diff --git a/Makefile b/Makefile index e668ece5e..dc32e9a58 100644 --- a/Makefile +++ b/Makefile @@ -207,7 +207,7 @@ endif NAME ?= $(TYPE) # default unknown permissions setting -#UNK_PERMS ?= deny +UNK_PERMS ?= deny ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon diff --git a/Rules.modular b/Rules.modular index b2d2ac438..c3c914a01 100644 --- a/Rules.modular +++ b/Rules.modular @@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers @test -d $(builddir) || mkdir -p $(builddir) $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -ifneq "$(UNK_PERMS)" "" -$(base_mod): CHECKMODULE += -U $(UNK_PERMS) -endif $(base_mod): $(base_conf) @echo "Compiling $(NAME) base module" - $(verbose) $(CHECKMODULE) $^ -o $@ + $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@ $(tmpdir)/seusers: $(seusers) @mkdir -p $(tmpdir) diff --git a/Rules.monolithic b/Rules.monolithic index b8d180e14..6505550d0 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -63,9 +63,6 @@ resetlabels: $(fcpath) # # Build a binary policy locally # -ifneq "$(UNK_PERMS)" "" -$(polver): CHECKPOLICY += -U $(UNK_PERMS) -endif $(polver): $(policy_conf) @echo "Compiling $(NAME) $(polver)" ifneq ($(pv),$(kv)) @@ -73,15 +70,12 @@ ifneq ($(pv),$(kv)) @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo endif - $(verbose) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ ######################################## # # Install a binary policy # -ifneq "$(UNK_PERMS)" "" -$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) -endif $(loadpath): $(policy_conf) @echo "Compiling and installing $(NAME) $(loadpath)" ifneq ($(pv),$(kv)) @@ -90,7 +84,7 @@ ifneq ($(pv),$(kv)) @echo endif @$(INSTALL) -d -m 0755 $(@D) - $(verbose) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ ######################################## # 
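Review bot: With the `ifneq "$(UNK_PERMS)" ""` guard removed, the `$(base_mod)` recipe in Rules.modular and the `$(polver)` and `$(loadpath)` recipes in Rules.monolithic always expand `-U $(UNK_PERMS)`, so an empty value leaves `-U` to take the first prerequisite as its argument. The `?=` default added in the Makefile does not cover that case, because `?=` leaves an already-defined variable alone even when it is empty (for example `UNK_PERMS =` in build.conf or `make UNK_PERMS=`). Since this setting decides how unknown classes and permissions are treated, I would fail at parse time with a clear message rather than rely on the compiler's argument error. After the default in the Makefile, add: `ifeq "$(filter allow deny reject,$(UNK_PERMS))" ""`, then `$(error UNK_PERMS must be allow, deny or reject)`, then `endif`.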
diff --git a/build.conf b/build.conf index 5a521c46b..0fffc2a4d 100644 --- a/build.conf +++ b/build.conf @@ -35,7 +35,7 @@ NAME = refpolicy # can either be allowed, denied, or the policy loading # can be rejected. # allow, deny, and reject are current options. -#UNK_PERMS = deny +UNK_PERMS = deny # Direct admin init # Setting this will allow sysadm to directly
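Review bot: The comment above `UNK_PERMS = deny` still reads as if the setting were optional, but after this commit commenting the line out no longer omits the flag. The build then falls back to the `UNK_PERMS ?= deny` default in the Makefile, presumably because build.conf is read before that default, although the include is not visible here. I would add a comment line such as `# Must be one of the three values; if unset, the Makefile default (deny) is used.` so that someone hardening or relaxing the policy knows which value actually reaches the compiler. The comment block starts above the hunk, so its opening lines are not visible here.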