From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1403722753.fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: Makefile Rules.modular Rules.monolithic build.conf
X-VCS-Directories: /
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514
X-VCS-Branch: master
Date: Wed, 25 Jun 2014 19:06:46 +0000 (UTC)

commit: fbd16c79b07f6bc3fa4b7555d395d9eb8f2d0514
Author: Chris PeBenito tresys com>
AuthorDate: Thu Jun 19 14:48:38 2014 +0000
Commit: Sven Vermeulen gentoo org>
CommitDate: Wed Jun 25 18:59:13 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fbd16c79

Always use the unknown permissions handling build option.

This compile-time feature is in the minimum-required checkpolicy/checkmodule for building the policy, so it should always be used.

--- Makefile | 2 +- Rules.modular | 5 +---- Rules.monolithic | 10 ++-------- build.conf | 2 +- 4 files changed, 5 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 7e5bf4b..70b213a 100644 --- a/Makefile +++ b/Makefile @@ -209,7 +209,7 @@ endif NAME ?= $(TYPE) # default unknown permissions setting -#UNK_PERMS ?= deny +UNK_PERMS ?= deny ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon diff --git a/Rules.modular b/Rules.modular index b2d2ac4..c3c914a 100644 --- a/Rules.modular +++ b/Rules.modular 
@@ -94,12 +94,9 @@ $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers @test -d $(builddir) || mkdir -p $(builddir) $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -ifneq "$(UNK_PERMS)" "" -$(base_mod): CHECKMODULE += -U $(UNK_PERMS) -endif $(base_mod): $(base_conf) @echo "Compiling $(NAME) base module" - $(verbose) $(CHECKMODULE) $^ -o $@ + $(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@ $(tmpdir)/seusers: $(seusers) @mkdir -p $(tmpdir) diff --git a/Rules.monolithic b/Rules.monolithic index b8d180e..6505550 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -63,9 +63,6 @@ resetlabels: $(fcpath) # # Build a binary policy locally # -ifneq "$(UNK_PERMS)" "" -$(polver): CHECKPOLICY += -U $(UNK_PERMS) -endif $(polver): $(policy_conf) @echo "Compiling $(NAME) $(polver)" ifneq ($(pv),$(kv)) @@ -73,15 +70,12 @@ ifneq ($(pv),$(kv)) @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo endif - $(verbose) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ ######################################## # # Install a binary policy # -ifneq "$(UNK_PERMS)" "" -$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) -endif $(loadpath): $(policy_conf) @echo "Compiling and installing $(NAME) $(loadpath)" ifneq ($(pv),$(kv)) @@ -90,7 +84,7 @@ ifneq ($(pv),$(kv)) @echo endif @$(INSTALL) -d -m 0755 $(@D) - $(verbose) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ ######################################## # diff --git a/build.conf b/build.conf index 5a521c4..0fffc2a 100644 --- a/build.conf +++ b/build.conf @@ -35,7 +35,7 @@ NAME = refpolicy # can either be allowed, denied, or the policy loading # can be rejected. # allow, deny, and reject are current options. -#UNK_PERMS = deny +UNK_PERMS = deny # Direct admin init # Setting this will allow sysadm to directly
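Review bot: In the Rules.modular hunk, the `$(base_mod)` recipe now passes `-U $(UNK_PERMS)` with no guard, and the removed `ifneq "$(UNK_PERMS)" ""` block was the only handling of an empty value. `UNK_PERMS ?= deny` in the Makefile assigns only when the variable is undefined, so a defined-but-empty value (for example `make UNK_PERMS=`, or `UNK_PERMS =` left blank in build.conf) expands the recipe to `$(CHECKMODULE) -U $^ -o $@`, and `-U` then takes the next word, the input file, as its argument. Suggest failing early when the value is not one of the options build.conf lists, for instance `ifeq "$(filter allow deny reject,$(UNK_PERMS))" ""` followed by `$(error UNK_PERMS must be allow, deny or reject)`.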
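Review bot: In the Rules.monolithic hunks, `-U $(UNK_PERMS)` is now written out separately in the `$(polver)` and `$(loadpath)` recipes, so a later change to one `$(CHECKPOLICY)` line can leave the locally built and the installed policy compiled with different unknown-permission handling. Since the flag is meant to apply to every compile, consider appending it once where `CHECKPOLICY` is defined (an unconditional `CHECKPOLICY += -U $(UNK_PERMS)`) and leaving both recipe lines as `$(CHECKPOLICY) $^ -o $@`. The same empty-value concern raised for Rules.modular applies to both recipes here.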
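Review bot: In the build.conf hunk, the comment above `UNK_PERMS = deny` still reads as if the setting were optional, while the Rules changes make a valid value mandatory. Suggest extending the comment to say that the value must be one of allow, deny or reject, and that removing the line falls back to the `UNK_PERMS ?= deny` default in the Makefile. That also explains to readers why the default is now stated in both files.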