[people/stevee/selinux-policy.git] / refpolicy / Makefile

#
# Makefile for the security policy.
#
# Targets:
# 
# install       - compile and install the policy configuration, and context files.
# load          - compile, install, and load the policy configuration.
# reload        - compile, install, and load/reload the policy configuration.
# relabel       - relabel filesystems based on the file contexts configuration.
# checklabels   - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
#                 and restore the label of files with incorrect labels
# policy        - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#

########################################
#
# Configurable portions of the Makefile
#

# Override default policy version
OUTPUT_POLICY = 18

# Policy Type
# strict, targeted, strict-mls, targeted-mls
# strict and strict-mls are currently supported.
TYPE = strict

# If set, this will be used as the policy
# name.  Otherwise the policy type will be
# used for the name.
NAME = 

# Build monolithic policy.  Putting n here
# will build a loadable module policy.
# Only monolithic policies are currently supported.
MONOLITHIC=y

# Uncomment this to disable command echoing
#QUIET:=@

########################################
#
# NO OPTIONS BELOW HERE
#

# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles

XMLLINT := $(BINDIR)/xmllint

# enable MLS if requested.
ifneq ($(findstring mls,$(TYPE)),)
	override M4PARAM += -D enable_mls
	CHECKPOLICY += -M
endif

# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
	override M4PARAM += -D targeted_policy
endif

ifeq ($(MONOLITHIC),y)
	override M4PARAM += -D monolithic_policy
endif

ifneq ($(OUTPUT_POLICY),)
	CHECKPOLICY += -c $(OUTPUT_POLICY)
endif

ifeq ($(NAME),)
	NAME := $(TYPE)
endif

# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
	KV := $(PV)
endif

FC := file_contexts
POLVER := policy.$(PV)

# install paths
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(NAME)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

POLDIR = policy
MODDIR = $(POLDIR)/modules

BASE_MODULE = $(MODDIR)/kernel
FLASKDIR = $(POLDIR)/flask
APPCONF = config/appconfig
M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt)

APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users 

DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))

PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints

ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))

POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf

DOCTOOLS = doctools
XMLDTD = $(DOCTOOLS)/policy.dtd
HTMLHEAD = $(DOCTOOLS)/header.html
HTMLFOOT = $(DOCTOOLS)/footer.html
HTMLCSS = $(DOCTOOLS)/style.css
HTMLOUT = $(DOCTOOLS)/html

########################################
#
# default action: build policy locally
#
default: policy

policy: $(POLVER)

install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users

load: tmp/load

########################################
#
# Build a binary policy locally
#
$(POLVER): policy.conf
	@echo "Compiling $(NAME) $(POLVER)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $^ -o $@

########################################
#
# Install a binary policy
#
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
	@echo "Compiling and installing $(NAME) $(LOADPATH)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $^ -o $@

########################################
#
# Load the binary policy
#
reload tmp/load: $(LOADPATH) $(FCPATH)
	@echo "Loading $(NAME) $(LOADPATH)"
	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	@touch tmp/load

########################################
#
# Construct a monolithic policy.conf
#
policy.conf: $(POLICY_SECTIONS)
	@echo "Creating $(NAME) policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting:
	$(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters:
	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true

tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
# per-userdomain templates:
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
# define foo.te
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
# generate network interfaces
	$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
		| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
# this is so the xml works:
	$(QUIET) echo "## </module>" >> $@

tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/post_te_files.conf: $(POST_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.  portcon, nodecon, and netifcon
# is delayed since they are generated by m4
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
			< tmp/all_te_files.conf > tmp/only_te_rules.conf

########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
	@test -d tmp || mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	$(QUIET) mv tmp/policy.audit policy.conf

########################################
#
# Construct file_contexts
#
$(FC): $(M4SUPPORT) $(ALL_FC_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@

########################################
#
# Install file_contexts
#
$(FCPATH): $(FC) $(USERPATH)/system.users 
	@mkdir -p $(CONTEXTPATH)/files
	$(QUIET) install -m 644 $(FC) $(FCPATH)
#	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
#	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)

########################################
#
# Filesystem labeling
#
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

checklabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)

########################################
#
# Documentation generation
#

tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
	@echo "Creating $@"
	@cp $(XMLDTD) tmp
	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
	$(QUIET) echo "<policy>" >> $@
# process this through m4 to eliminate the generated definitions templates.
# currently these are only in corenetwork.if
	$(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
	$(QUIET) echo "</policy>" >> $@
	$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
	fi

########################################
#
# Runtime binary policy patching of users
#
$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	@mkdir -p $(USERPATH)
	@echo "Installing system.users"
	@echo "# " > tmp/system.users
	@echo "# Do not edit this file. " >> tmp/system.users
	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	@echo "#" >> tmp/system.users
	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \
		egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users
	$(QUIET) install -m 644 tmp/system.users $@

$(USERPATH)/local.users: local.users
	@mkdir -p $(USERPATH)
	@echo "Installing local.users"
	$(QUIET) install -C -b -m 644 $< $@

########################################
#
# Appconfig files
#
install-appconfig: $(APPFILES)

$(CONTEXTPATH)/files/media: $(APPCONF)/media
	mkdir -p $(CONTEXTPATH)/files/
	install -m 644 $< $@

$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/removable_context: $(APPCONF)/removable_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/customizable_types: policy.conf
	mkdir -p $(APPDIR)
	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
	install -m 644 tmp/customizable_types $@ 

$(APPDIR)/default_type: $(APPCONF)/default_type
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
	mkdir -p $(APPDIR)/users
	install -m 644 $< $@

clean:
	rm -fR tmp
	rm -f policy.xml
	rm -f policy.conf
	rm -f policy.$(PV)
	rm -f $(FC)

.PHONY: default policy install reload enableaudit checklabels restorelabels relabel clean
Commit	Line	Data
88d14a22 CP	1	#
	2	# Makefile for the security policy.
	3	#
	4	# Targets:
	5	#
	6	# install - compile and install the policy configuration, and context files.
	7	# load - compile, install, and load the policy configuration.
	8	# reload - compile, install, and load/reload the policy configuration.
	9	# relabel - relabel filesystems based on the file contexts configuration.
	10	# checklabels - check filesystems against the file context configuration
	11	# restorelabels - check filesystems against the file context configuration
	12	# and restore the label of files with incorrect labels
	13	# policy - compile the policy configuration locally for testing/development.
	14	#
	15	# The default target is 'policy'.
	16	#
	17
b4cd1533 CP	18	########################################
	19	#
	20	# Configurable portions of the Makefile
	21	#
	22
b67488e3 CP	23	# Override default policy version
b67488e3 CP	24	OUTPUT_POLICY = 18
134191be	25
b67488e3 CP	26	# Policy Type
	27	# strict, targeted, strict-mls, targeted-mls
	28	# strict and strict-mls are currently supported.
	29	TYPE = strict
b4cd1533	30
b67488e3 CP	31	# If set, this will be used as the policy
	32	# name. Otherwise the policy type will be
	33	# used for the name.
	34	NAME =
	35
	36	# Build monolithic policy. Putting n here
	37	# will build a loadable module policy.
	38	# Only monolithic policies are currently supported.
	39	MONOLITHIC=y
b4cd1533 CP	40
	41	# Uncomment this to disable command echoing
	42	#QUIET:=@
	43
	44	########################################
	45	#
b67488e3	46	# NO OPTIONS BELOW HERE
b4cd1533 CP	47	#
	48
	49	# executable paths
	50	PREFIX := /usr
	51	BINDIR := $(PREFIX)/bin
	52	SBINDIR := $(PREFIX)/sbin
	53	CHECKPOLICY := $(BINDIR)/checkpolicy
547283e2	54	LOADPOLICY := $(SBINDIR)/load_policy
b4cd1533	55	SETFILES := $(SBINDIR)/setfiles
0447352a	56
004db90d	57	XMLLINT := $(BINDIR)/xmllint
b4cd1533	58
134191be	59	# enable MLS if requested.
b67488e3	60	ifneq ($(findstring mls,$(TYPE)),)
134191be CP	61	override M4PARAM += -D enable_mls
	62	CHECKPOLICY += -M
	63	endif
	64
b67488e3 CP	65	# compile targeted policy if requested.
	66	ifneq ($(findstring targeted,$(TYPE)),)
	67	override M4PARAM += -D targeted_policy
	68	endif
	69
	70	ifeq ($(MONOLITHIC),y)
	71	override M4PARAM += -D monolithic_policy
	72	endif
	73
	74	ifneq ($(OUTPUT_POLICY),)
	75	CHECKPOLICY += -c $(OUTPUT_POLICY)
	76	endif
	77
	78	ifeq ($(NAME),)
	79	NAME := $(TYPE)
134191be CP	80	endif
134191be CP	81
b4cd1533	82	# determine the policy version and current kernel version if possible
134191be	83	PV := $(shell $(CHECKPOLICY) -V \|cut -f 1 -d ' ')
b4cd1533 CP	84	KV := $(shell cat /selinux/policyvers)
	85
	86	# dont print version warnings if we are unable to determine
	87	# the currently running kernel's policy version
	88	ifeq ($(KV),)
134191be	89	KV := $(PV)
b4cd1533 CP	90	endif
	91
	92	FC := file_contexts
	93	POLVER := policy.$(PV)
b4cd1533 CP	94
	95	# install paths
	96	TOPDIR = $(DESTDIR)/etc/selinux
b67488e3	97	INSTALLDIR = $(TOPDIR)/$(NAME)
b4cd1533 CP	98	POLICYPATH = $(INSTALLDIR)/policy
	99	SRCPATH = $(INSTALLDIR)/src
	100	USERPATH = $(INSTALLDIR)/users
	101	CONTEXTPATH = $(INSTALLDIR)/contexts
	102	LOADPATH = $(POLICYPATH)/$(POLVER)
	103	FCPATH = $(CONTEXTPATH)/files/file_contexts
	104	HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
	105
b67488e3 CP	106	POLDIR = policy
	107	MODDIR = $(POLDIR)/modules
	108
	109	BASE_MODULE = $(MODDIR)/kernel
	110	FLASKDIR = $(POLDIR)/flask
09693356	111	APPCONF = config/appconfig
b67488e3	112	M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt)
b4cd1533	113
c9a26b3e CP	114	APPDIR := $(CONTEXTPATH)
c9a26b3e CP	115	APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
2926f9c7	116	CONTEXTFILES += $(wildcard $(APPCONF)/_context) $(APPCONF)/media
b67488e3	117	USER_FILES := $(POLDIR)/users
c9a26b3e	118
b67488e3 CP	119	DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
b67488e3 CP	120	ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))
b4cd1533	121
b67488e3	122	PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
2926f9c7 CP	123	ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
2926f9c7 CP	124	ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
b67488e3	125	POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
b4cd1533	126
2926f9c7	127	ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
b4cd1533	128
f66a1af9	129	POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
b4cd1533	130
36e54b81 CP	131	DOCTOOLS = doctools
	132	XMLDTD = $(DOCTOOLS)/policy.dtd
	133	HTMLHEAD = $(DOCTOOLS)/header.html
	134	HTMLFOOT = $(DOCTOOLS)/footer.html
	135	HTMLCSS = $(DOCTOOLS)/style.css
	136	HTMLOUT = $(DOCTOOLS)/html
36e54b81	137
b4cd1533 CP	138	########################################
	139	#
	140	# default action: build policy locally
	141	#
	142	default: policy
	143
	144	policy: $(POLVER)
	145
44cda51b	146	install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
c9a26b3e CP	147
c9a26b3e CP	148	load: tmp/load
b4cd1533 CP	149
	150	########################################
	151	#
	152	# Build a binary policy locally
	153	#
	154	$(POLVER): policy.conf
b67488e3	155	@echo "Compiling $(NAME) $(POLVER)"
b4cd1533 CP	156	ifneq ($(PV),$(KV))
b4cd1533 CP	157	@echo
b67488e3	158	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
b4cd1533 CP	159	@echo
b4cd1533 CP	160	endif
134191be	161	$(QUIET) $(CHECKPOLICY) $^ -o $@
b4cd1533 CP	162
	163	########################################
	164	#
	165	# Install a binary policy
	166	#
	167	$(LOADPATH): policy.conf
	168	@mkdir -p $(POLICYPATH)
b67488e3	169	@echo "Compiling and installing $(NAME) $(LOADPATH)"
b4cd1533 CP	170	ifneq ($(PV),$(KV))
b4cd1533 CP	171	@echo
b67488e3	172	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
b4cd1533 CP	173	@echo
b4cd1533 CP	174	endif
134191be	175	$(QUIET) $(CHECKPOLICY) $^ -o $@
b4cd1533	176
88d14a22 CP	177	########################################
	178	#
	179	# Load the binary policy
	180	#
	181	reload tmp/load: $(LOADPATH) $(FCPATH)
b67488e3	182	@echo "Loading $(NAME) $(LOADPATH)"
88d14a22 CP	183	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	184	@touch tmp/load
	185
b4cd1533 CP	186	########################################
	187	#
	188	# Construct a monolithic policy.conf
	189	#
	190	policy.conf: $(POLICY_SECTIONS)
b67488e3	191	@echo "Creating $(NAME) policy.conf"
88c72f44	192	# checkpolicy can use the #line directives provided by -s for error reporting:
b67488e3	193	$(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp
b4cd1533	194	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
88c72f44	195	# the ordering of these ocontexts matters:
b4cd1533 CP	196	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ \|\| true
	197	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ \|\| true
	198	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ \|\| true
	199
	200	tmp/pre_te_files.conf: $(PRE_TE_FILES)
	201	@test -d tmp \|\| mkdir -p tmp
	202	$(QUIET) cat $^ > $@
	203
2926f9c7	204	tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
44cda51b	205	# per-userdomain templates:
b4cd1533 CP	206	@test -d tmp \|\| mkdir -p tmp
b4cd1533 CP	207	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
0634b6e7	208	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
b4cd1533 CP	209	echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
	210	>> $@ ;\
	211	done
	212	$(QUIET) echo "')" >> $@
44cda51b	213	# define foo.te
b4cd1533 CP	214	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
	215	echo "define(\`$$i')" >> $@ ;\
	216	done
44cda51b	217	# generate network interfaces
c9a26b3e	218	$(QUIET) egrep "^network_(interface\|node\|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
de96491b	219	\| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
bd202fe1	220	\| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
88c72f44 CP	221	# this is so the xml works:
88c72f44 CP	222	$(QUIET) echo "## </module>" >> $@
b4cd1533 CP	223
	224	tmp/all_interfaces.conf: $(ALL_INTERFACES)
	225	@test -d tmp \|\| mkdir -p tmp
	226	$(QUIET) cat $^ > $@
	227
	228	tmp/all_te_files.conf: $(ALL_TE_FILES)
	229	@test -d tmp \|\| mkdir -p tmp
	230	$(QUIET) cat $^ > $@
	231
	232	tmp/post_te_files.conf: $(POST_TE_FILES)
	233	@test -d tmp \|\| mkdir -p tmp
	234	$(QUIET) cat $^ > $@
	235
	236	# extract attributes and put them first. extract post te stuff
	237	# like genfscon and put last. portcon, nodecon, and netifcon
	238	# is delayed since they are generated by m4
f66a1af9 CP	239	tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	240	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf \|\| true
	241	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
b4cd1533	242	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
cabfa520 CP	243	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
cabfa520 CP	244	$(QUIET) egrep '^fs_use_(xattr\|task\|trans)' tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
b4cd1533	245	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
cabfa520 CP	246	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
	247	-e '/^sid /d' -e '/^fs_use_(xattr\|task\|trans)/d' \
	248	< tmp/all_te_files.conf > tmp/only_te_rules.conf
b4cd1533	249
88d14a22 CP	250	########################################
	251	#
	252	# Remove the dontaudit rules from the policy.conf
	253	#
	254	enableaudit: policy.conf
	255	@test -d tmp \|\| mkdir -p tmp
	256	@echo "Removing dontaudit rules from policy.conf"
	257	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	258	$(QUIET) mv tmp/policy.audit policy.conf
	259
6d314fd3 CP	260	########################################
	261	#
	262	# Construct file_contexts
	263	#
de96491b	264	$(FC): $(M4SUPPORT) $(ALL_FC_FILES)
6d314fd3 CP	265	@test -d tmp \|\| mkdir -p tmp
	266	$(QUIET) m4 $(M4PARAM) $^ > $@
	267
547283e2 CP	268	########################################
	269	#
	270	# Install file_contexts
	271	#
c9a26b3e	272	$(FCPATH): $(FC) $(USERPATH)/system.users
547283e2 CP	273	@mkdir -p $(CONTEXTPATH)/files
	274	$(QUIET) install -m 644 $(FC) $(FCPATH)
	275	# $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
	276	# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
	277
b4cd1533 CP	278	########################################
	279	#
	280	# Filesystem labeling
	281	#
88d14a22	282	FILESYSTEMS := `mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\| jfs).*rw/{print $$3}';`
b4cd1533	283
88d14a22 CP	284	checklabels: $(FC) $(SETFILES)
	285	@if test -z "$(FILESYSTEMS)"; then \
	286	echo "No filesystems with extended attributes found!" ;\
	287	false ;\
	288	fi
b4cd1533 CP	289	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
b4cd1533 CP	290
88d14a22 CP	291	restorelabels: $(FC) $(SETFILES)
	292	@if test -z "$(FILESYSTEMS)"; then \
	293	echo "No filesystems with extended attributes found!" ;\
	294	false ;\
	295	fi
b4cd1533 CP	296	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
	297
	298	relabel: $(FC) $(SETFILES)
88d14a22 CP	299	@if test -z "$(FILESYSTEMS)"; then \
	300	echo "No filesystems with extended attributes found!" ;\
	301	false ;\
	302	fi
b4cd1533 CP	303	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
b4cd1533 CP	304
6d314fd3 CP	305	########################################
	306	#
	307	# Documentation generation
	308	#
	309
36e54b81	310	tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
88c72f44	311	@echo "Creating $@"
36e54b81	312	@cp $(XMLDTD) tmp
004db90d CP	313	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	314	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
	315	$(QUIET) echo "<policy>" >> $@
44cda51b	316	# process this through m4 to eliminate the generated definitions templates.
3c62aa31	317	# currently these are only in corenetwork.if
004db90d	318	$(QUIET) m4 $^ \| egrep -h "^##[[:blank:]]" \| sed -e 's/^##[[:blank:]]//g' >> $@
88c72f44	319	$(QUIET) echo "</policy>" >> $@
0447352a CP	320	$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
0447352a CP	321	$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
004db90d	322	fi
6d314fd3	323
c9a26b3e CP	324	########################################
	325	#
	326	# Runtime binary policy patching of users
	327	#
	328	$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	329	@mkdir -p $(USERPATH)
	330	@echo "Installing system.users"
	331	@echo "# " > tmp/system.users
	332	@echo "# Do not edit this file. " >> tmp/system.users
	333	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	334	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	335	@echo "#" >> tmp/system.users
	336	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) \| \
	337	egrep -v "^[[:space:]]*($$\|#)" >> tmp/system.users
	338	$(QUIET) install -m 644 tmp/system.users $@
	339
	340	$(USERPATH)/local.users: local.users
	341	@mkdir -p $(USERPATH)
	342	@echo "Installing local.users"
	343	$(QUIET) install -C -b -m 644 $< $@
	344
	345	########################################
	346	#
	347	# Appconfig files
	348	#
	349	install-appconfig: $(APPFILES)
	350
2926f9c7	351	$(CONTEXTPATH)/files/media: $(APPCONF)/media
c9a26b3e CP	352	mkdir -p $(CONTEXTPATH)/files/
	353	install -m 644 $< $@
	354
2926f9c7	355	$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
c9a26b3e CP	356	mkdir -p $(APPDIR)
	357	install -m 644 $< $@
	358
2926f9c7	359	$(APPDIR)/removable_context: $(APPCONF)/removable_context
c9a26b3e CP	360	mkdir -p $(APPDIR)
	361	install -m 644 $< $@
	362
	363	$(APPDIR)/customizable_types: policy.conf
	364	mkdir -p $(APPDIR)
	365	@grep "^type .*customizable" $< \| cut -d',' -f1 \| cut -d' ' -f2 > tmp/customizable_types
	366	install -m 644 tmp/customizable_types $@
	367
2926f9c7	368	$(APPDIR)/default_type: $(APPCONF)/default_type
c9a26b3e CP	369	mkdir -p $(APPDIR)
	370	install -m 644 $< $@
	371
2926f9c7	372	$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
c9a26b3e CP	373	mkdir -p $(APPDIR)
	374	install -m 644 $< $@
	375
2926f9c7	376	$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
c9a26b3e CP	377	mkdir -p $(APPDIR)
	378	install -m 644 $< $@
	379
2926f9c7	380	$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
c9a26b3e CP	381	mkdir -p $(APPDIR)
	382	install -m 644 $< $@
	383
2926f9c7	384	$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
c9a26b3e CP	385	mkdir -p $(APPDIR)
	386	install -m 644 $< $@
	387
2926f9c7	388	$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
c9a26b3e CP	389	mkdir -p $(APPDIR)/users
	390	install -m 644 $< $@
	391
b4cd1533 CP	392	clean:
b4cd1533 CP	393	rm -fR tmp
6d314fd3	394	rm -f policy.xml
b4cd1533 CP	395	rm -f policy.conf
	396	rm -f policy.$(PV)
	397	rm -f $(FC)
	398
b67488e3	399	.PHONY: default policy install reload enableaudit checklabels restorelabels relabel clean