author | Austin Seipp <aseipp@pobox.com> | 2015-04-13 17:11:29 -0500 |
---|---|---|
committer | Austin Seipp <aseipp@pobox.com> | 2015-04-13 17:11:29 -0500 |
commit | 8d3b8d0dc8b6fa5f29eb417676706d83099a3ae2 (patch) | |
tree | 4ee97072c7972b11b52cb90f32d32d9e507947c7 /nixos/modules | |
parent | b86f6a3ed6d4acf5e50411502efb9260c490bb0e (diff) | |
parent | 3e847d512d9ab1c27f07b3a2bb531a3a324ad4fc (diff) | |
Merge pull request #7149 from joachifm/grsec-gradm-optional
grsecurity module: configure gradm iff RBAC is enabled
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 25 |
1 files changed, 12 insertions, 13 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index f305d8f523b5..b116d8bfef28 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -276,22 +276,21 @@ in
 # };
 # };
- system.activationScripts.grsec =
- ''
- mkdir -p /etc/grsec
- if [ ! -f /etc/grsec/learn_config ]; then
- cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
- fi
- if [ ! -f /etc/grsec/policy ]; then
- cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
- fi
- chmod -R 0600 /etc/grsec
- '';
+ system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = ''
+ mkdir -p /etc/grsec
+ if [ ! -f /etc/grsec/learn_config ]; then
+ cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
+ fi
+ if [ ! -f /etc/grsec/policy ]; then
+ cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
+ fi
+ chmod -R 0600 /etc/grsec
+ ''; };
 # Enable AppArmor, gradm udev rules, and utilities
 security.apparmor.enable = true;
 boot.kernelPackages = customGrsecPkg;
- services.udev.packages = [ pkgs.gradm ];
- environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
+ services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
+ environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
 };
 } |
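Review bot: The re-indented `grsec` activation script still tightens permissions only at the end with `chmod -R 0600 /etc/grsec`, which also sets the directory itself to 0600 (no search bit) and leaves the directory and the copied files at their default creation modes until that last line runs. The exposure is probably small, since the copied files are package defaults, but creating them with the intended mode is more robust: `install -d -m 0700 /etc/grsec` in place of `mkdir -p`, and `install -m 0600 ${pkgs.gradm}/etc/grsec/policy /etc/grsec/policy` (likewise for `learn_config`) in place of the `cp` calls. The recursive chmod could then become `chmod -R u=rwX,go= /etc/grsec`, so the directory keeps its search bit and traversal does not depend on root's DAC override. The context comment `# Enable AppArmor, gradm udev rules, and utilities` is also worth updating, since the gradm parts are now conditional on `!cfg.config.disableRBAC`; the enclosing attribute set starts outside this hunk.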