trunk: Add support for setting the unknown permissions handling.

Changelog

@@ -1,3 +1,4 @@
+- Add support for setting the unknown permissions handling.
 - Fix XML building for external reference builds and headers builds.
 - Patch to add missing requirements in userdomain interfaces from Shintaro
   Fujiwara.

Makefile

@@ -201,6 +201,9 @@ endif
 # if not set, use the type as the name.
 NAME ?= $(TYPE)
 
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
 ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif

Rules.modular

@@ -96,6 +96,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
 
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@

Rules.monolithic

@@ -63,6 +63,9 @@ resetlabels:  $(fcpath)
 #
 # Build a binary policy locally
 #
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(polver): $(policy_conf)
 	@echo "Compiling $(NAME) $(polver)"
 ifneq ($(pv),$(kv))
@@ -76,6 +79,9 @@ endif
 #
 # Install a binary policy
 #
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
 $(loadpath): $(policy_conf)
 	@mkdir -p $(policypath)
 	@echo "Compiling and installing $(NAME) $(loadpath)"

build.conf

@@ -31,6 +31,14 @@ NAME = refpolicy
 # Fedora users should enable redhat.
 #DISTRO = redhat
 
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy.  The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+#UNK_PERMS = deny
+
 # Direct admin init
 # Setting this will allow sysadm to directly
 # run init scripts, instead of requring run_init.