolithic
+++ b/Rules.monolithic
@ -63,9 +63,6 @@ resetlabels:  $(fcpath)
 #
 # Build a binary policy locally
 #
-ifneq "$(UNK_PERMS)" ""
-$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-endif
 $(polver): $(policy_conf)
 	@echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
@ -73,15 +70,12 @@ ifneq ($(pv),$(kv))
 	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
 	@echo
 endif
-	$(verbose) $(CHECKPOLICY) $^ -o $@
+	$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@

 ########################################
 #
 # Install a binary policy
 #
-ifneq "$(UNK_PERMS)" ""
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-endif
 $(loadpath): $(policy_conf)
 	@echo "Compiling and installing $(NAME) $(loadpath)"
 ifneq ($(pv),$(kv))
@ -90,7 +84,7 @@ ifneq ($(pv),$(kv))
 	@echo
 endif
 	@$(INSTALL) -d -m 0755 $(@D)
-	$(verbose) $(CHECKPOLICY) $^ -o $@
+	$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS)  $^ -o $@

 ########################################
 #
--- a/build.conf
+++ b/build.conf
@ -35,7 +35,7 @@ NAME = refpolicy
 # can either be allowed, denied, or the policy loading
 # can be rejected.
 # allow, deny, and reject are current options.
-#UNK_PERMS = deny
+UNK_PERMS = deny

 # Direct admin init
 # Setting this will allow sysadm to directly