Always use the unknown permissions handling build option.
This compile-time feature is in the minimum-required checkpolicy/checkmodule for building the policy, so it should always be used.
This commit is contained in:
Chris PeBenito
parent
13b837fc15
commit
cce73689ea
2
Makefile
2
Makefile
|
|
@ -207,7 +207,7 @@ endif
|
|||
NAME ?= $(TYPE)
|
||||
|
||||
# default unknown permissions setting
|
||||
#UNK_PERMS ?= deny
|
||||
UNK_PERMS ?= deny
|
||||
|
||||
ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
|
|
|
|||
|
|
@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
|||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
||||
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(base_mod): $(base_conf)
|
||||
@echo "Compiling $(NAME) base module"
|
||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||
$(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
|
||||
|
||||
$(tmpdir)/seusers: $(seusers)
|
||||
@mkdir -p $(tmpdir)
|
||||
|
|
|
|||
|
|
@ -63,9 +63,6 @@ resetlabels: $(fcpath)
|
|||
#
|
||||
# Build a binary policy locally
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(polver): $(policy_conf)
|
||||
@echo "Compiling $(NAME) $(polver)"
|
||||
ifneq ($(pv),$(kv))
|
||||
|
|
@ -73,15 +70,12 @@ ifneq ($(pv),$(kv))
|
|||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||
@echo
|
||||
endif
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install a binary policy
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(loadpath): $(policy_conf)
|
||||
@echo "Compiling and installing $(NAME) $(loadpath)"
|
||||
ifneq ($(pv),$(kv))
|
||||
|
|
@ -90,7 +84,7 @@ ifneq ($(pv),$(kv))
|
|||
@echo
|
||||
endif
|
||||
@$(INSTALL) -d -m 0755 $(@D)
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ NAME = refpolicy
|
|||
# can either be allowed, denied, or the policy loading
|
||||
# can be rejected.
|
||||
# allow, deny, and reject are current options.
|
||||
#UNK_PERMS = deny
|
||||
UNK_PERMS = deny
|
||||
|
||||
# Direct admin init
|
||||
# Setting this will allow sysadm to directly
|
||||
|
|
|
|||
Loading…
Reference in New Issue