[gentoo-commits] repo/gentoo:master commit in: sec-policy/selinux-base/

[Jason Zaman]

commit:     da8b7c85dee97c773d1595d2f4e41e4426ca8b13
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 16 12:23:23 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Dec 21 14:00:44 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da8b7c85

sec-policy/selinux-base: Add unknown-perms policy capability

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 sec-policy/selinux-base/metadata.xml             |  1 +
 sec-policy/selinux-base/selinux-base-9999.ebuild | 15 ++++++---------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/sec-policy/selinux-base/metadata.xml 
b/sec-policy/selinux-base/metadata.xml
index 16f3d9c00e6..cf565be6f04 100644
--- a/sec-policy/selinux-base/metadata.xml
+++ b/sec-policy/selinux-base/metadata.xml
@@ -14,5 +14,6 @@
                <flag name="open_perms">Enable the open permissions for file 
object classes (SELinux policy capability).</flag>
                <flag name="ubac">Enable User Based Access Control (UBAC) in 
the SELinux policy</flag>
                <flag name="unconfined">Enable support for the unconfined 
SELinux module</flag>
+               <flag name="unknown-perms">Default allow unknown classes in 
kernels newer than the policy (SELinux policy capability).</flag>
        </use>
 </pkgmetadata>

diff --git a/sec-policy/selinux-base/selinux-base-9999.ebuild 
b/sec-policy/selinux-base/selinux-base-9999.ebuild
index 16ee9f2b2ab..5342853efec 100644
--- a/sec-policy/selinux-base/selinux-base-9999.ebuild
+++ b/sec-policy/selinux-base/selinux-base-9999.ebuild
@@ -16,7 +16,7 @@ else
        KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
 fi
 
-IUSE="doc +open_perms +peer_perms systemd +ubac +unconfined"
+IUSE="doc +unknown-perms systemd +ubac +unconfined"
 
 DESCRIPTION="Gentoo base policy for SELinux"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux";
@@ -48,14 +48,11 @@ src_configure() {
 
        # Update the SELinux refpolicy capabilities based on the users' USE 
flags.
 
-       if ! use peer_perms; then
-               sed -i -e '/network_peer_controls/d' \
-                       "${S}/refpolicy/policy/policy_capabilities" || die
-       fi
-
-       if ! use open_perms; then
-               sed -i -e '/open_perms/d' \
-                       "${S}/refpolicy/policy/policy_capabilities" || die
+       if use unknown-perms; then
+               sed -i -e '/^UNK_PERMS/s/deny/allow/' 
"${S}/refpolicy/build.conf" \
+                       || die "Failed to allow Unknown Permissions Handling"
+               sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" 
\
+                       || die "Failed to allow Unknown Permissions Handling"
        fi
 
        if ! use ubac; then