1) Reference Policy make targets:

General Make targets:

install-src             Install the policy sources into
                        /etc/selinux/NAME/src/policy, where NAME is defined in
                        the Makefile. If not defined, the TYPE, as defined in
                        the Makefile, is used. The default NAME is refpolicy.
                        A pre-existing source policy will be moved to
                        /etc/selinux/NAME/src/policy.bak.

conf                    Regenerate policy.xml, and update/create modules.conf
                        and booleans.conf. This should be done after adding
                        or removing modules, or after running the bare target.
                        If the configuration files exist, their settings will
                        be preserved. This must be run on policy sources that
                        are checked out from the CVS repository before they can
                        be used.

clean                   Delete all temporary files, compiled policies,
                        and file_contexts. Configuration files are left intact.

bare                    Do the clean make target and also delete configuration
                        files, web page documentation, and policy.xml.

html                    Regenerate policy.xml and create web page documentation
                        in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base                    Compile and package the base module. This is the
                        default target for modular policies.

modules                 Compile and package all Reference Policy modules
                        configured to be built as loadable modules.

MODULENAME.pp           Compile and package the MODULENAME Reference Policy
                        module.

all                     Compile and package the base module and all Reference
                        Policy modules configured to be built as loadable
                        modules.

install                 Compile, package, and install the base module and
                        Reference Policy modules configured to be built as
                        loadable modules.

load                    Compile, package, and install the base module and
                        Reference Policy modules configured to be built as
                        loadable modules, then insert them into the module
                        store.

validate                Validate whether the configured modules can
                        successfully link and expand.

install-headers         Install the policy headers into /usr/share/selinux/NAME.
                        The headers are sufficient for building a policy
                        module locally, without requiring the complete
                        Reference Policy sources. The build.conf settings
                        for this policy configuration should be set before
                        using this target.

Make targets specific to monolithic policies:

policy                  Compile a policy locally for development and testing.
                        This is the default target for monolithic policies.

install                 Compile and install the policy and file contexts.

load                    Compile and install the policy and file contexts, then
                        load the policy.

enableaudit             Remove all dontaudit rules from policy.conf.

relabel                 Relabel the filesystem.

checklabels             Check the labels on the filesystem, and report when
                        a file would be relabeled, but do not change its label.

restorelabels           Relabel the filesystem and report each file that is
                        relabeled.

2) Reference Policy Build Options (build.conf)

TYPE                    String. Available options are standard, mls, and mcs.
                        For a type-enforcement-only system, set standard.
                        This optionally enables multi-level security (MLS) or
                        multi-category security (MCS) features. This option
                        controls the enable_mls and enable_mcs policy blocks.

NAME                    String (optional). Sets the name of the policy; the
                        NAME is used when installing files to, e.g.,
                        /etc/selinux/NAME and /usr/share/selinux/NAME. If not
                        set, the policy type (TYPE) is used.

DISTRO                  String (optional). Enable distribution-specific policy.
                        Available options are redhat, rhel4, gentoo, debian,
                        and suse. This option controls the distro_redhat,
                        distro_rhel4, distro_gentoo, distro_debian, and
                        distro_suse policy blocks.

MONOLITHIC              Boolean. If set, a monolithic policy is built;
                        otherwise a modular policy is built.

DIRECT_INITRC           Boolean. If set, sysadm will be allowed to directly
                        run init scripts, instead of requiring the run_init
                        tool. This is a build option instead of a tunable since
                        role transitions do not work in conditional policy.
                        This option controls the direct_sysadm_daemon policy
                        blocks.

OUTPUT_POLICY           Integer. Set the version of the policy created when
                        building a monolithic policy. This option has no effect
                        on modular policy.

UNK_PERMS               String. Set the kernel behavior for handling of
                        permissions defined in the kernel but missing from the
                        policy. The permissions can either be allowed or
                        denied, or the policy loading can be rejected.

UBAC                    Boolean. If set, the SELinux user will additionally be
                        used for approximate role separation.

MLS_SENS                Integer. Set the number of sensitivities in the MLS
                        policy. Ignored on standard and MCS policies.

MLS_CATS                Integer. Set the number of categories in the MLS
                        policy. Ignored on standard and MCS policies.

MCS_CATS                Integer. Set the number of categories in the MCS
                        policy. Ignored on standard and MLS policies.

QUIET                   Boolean. If set, the build system will only display
                        status messages and error messages. This option has no
                        effect on policy.

3) Reference Policy Files and Directories

All directories are relative to the root of the Reference Policy sources
directory.

Makefile                General rules for building the policy.

Rules.modular           Makefile rules specific to building loadable module
                        policies.

Rules.monolithic        Makefile rules specific to building monolithic policies.

build.conf              Options which influence the building of the policy,
                        such as the policy type and distribution.

config/appconfig-*      Application configuration files for all configurations
                        of the Reference Policy (targeted/strict with or without
                        MLS or MCS). These are used by SELinux-aware programs.

config/local.users      The file read by load policy for adding SELinux users
                        to the policy on the fly.

doc/html/*              This contains the contents of the in-policy XML
                        documentation, presented in web page form.

doc/policy.dtd          The doc/policy.xml file is validated against this DTD.

doc/policy.xml          This file is generated/updated by the conf and html make
                        targets. It contains the complete XML documentation
                        included in the policy.

doc/templates/*         Templates used for documentation web pages.

policy/booleans.conf    This file is generated/updated by the conf make target.
                        It contains the booleans in the policy, and their
                        default values. If tunables are implemented as
                        booleans, tunables will also be included. This file
                        will be installed as the /etc/selinux/NAME/booleans
                        file.

policy/constraints      This file defines additional constraints on permissions
                        in the form of boolean expressions that must be
                        satisfied in order for specified permissions to be
                        granted. These constraints are used to further refine
                        the type enforcement rules and the role allow rules.
                        Typically, these constraints are used to restrict
                        changes in user identity or role to certain domains.

policy/global_booleans  This file defines all booleans that have a global scope,
                        their default value, and documentation.

policy/global_tunables  This file defines all tunables that have a global scope,
                        their default value, and documentation.

policy/flask/initial_sids
                        This file has declarations for each initial SID.

policy/flask/security_classes
                        This file has declarations for each security class.

policy/flask/access_vectors
                        This file defines the access vectors. Common
                        prefixes for access vectors may be defined at the
                        beginning of the file. After the common prefixes are
                        defined, an access vector may be defined for each
                        security class.

policy/mcs              The multi-category security (MCS) configuration.

policy/mls              The multi-level security (MLS) configuration.

policy/modules/*        Each directory represents a layer in Reference Policy;
                        all of the modules are contained in one of these layers.

policy/modules.conf     This file contains a listing of available modules, and
                        how they will be used when building Reference Policy. To
                        prevent a module from being used, set the module to
                        "off". For monolithic policies, modules set to "base"
                        and "module" will be included in the policy. For
                        modular policies, modules set to "base" will be included
                        in the base module; those set to "module" will be
                        compiled as individual loadable modules.

policy/rolemap          This file contains the prefix and user domain type that
                        correspond to each user role. The contents of this
                        file will be used to expand the per-user domain
                        templates for each module.

policy/support/*        Support macros.

policy/users            This file defines the users included in the policy.

support/*               Tools used in the build process.

4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution. Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te
file in a directory. A sample Makefile to use in the directory is the
Makefile.example in the doc directory. This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories. Each layer also
must have a metadata.xml file, which is an XML file with a summary tag and
an optional desc (long description) tag. This should describe the purpose of
the layer.

Metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp           Compile and package the MODULENAME local module.

all                     Compile and package the modules in the current
                        directory.

load                    Compile and package the modules in the current
                        directory, then insert them into the module store.

refresh                 Attempts to reinsert all modules that are currently
                        in the module store from the local and system module
                        packages.

xml                     Build a policy.xml from the XML included with the
                        base policy headers and any XML in the modules in
                        the current directory.
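As an added example (not part of the refpolicy README or its build system), the following POSIX shell script lays out the layered local-module tree described above, with a metadata.xml per layer and a minimal .te file, and then calls the headers Makefile with make -f as the text suggests; the directory, layer and module names, the policy NAME and the hypothetical domain types are assumptions, and the Makefile.example alternative is not shown.

```shell
#!/bin/sh
# Added example: build a site-local SELinux module against installed
# Reference Policy headers (refpolicy README, section 4). Names are assumed.
set -eu

# Create DIR/policy/modules/LAYER/ with metadata.xml and MODULE.te.
# Usage: setup_local_module_dir DIR LAYER MODULE
setup_local_module_dir() {
    dir=$1; layer=$2; module=$3
    mkdir -p "$dir/policy/modules/$layer"
    # Every layer needs a metadata.xml: a summary tag and an optional desc tag.
    cat > "$dir/policy/modules/$layer/metadata.xml" <<EOF
<summary>Site-local $layer modules.</summary>
<desc><p>Policy built from the headers, not from the full sources.</p></desc>
EOF
    # Minimal module: policy_module() comes from the headers' support macros.
    # The domain and entrypoint types are hypothetical placeholders.
    cat > "$dir/policy/modules/$layer/$module.te" <<EOF
policy_module($module, 1.0.0)

type ${module}_t;
type ${module}_exec_t;
EOF
}

# Compile MODULE.pp in DIR via the primary Makefile from the headers for
# policy NAME (typically /usr/share/selinux/NAME/Makefile), using make -f.
# Returns 0 on success and 2 when no headers are installed for NAME, so the
# caller can distinguish a missing prerequisite from a build failure.
build_local_module() {
    dir=$1; name=$2; module=$3
    mk="/usr/share/selinux/$name/Makefile"
    [ -f "$mk" ] || { echo "no Reference Policy headers at $mk" >&2; return 2; }
    (cd "$dir" && make -f "$mk" "$module.pp")
}
```

Use the load target instead of MODULE.pp in build_local_module when the packaged module should also be inserted into the module store.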