author | Jason Zaman <perfinion@gentoo.org> | 2019-12-16 20:23:23 +0800 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2019-12-21 22:00:44 +0800 |
commit | da8b7c85dee97c773d1595d2f4e41e4426ca8b13 (patch) | |
tree | 77ed326c12b88bc305ec2f959a8a3f3f3b4d74e2 /sec-policy | |
parent | sys-apps/policycoreutils: Add support for /usr-merge (diff) | |
sec-policy/selinux-base: Add unknown-perms policy capability
Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'sec-policy')
-rw-r--r-- | sec-policy/selinux-base/metadata.xml | 1 | ||||
-rw-r--r-- | sec-policy/selinux-base/selinux-base-9999.ebuild | 15 |
2 files changed, 7 insertions, 9 deletions
diff --git a/sec-policy/selinux-base/metadata.xml b/sec-policy/selinux-base/metadata.xml
index 16f3d9c00e66..cf565be6f044 100644
--- a/sec-policy/selinux-base/metadata.xml
+++ b/sec-policy/selinux-base/metadata.xml
@@ -14,5 +14,6 @@
 <flag name="open_perms">Enable the open permissions for file object classes (SELinux policy capability).</flag>
 <flag name="ubac">Enable User Based Access Control (UBAC) in the SELinux policy</flag>
 <flag name="unconfined">Enable support for the unconfined SELinux module</flag>
+ <flag name="unknown-perms">Default allow unknown classes in kernels newer than the policy (SELinux policy capability).</flag>
 </use>
 </pkgmetadata>
diff --git a/sec-policy/selinux-base/selinux-base-9999.ebuild b/sec-policy/selinux-base/selinux-base-9999.ebuild
index 16ee9f2b2abb..5342853efec5 100644
--- a/sec-policy/selinux-base/selinux-base-9999.ebuild
+++ b/sec-policy/selinux-base/selinux-base-9999.ebuild
@@ -16,7 +16,7 @@ else
 KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
 fi
-IUSE="doc +open_perms +peer_perms systemd +ubac +unconfined"
+IUSE="doc +unknown-perms systemd +ubac +unconfined"
 DESCRIPTION="Gentoo base policy for SELinux"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -48,14 +48,11 @@ src_configure() {
 # Update the SELinux refpolicy capabilities based on the users' USE flags.
- if ! use peer_perms; then
- sed -i -e '/network_peer_controls/d' \
- "${S}/refpolicy/policy/policy_capabilities" || die
- fi
-
- if ! use open_perms; then
- sed -i -e '/open_perms/d' \
- "${S}/refpolicy/policy/policy_capabilities" || die
+ if use unknown-perms; then
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
+ || die "Failed to allow Unknown Permissions Handling"
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
+ || die "Failed to allow Unknown Permissions Handling"
 fi
 if ! use ubac; then
 |
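Review bot: The two `sed` substitutions in the src_configure() hunk only fail when sed itself errors, so if either file no longer carries a `deny` on its `UNK_PERMS` line (already `allow`, or changed upstream) the build silently proceeds with unknown-permission handling unchanged and the `die "Failed to allow Unknown Permissions Handling"` message never fires. Verify the result after each edit, e.g. `grep -q '^UNK_PERMS.*allow' "${S}/refpolicy/build.conf" || die "UNK_PERMS not switched to allow"` and the same line for `"${S}/refpolicy/Makefile"`. Because the IUSE hunk above enables `+unknown-perms` by default, the policy as shipped now permits rather than denies object classes and permissions it does not define on a newer kernel (the files being edited default to `deny`), so a comment above the `if use unknown-perms` block such as `# UNK_PERMS=allow: kernel grants classes/permissions unknown to this policy instead of denying them` would make that trade-off visible to anyone editing the ebuild. The same IUSE hunk also drops `+open_perms +peer_perms`, which with the removed sed lines means those two capabilities are now always kept; that is not stated in the commit title and deserves a mention in the message. src_configure() begins and ends outside this hunk.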