diff --git a/Changelog b/Changelog index 1908de9d1..1d9bd9675 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Add support for setting the unknown permissions handling. - Fix XML building for external reference builds and headers builds. - Patch to add missing requirements in userdomain interfaces from Shintaro Fujiwara. diff --git a/Makefile b/Makefile index e0b190a4b..2708a7829 100644 --- a/Makefile +++ b/Makefile @@ -201,6 +201,9 @@ endif # if not set, use the type as the name. NAME ?= $(TYPE) +# default unknown permissions setting +#UNK_PERMS ?= deny + ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif diff --git a/Rules.modular b/Rules.modular index 4a4ebc56a..a63a00617 100644 --- a/Rules.modular +++ b/Rules.modular @@ -96,6 +96,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers @test -d $(builddir) || mkdir -p $(builddir) $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers +ifneq "$(UNK_PERMS)" "" +$(base_mod): CHECKMODULE += -U $(UNK_PERMS) +endif $(base_mod): $(base_conf) @echo "Compiling $(NAME) base module" $(verbose) $(CHECKMODULE) $^ -o $@ diff --git a/Rules.monolithic b/Rules.monolithic index c6973fbc5..d93524ea9 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -63,6 +63,9 @@ resetlabels: $(fcpath) # # Build a binary policy locally # +ifneq "$(UNK_PERMS)" "" +$(polver): CHECKPOLICY += -U $(UNK_PERMS) +endif $(polver): $(policy_conf) @echo "Compiling $(NAME) $(polver)" ifneq ($(pv),$(kv)) @@ -76,6 +79,9 @@ endif # # Install a binary policy # +ifneq "$(UNK_PERMS)" "" +$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) +endif $(loadpath): $(policy_conf) @mkdir -p $(policypath) @echo "Compiling and installing $(NAME) $(loadpath)" diff --git a/build.conf b/build.conf index ba35983a7..b824ee505 100644 --- a/build.conf +++ b/build.conf @@ -31,6 +31,14 @@ NAME = refpolicy # Fedora users should enable redhat. #DISTRO = redhat +# Unknown Permissions Handling +# The behavior for handling permissions defined in the +# kernel but missing from the policy. The permissions +# can either be allowed, denied, or the policy loading +# can be rejected. +# allow, deny, and reject are current options. +#UNK_PERMS = deny + # Direct admin init # Setting this will allow sysadm to directly # run init scripts, instead of requring run_init.