rpms/selinux-policy/F-8 policy-20070703.patch,1.234,1.235

Daniel J Walsh dwalsh at fedoraproject.org
Tue Dec 9 19:33:49 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31032

Modified Files:
	policy-20070703.patch 
Log Message:
* Thu Nov 13 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-127
- Add pki policy


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.234
retrieving revision 1.235
diff -u -r1.234 -r1.235
--- policy-20070703.patch	13 Nov 2008 23:22:18 -0000	1.234
+++ policy-20070703.patch	9 Dec 2008 19:33:46 -0000	1.235
@@ -1,55 +1,3 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
---- nsaserefpolicy/Rules.modular	2008-06-12 23:37:58.000000000 -0400
-+++ serefpolicy-3.0.8/Rules.modular	2008-10-20 16:22:16.000000000 -0400
-@@ -96,6 +96,9 @@
- 	@test -d $(builddir) || mkdir -p $(builddir)
- 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
- 
-+ifneq "$(UNK_PERMS)" ""
-+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-+endif
- $(base_mod): $(base_conf)
- 	@echo "Compiling $(NAME) base module"
- 	$(verbose) $(CHECKMODULE) $^ -o $@
-@@ -144,6 +147,7 @@
- 
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
-+	$(verbose) echo "" > $@
- 	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2008-06-12 23:37:58.000000000 -0400
-+++ serefpolicy-3.0.8/Rules.monolithic	2008-10-20 16:22:16.000000000 -0400
-@@ -63,6 +63,9 @@
- #
- # Build a binary policy locally
- #
-+ifneq "$(UNK_PERMS)" ""
-+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-+endif
- $(polver): $(policy_conf)
- 	@echo "Compiling $(NAME) $(polver)"
- ifneq ($(pv),$(kv))
-@@ -76,6 +79,9 @@
- #
- # Install a binary policy
- #
-+ifneq "$(UNK_PERMS)" ""
-+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-+endif
- $(loadpath): $(policy_conf)
- 	@mkdir -p $(policypath)
- 	@echo "Compiling and installing $(NAME) $(loadpath)"
-@@ -127,6 +133,7 @@
- 	@echo "divert" >> $@
- 
- $(tmpdir)/rolemap.conf: $(rolemap)
-+	$(verbose) echo "" > $@
- 	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.0.8/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2008-06-12 23:37:54.000000000 -0400
 +++ serefpolicy-3.0.8/config/appconfig-mcs/default_contexts	2008-10-20 16:22:16.000000000 -0400
@@ -144,6 +92,12 @@
 +staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
 +sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
 +sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
+--- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-06-12 23:37:54.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context	2008-10-20 16:22:16.000000000 -0400
+@@ -1 +1 @@
+-system_u:sysadm_r:sysadm_t:s0
++system_u:system_r:unconfined_t:s0	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts	2008-10-20 16:22:16.000000000 -0400
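Review bot: The added `userhelper_context` entry switches the context from `system_u:sysadm_r:sysadm_t:s0` to `system_u:system_r:unconfined_t:s0` and ends in a stray tab, and the log message gives no reason for the change. Programs started through userhelper would then run unconfined instead of in the administrator domain. The entry presumably only resolves when the unconfined module is part of the built policy, so both points are worth recording in the package changelog. I would also write the line without the trailing whitespace: `system_u:system_r:unconfined_t:s0`.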
@@ -155,12 +109,6 @@
 +system_r:xdm_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
 +user_r:user_su_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
 +user_r:user_sudo_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
---- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2008-06-12 23:37:54.000000000 -0400
-+++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context	2008-10-20 16:22:16.000000000 -0400
-@@ -1 +1 @@
--system_u:sysadm_r:sysadm_t:s0
-+system_u:system_r:unconfined_t:s0	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts	2008-10-20 16:22:16.000000000 -0400
@@ -2487,6 +2435,80 @@
  
  userdom_use_all_users_fds(rpm_script_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:37:55.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/sudo.if	2008-10-20 16:22:16.000000000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,7 +68,6 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+ 	allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ 	# Enter this derived domain from the user domain
+@@ -76,6 +75,7 @@
+ 
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t,$2)
++	corecmd_bin_domtrans($1_sudo_t,$2)
+ 	allow $2 $1_sudo_t:fd use;
+ 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $2 $1_sudo_t:process sigchld;
+@@ -89,9 +89,11 @@
+ 	fs_search_auto_mountpoints($1_sudo_t)
+ 	fs_getattr_xattr_fs($1_sudo_t)
+ 
+-	auth_domtrans_chk_passwd($1_sudo_t)
++	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
++	auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ 	# sudo stores a token in the pam_pid directory
+ 	auth_manage_pam_pid($1_sudo_t)
++	auth_search_key($1_sudo_t)
+ 
+ 	corecmd_read_bin_symlinks($1_sudo_t)
+ 	corecmd_getattr_all_executables($1_sudo_t)
+@@ -106,18 +108,21 @@
+ 	files_getattr_usr_files($1_sudo_t)
+ 	# for some PAM modules and for cwd
+ 	files_dontaudit_search_home($1_sudo_t)
++	files_list_tmp($1_sudo_t)
+ 
+ 	init_rw_utmp($1_sudo_t)
+ 
+ 	libs_use_ld_so($1_sudo_t)
+ 	libs_use_shared_libs($1_sudo_t)
+ 
++	logging_send_audit_msgs($1_sudo_t)
+ 	logging_send_syslog_msg($1_sudo_t)
+ 
+ 	miscfiles_read_localization($1_sudo_t)
+ 
+ 	userdom_manage_user_home_content_files($1,$1_sudo_t)
+ 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
++
+ 	userdom_manage_user_tmp_files($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
+ 	userdom_use_user_terminals($1,$1_sudo_t)
+@@ -126,6 +131,10 @@
+ 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+ 
+ 	optional_policy(`
++		locallogin_search_keys($1_sudo_t)
++	')
++
++	optional_policy(`
+ 		nis_use_ypbind($1_sudo_t)
+ 	')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.8/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2008-06-12 23:37:55.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/su.if	2008-10-20 16:22:16.000000000 -0400
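Review bot: The added `auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })` and `auth_run_upd_passwd(...)` calls read a third template argument, but the template's parameter documentation and its callers are outside this hunk, so it cannot be confirmed here that every caller passes a role as `$3`. The header comment of the template should gain a matching third `<param>` entry describing the role. The same section adds `sys_nice` to `self:capability` and a new `corecmd_bin_domtrans($1_sudo_t,$2)` with no explanation. A short why-comment on each, for example `# sys_nice: presumably for PAM limit handling - confirm`, would let a later reviewer judge whether the grant is still needed.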
@@ -2585,80 +2607,6 @@
  	ifdef(`TODO',`
  	allow $1_su_t $1_home_t:file manage_file_perms;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:37:55.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/sudo.if	2008-10-20 16:22:16.000000000 -0400
-@@ -55,7 +55,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -68,7 +68,6 @@
- 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- 	allow $1_sudo_t self:unix_dgram_socket sendto;
- 	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
- 	allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
- 
- 	# Enter this derived domain from the user domain
-@@ -76,6 +75,7 @@
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t,$2)
-+	corecmd_bin_domtrans($1_sudo_t,$2)
- 	allow $2 $1_sudo_t:fd use;
- 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $2 $1_sudo_t:process sigchld;
-@@ -89,9 +89,11 @@
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
-+	auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
-+	auth_search_key($1_sudo_t)
- 
- 	corecmd_read_bin_symlinks($1_sudo_t)
- 	corecmd_getattr_all_executables($1_sudo_t)
-@@ -106,18 +108,21 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
- 	libs_use_ld_so($1_sudo_t)
- 	libs_use_shared_libs($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
- 	userdom_manage_user_home_content_files($1,$1_sudo_t)
- 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
-+
- 	userdom_manage_user_tmp_files($1,$1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
- 	userdom_use_user_terminals($1,$1_sudo_t)
-@@ -126,6 +131,10 @@
- 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- 
- 	optional_policy(`
-+		locallogin_search_keys($1_sudo_t)
-+	')
-+
-+	optional_policy(`
- 		nis_use_ypbind($1_sudo_t)
- 	')
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:37:55.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te	2008-10-20 16:22:16.000000000 -0400
@@ -14053,7 +14001,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-11-03 15:38:58.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-12-02 11:34:41.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(networkmanager,1.7.1)
@@ -14157,7 +14105,7 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -98,26 +128,40 @@
+@@ -98,26 +128,39 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -14184,7 +14132,6 @@
  # Read gnome-keyring
  userdom_read_unpriv_users_home_content_files(NetworkManager_t)
 +userdom_unpriv_users_stream_connect(NetworkManager_t)
-+
 +userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
 +
 +cron_read_system_job_lib_files(NetworkManager_t)
@@ -14205,7 +14152,7 @@
  ')
  
  optional_policy(`
-@@ -129,15 +173,19 @@
+@@ -129,15 +172,19 @@
  ')
  
  optional_policy(`
@@ -14234,7 +14181,7 @@
  ')
  
  optional_policy(`
-@@ -145,39 +193,86 @@
+@@ -145,39 +192,86 @@
  ')
  
  optional_policy(`
@@ -18752,6 +18699,32 @@
 -allow rlogind_t userpty_type:chr_file setattr;
 +	kerberos_manage_host_rcache(rlogind_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2008-10-20 16:22:16.000000000 -0400
+@@ -21,11 +21,13 @@
+ # rpcbind local policy
+ #
+ 
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +39,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+ 
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2008-10-20 16:22:16.000000000 -0400
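Review bot: The comment `# BROKEN ...` above `dontaudit rpcbind_t self:udp_socket listen;` does not say what is broken, so nobody can tell later when the rule may be dropped, and the dontaudit keeps that denial out of the audit log in the meantime. I would replace it with something like `# rpcbind calls listen() on its UDP socket; silence the AVC until the daemon is fixed`, with the wording confirmed against the actual bug. The same section widens `self:capability` from `setuid` to `{ dac_override setuid sys_tty_config }` without comment. `dac_override` lets the daemon bypass file permission checks, so a note naming the file access that needs it would make it possible to narrow the grant later.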
@@ -18887,32 +18860,6 @@
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te	2008-10-20 16:22:16.000000000 -0400
-@@ -21,11 +21,13 @@
- # rpcbind local policy
- #
- 
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
- 
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +39,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
- 
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- 
- corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2008-10-20 16:22:16.000000000 -0400
@@ -29721,6 +29668,58 @@
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
+--- nsaserefpolicy/Rules.modular	2008-06-12 23:37:58.000000000 -0400
++++ serefpolicy-3.0.8/Rules.modular	2008-10-20 16:22:16.000000000 -0400
+@@ -96,6 +96,9 @@
+ 	@test -d $(builddir) || mkdir -p $(builddir)
+ 	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+ 
++ifneq "$(UNK_PERMS)" ""
++$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
++endif
+ $(base_mod): $(base_conf)
+ 	@echo "Compiling $(NAME) base module"
+ 	$(verbose) $(CHECKMODULE) $^ -o $@
+@@ -144,6 +147,7 @@
+ 
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
++	$(verbose) echo "" > $@
+ 	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2008-06-12 23:37:58.000000000 -0400
++++ serefpolicy-3.0.8/Rules.monolithic	2008-10-20 16:22:16.000000000 -0400
+@@ -63,6 +63,9 @@
+ #
+ # Build a binary policy locally
+ #
++ifneq "$(UNK_PERMS)" ""
++$(polver): CHECKPOLICY += -U $(UNK_PERMS)
++endif
+ $(polver): $(policy_conf)
+ 	@echo "Compiling $(NAME) $(polver)"
+ ifneq ($(pv),$(kv))
+@@ -76,6 +79,9 @@
+ #
+ # Install a binary policy
+ #
++ifneq "$(UNK_PERMS)" ""
++$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
++endif
+ $(loadpath): $(policy_conf)
+ 	@mkdir -p $(policypath)
+ 	@echo "Compiling and installing $(NAME) $(loadpath)"
+@@ -127,6 +133,7 @@
+ 	@echo "divert" >> $@
+ 
+ $(tmpdir)/rolemap.conf: $(rolemap)
++	$(verbose) echo "" > $@
+ 	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.8/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2008-06-12 23:37:58.000000000 -0400
 +++ serefpolicy-3.0.8/support/Makefile.devel	2008-10-20 16:22:16.000000000 -0400
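Review bot: `UNK_PERMS` is handed straight to `-U` in the three added `ifneq "$(UNK_PERMS)" ""` blocks (for `$(base_mod)`, `$(polver)` and `$(loadpath)`) with no statement of the accepted values. Its definition is outside this hunk. Since the setting decides how the kernel treats permissions missing from the policy, I would add a comment at the first block such as `# UNK_PERMS: deny, reject or allow (checkpolicy/checkmodule -U); allow permits permissions the policy does not define`. Separately, the added `$(verbose) echo "" > $@` in both `$(tmpdir)/rolemap.conf` rules creates the target before `parse-rolemap` runs. If that step fails, a near-empty file newer than `$(rolemap)` may be left behind and treated as up to date, unless `.DELETE_ON_ERROR:` is set somewhere outside this hunk.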



