Always use the unknown permissions handling build option.
This compile-time feature is in the minimum-required checkpolicy/checkmodule for building the policy, so it should always be used.
This commit is contained in:
Chris PeBenito
parent
13b837fc15
commit
cce73689ea
2
Makefile
2
Makefile
|
|
@ -207,7 +207,7 @@ endif
|
||||||
NAME ?= $(TYPE)
|
NAME ?= $(TYPE)
|
||||||
|
|
||||||
# default unknown permissions setting
|
# default unknown permissions setting
|
||||||
#UNK_PERMS ?= deny
|
UNK_PERMS ?= deny
|
||||||
|
|
||||||
ifeq ($(DIRECT_INITRC),y)
|
ifeq ($(DIRECT_INITRC),y)
|
||||||
M4PARAM += -D direct_sysadm_daemon
|
M4PARAM += -D direct_sysadm_daemon
|
||||||
|
|
|
||||||
|
|
@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
||||||
@test -d $(builddir) || mkdir -p $(builddir)
|
@test -d $(builddir) || mkdir -p $(builddir)
|
||||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
||||||
|
|
||||||
ifneq "$(UNK_PERMS)" ""
|
|
||||||
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
|
|
||||||
endif
|
|
||||||
$(base_mod): $(base_conf)
|
$(base_mod): $(base_conf)
|
||||||
@echo "Compiling $(NAME) base module"
|
@echo "Compiling $(NAME) base module"
|
||||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
$(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
|
||||||
|
|
||||||
$(tmpdir)/seusers: $(seusers)
|
$(tmpdir)/seusers: $(seusers)
|
||||||
@mkdir -p $(tmpdir)
|
@mkdir -p $(tmpdir)
|
||||||
|
|
|
||||||
|
|
@ -63,9 +63,6 @@ resetlabels: $(fcpath)
|
||||||
#
|
#
|
||||||
# Build a binary policy locally
|
# Build a binary policy locally
|
||||||
#
|
#
|
||||||
ifneq "$(UNK_PERMS)" ""
|
|
||||||
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
|
|
||||||
endif
|
|
||||||
$(polver): $(policy_conf)
|
$(polver): $(policy_conf)
|
||||||
@echo "Compiling $(NAME) $(polver)"
|
@echo "Compiling $(NAME) $(polver)"
|
||||||
ifneq ($(pv),$(kv))
|
ifneq ($(pv),$(kv))
|
||||||
|
|
@ -73,15 +70,12 @@ ifneq ($(pv),$(kv))
|
||||||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||||
@echo
|
@echo
|
||||||
endif
|
endif
|
||||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Install a binary policy
|
# Install a binary policy
|
||||||
#
|
#
|
||||||
ifneq "$(UNK_PERMS)" ""
|
|
||||||
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
|
|
||||||
endif
|
|
||||||
$(loadpath): $(policy_conf)
|
$(loadpath): $(policy_conf)
|
||||||
@echo "Compiling and installing $(NAME) $(loadpath)"
|
@echo "Compiling and installing $(NAME) $(loadpath)"
|
||||||
ifneq ($(pv),$(kv))
|
ifneq ($(pv),$(kv))
|
||||||
|
|
@ -90,7 +84,7 @@ ifneq ($(pv),$(kv))
|
||||||
@echo
|
@echo
|
||||||
endif
|
endif
|
||||||
@$(INSTALL) -d -m 0755 $(@D)
|
@$(INSTALL) -d -m 0755 $(@D)
|
||||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ NAME = refpolicy
|
||||||
# can either be allowed, denied, or the policy loading
|
# can either be allowed, denied, or the policy loading
|
||||||
# can be rejected.
|
# can be rejected.
|
||||||
# allow, deny, and reject are current options.
|
# allow, deny, and reject are current options.
|
||||||
#UNK_PERMS = deny
|
UNK_PERMS = deny
|
||||||
|
|
||||||
# Direct admin init
|
# Direct admin init
|
||||||
# Setting this will allow sysadm to directly
|
# Setting this will allow sysadm to directly
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue