On 6/20/16 9:04 AM, Daniel De Graaf wrote:
> When an unknown domctl, sysctl, or other operation is encountered in the
> FLASK security server, use the allow_unknown bit in the security policy
> to decide if the permission should be allowed or denied. This allows
> new operations to be tested without needing to immediately add security
> checks; however, it is not flexible enough to avoid adding the actual
> permission checks. An error message is printed to the hypervisor
> console when this fallback is encountered.
>
> This patch will allow operations that are not handled by the existing
> hooks only if the policy was compiled with "checkpolicy -U allow". In
> previous releases, this bit did nothing, and the default remains to deny
> the unknown operations.
>
> Signed-off-by: Daniel De Graaf

Reviewed-by: Doug Goldstein

-- 
Doug Goldstein