]>
Commit | Line | Data |
---|---|---|
88d14a22 CP |
1 | # |
2 | # Makefile for the security policy. | |
3 | # | |
4 | # Targets: | |
5 | # | |
6 | # install - compile and install the policy configuration, and context files. | |
7 | # load - compile, install, and load the policy configuration. | |
8 | # reload - compile, install, and load/reload the policy configuration. | |
9 | # relabel - relabel filesystems based on the file contexts configuration. | |
10 | # checklabels - check filesystems against the file context configuration | |
11 | # restorelabels - check filesystems against the file context configuration | |
12 | # and restore the label of files with incorrect labels | |
13 | # policy - compile the policy configuration locally for testing/development. | |
14 | # | |
15 | # The default target is 'policy'. | |
16 | # | |
17 | ||
b4cd1533 CP |
18 | ######################################## |
19 | # | |
20 | # Configurable portions of the Makefile | |
21 | # | |
22 | ||
b67488e3 CP |
23 | # Override default policy version |
24 | OUTPUT_POLICY = 18 | |
134191be | 25 | |
b67488e3 CP |
26 | # Policy Type |
27 | # strict, targeted, strict-mls, targeted-mls | |
28 | # strict and strict-mls are currently supported. | |
29 | TYPE = strict | |
b4cd1533 | 30 | |
b67488e3 CP |
31 | # If set, this will be used as the policy |
32 | # name. Otherwise the policy type will be | |
33 | # used for the name. | |
34 | NAME = | |
35 | ||
36 | # Build monolithic policy. Putting n here | |
37 | # will build a loadable module policy. | |
38 | # Only monolithic policies are currently supported. | |
39 | MONOLITHIC=y | |
b4cd1533 CP |
40 | |
41 | # Uncomment this to disable command echoing | |
42 | #QUIET:=@ | |
43 | ||
44 | ######################################## | |
45 | # | |
b67488e3 | 46 | # NO OPTIONS BELOW HERE |
b4cd1533 CP |
47 | # |
48 | ||
49 | # executable paths | |
50 | PREFIX := /usr | |
51 | BINDIR := $(PREFIX)/bin | |
52 | SBINDIR := $(PREFIX)/sbin | |
53 | CHECKPOLICY := $(BINDIR)/checkpolicy | |
547283e2 | 54 | LOADPOLICY := $(SBINDIR)/load_policy |
b4cd1533 | 55 | SETFILES := $(SBINDIR)/setfiles |
0447352a | 56 | |
004db90d | 57 | XMLLINT := $(BINDIR)/xmllint |
b4cd1533 | 58 | |
134191be | 59 | # enable MLS if requested. |
b67488e3 | 60 | ifneq ($(findstring mls,$(TYPE)),) |
134191be CP |
61 | override M4PARAM += -D enable_mls |
62 | CHECKPOLICY += -M | |
63 | endif | |
64 | ||
b67488e3 CP |
65 | # compile targeted policy if requested. |
66 | ifneq ($(findstring targeted,$(TYPE)),) | |
67 | override M4PARAM += -D targeted_policy | |
68 | endif | |
69 | ||
70 | ifeq ($(MONOLITHIC),y) | |
71 | override M4PARAM += -D monolithic_policy | |
72 | endif | |
73 | ||
74 | ifneq ($(OUTPUT_POLICY),) | |
75 | CHECKPOLICY += -c $(OUTPUT_POLICY) | |
76 | endif | |
77 | ||
78 | ifeq ($(NAME),) | |
79 | NAME := $(TYPE) | |
134191be CP |
80 | endif |
81 | ||
b4cd1533 | 82 | # determine the policy version and current kernel version if possible |
134191be | 83 | PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') |
b4cd1533 CP |
84 | KV := $(shell cat /selinux/policyvers) |
85 | ||
86 | # dont print version warnings if we are unable to determine | |
87 | # the currently running kernel's policy version | |
88 | ifeq ($(KV),) | |
134191be | 89 | KV := $(PV) |
b4cd1533 CP |
90 | endif |
91 | ||
92 | FC := file_contexts | |
93 | POLVER := policy.$(PV) | |
b4cd1533 CP |
94 | |
95 | # install paths | |
96 | TOPDIR = $(DESTDIR)/etc/selinux | |
b67488e3 | 97 | INSTALLDIR = $(TOPDIR)/$(NAME) |
b4cd1533 CP |
98 | POLICYPATH = $(INSTALLDIR)/policy |
99 | SRCPATH = $(INSTALLDIR)/src | |
100 | USERPATH = $(INSTALLDIR)/users | |
101 | CONTEXTPATH = $(INSTALLDIR)/contexts | |
102 | LOADPATH = $(POLICYPATH)/$(POLVER) | |
103 | FCPATH = $(CONTEXTPATH)/files/file_contexts | |
104 | HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template | |
105 | ||
b67488e3 CP |
106 | POLDIR = policy |
107 | MODDIR = $(POLDIR)/modules | |
108 | ||
109 | BASE_MODULE = $(MODDIR)/kernel | |
110 | FLASKDIR = $(POLDIR)/flask | |
09693356 | 111 | APPCONF = config/appconfig |
b67488e3 | 112 | M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt) |
b4cd1533 | 113 | |
c9a26b3e CP |
114 | APPDIR := $(CONTEXTPATH) |
115 | APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media | |
2926f9c7 | 116 | CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media |
b67488e3 | 117 | USER_FILES := $(POLDIR)/users |
c9a26b3e | 118 | |
b67488e3 CP |
119 | DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d) |
120 | ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS)) | |
b4cd1533 | 121 | |
b67488e3 | 122 | PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls |
2926f9c7 CP |
123 | ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if)) |
124 | ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) | |
b67488e3 | 125 | POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints |
b4cd1533 | 126 | |
2926f9c7 | 127 | ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc)) |
b4cd1533 | 128 | |
f66a1af9 | 129 | POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf |
b4cd1533 | 130 | |
36e54b81 CP |
131 | DOCTOOLS = doctools |
132 | XMLDTD = $(DOCTOOLS)/policy.dtd | |
133 | HTMLHEAD = $(DOCTOOLS)/header.html | |
134 | HTMLFOOT = $(DOCTOOLS)/footer.html | |
135 | HTMLCSS = $(DOCTOOLS)/style.css | |
136 | HTMLOUT = $(DOCTOOLS)/html | |
36e54b81 | 137 | |
b4cd1533 CP |
138 | ######################################## |
139 | # | |
140 | # default action: build policy locally | |
141 | # | |
142 | default: policy | |
143 | ||
144 | policy: $(POLVER) | |
145 | ||
44cda51b | 146 | install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users |
c9a26b3e CP |
147 | |
148 | load: tmp/load | |
b4cd1533 CP |
149 | |
150 | ######################################## | |
151 | # | |
152 | # Build a binary policy locally | |
153 | # | |
154 | $(POLVER): policy.conf | |
b67488e3 | 155 | @echo "Compiling $(NAME) $(POLVER)" |
b4cd1533 CP |
156 | ifneq ($(PV),$(KV)) |
157 | @echo | |
b67488e3 | 158 | @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" |
b4cd1533 CP |
159 | @echo |
160 | endif | |
134191be | 161 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 CP |
162 | |
163 | ######################################## | |
164 | # | |
165 | # Install a binary policy | |
166 | # | |
167 | $(LOADPATH): policy.conf | |
168 | @mkdir -p $(POLICYPATH) | |
b67488e3 | 169 | @echo "Compiling and installing $(NAME) $(LOADPATH)" |
b4cd1533 CP |
170 | ifneq ($(PV),$(KV)) |
171 | @echo | |
b67488e3 | 172 | @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" |
b4cd1533 CP |
173 | @echo |
174 | endif | |
134191be | 175 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 | 176 | |
88d14a22 CP |
177 | ######################################## |
178 | # | |
179 | # Load the binary policy | |
180 | # | |
181 | reload tmp/load: $(LOADPATH) $(FCPATH) | |
b67488e3 | 182 | @echo "Loading $(NAME) $(LOADPATH)" |
88d14a22 CP |
183 | $(QUIET) $(LOADPOLICY) -q $(LOADPATH) |
184 | @touch tmp/load | |
185 | ||
b4cd1533 CP |
186 | ######################################## |
187 | # | |
188 | # Construct a monolithic policy.conf | |
189 | # | |
190 | policy.conf: $(POLICY_SECTIONS) | |
b67488e3 | 191 | @echo "Creating $(NAME) policy.conf" |
88c72f44 | 192 | # checkpolicy can use the #line directives provided by -s for error reporting: |
b67488e3 | 193 | $(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp |
b4cd1533 | 194 | $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ |
88c72f44 | 195 | # the ordering of these ocontexts matters: |
b4cd1533 CP |
196 | $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true |
197 | $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true | |
198 | $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true | |
199 | ||
200 | tmp/pre_te_files.conf: $(PRE_TE_FILES) | |
201 | @test -d tmp || mkdir -p tmp | |
202 | $(QUIET) cat $^ > $@ | |
203 | ||
2926f9c7 | 204 | tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te |
44cda51b | 205 | # per-userdomain templates: |
b4cd1533 CP |
206 | @test -d tmp || mkdir -p tmp |
207 | $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ | |
0634b6e7 | 208 | $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \ |
b4cd1533 CP |
209 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ |
210 | >> $@ ;\ | |
211 | done | |
212 | $(QUIET) echo "')" >> $@ | |
44cda51b | 213 | # define foo.te |
b4cd1533 CP |
214 | $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ |
215 | echo "define(\`$$i')" >> $@ ;\ | |
216 | done | |
44cda51b | 217 | # generate network interfaces |
c9a26b3e | 218 | $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \ |
de96491b | 219 | | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \ |
bd202fe1 | 220 | | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ |
88c72f44 CP |
221 | # this is so the xml works: |
222 | $(QUIET) echo "## </module>" >> $@ | |
b4cd1533 CP |
223 | |
224 | tmp/all_interfaces.conf: $(ALL_INTERFACES) | |
225 | @test -d tmp || mkdir -p tmp | |
226 | $(QUIET) cat $^ > $@ | |
227 | ||
228 | tmp/all_te_files.conf: $(ALL_TE_FILES) | |
229 | @test -d tmp || mkdir -p tmp | |
230 | $(QUIET) cat $^ > $@ | |
231 | ||
232 | tmp/post_te_files.conf: $(POST_TE_FILES) | |
233 | @test -d tmp || mkdir -p tmp | |
234 | $(QUIET) cat $^ > $@ | |
235 | ||
236 | # extract attributes and put them first. extract post te stuff | |
237 | # like genfscon and put last. portcon, nodecon, and netifcon | |
238 | # is delayed since they are generated by m4 | |
f66a1af9 CP |
239 | tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf |
240 | $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true | |
241 | $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf | |
b4cd1533 | 242 | $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf |
cabfa520 CP |
243 | $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true |
244 | $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true | |
b4cd1533 | 245 | $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true |
cabfa520 CP |
246 | $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ |
247 | -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ | |
248 | < tmp/all_te_files.conf > tmp/only_te_rules.conf | |
b4cd1533 | 249 | |
88d14a22 CP |
250 | ######################################## |
251 | # | |
252 | # Remove the dontaudit rules from the policy.conf | |
253 | # | |
254 | enableaudit: policy.conf | |
255 | @test -d tmp || mkdir -p tmp | |
256 | @echo "Removing dontaudit rules from policy.conf" | |
257 | $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit | |
258 | $(QUIET) mv tmp/policy.audit policy.conf | |
259 | ||
6d314fd3 CP |
260 | ######################################## |
261 | # | |
262 | # Construct file_contexts | |
263 | # | |
de96491b | 264 | $(FC): $(M4SUPPORT) $(ALL_FC_FILES) |
6d314fd3 CP |
265 | @test -d tmp || mkdir -p tmp |
266 | $(QUIET) m4 $(M4PARAM) $^ > $@ | |
267 | ||
547283e2 CP |
268 | ######################################## |
269 | # | |
270 | # Install file_contexts | |
271 | # | |
c9a26b3e | 272 | $(FCPATH): $(FC) $(USERPATH)/system.users |
547283e2 CP |
273 | @mkdir -p $(CONTEXTPATH)/files |
274 | $(QUIET) install -m 644 $(FC) $(FCPATH) | |
275 | # $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) | |
276 | # $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) | |
277 | ||
b4cd1533 CP |
278 | ######################################## |
279 | # | |
280 | # Filesystem labeling | |
281 | # | |
88d14a22 | 282 | FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` |
b4cd1533 | 283 | |
88d14a22 CP |
284 | checklabels: $(FC) $(SETFILES) |
285 | @if test -z "$(FILESYSTEMS)"; then \ | |
286 | echo "No filesystems with extended attributes found!" ;\ | |
287 | false ;\ | |
288 | fi | |
b4cd1533 CP |
289 | $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) |
290 | ||
88d14a22 CP |
291 | restorelabels: $(FC) $(SETFILES) |
292 | @if test -z "$(FILESYSTEMS)"; then \ | |
293 | echo "No filesystems with extended attributes found!" ;\ | |
294 | false ;\ | |
295 | fi | |
b4cd1533 CP |
296 | $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) |
297 | ||
298 | relabel: $(FC) $(SETFILES) | |
88d14a22 CP |
299 | @if test -z "$(FILESYSTEMS)"; then \ |
300 | echo "No filesystems with extended attributes found!" ;\ | |
301 | false ;\ | |
302 | fi | |
b4cd1533 CP |
303 | $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) |
304 | ||
6d314fd3 CP |
305 | ######################################## |
306 | # | |
307 | # Documentation generation | |
308 | # | |
309 | ||
36e54b81 | 310 | tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf |
88c72f44 | 311 | @echo "Creating $@" |
36e54b81 | 312 | @cp $(XMLDTD) tmp |
004db90d CP |
313 | $(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ |
314 | $(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@ | |
315 | $(QUIET) echo "<policy>" >> $@ | |
44cda51b | 316 | # process this through m4 to eliminate the generated definitions templates. |
3c62aa31 | 317 | # currently these are only in corenetwork.if |
004db90d | 318 | $(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@ |
88c72f44 | 319 | $(QUIET) echo "</policy>" >> $@ |
0447352a CP |
320 | $(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ |
321 | $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\ | |
004db90d | 322 | fi |
6d314fd3 | 323 | |
c9a26b3e CP |
324 | ######################################## |
325 | # | |
326 | # Runtime binary policy patching of users | |
327 | # | |
328 | $(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf | |
329 | @mkdir -p $(USERPATH) | |
330 | @echo "Installing system.users" | |
331 | @echo "# " > tmp/system.users | |
332 | @echo "# Do not edit this file. " >> tmp/system.users | |
333 | @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users | |
334 | @echo "# Please edit local.users to make local changes." >> tmp/system.users | |
335 | @echo "#" >> tmp/system.users | |
336 | $(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \ | |
337 | egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users | |
338 | $(QUIET) install -m 644 tmp/system.users $@ | |
339 | ||
340 | $(USERPATH)/local.users: local.users | |
341 | @mkdir -p $(USERPATH) | |
342 | @echo "Installing local.users" | |
343 | $(QUIET) install -C -b -m 644 $< $@ | |
344 | ||
345 | ######################################## | |
346 | # | |
347 | # Appconfig files | |
348 | # | |
349 | install-appconfig: $(APPFILES) | |
350 | ||
2926f9c7 | 351 | $(CONTEXTPATH)/files/media: $(APPCONF)/media |
c9a26b3e CP |
352 | mkdir -p $(CONTEXTPATH)/files/ |
353 | install -m 644 $< $@ | |
354 | ||
2926f9c7 | 355 | $(APPDIR)/default_contexts: $(APPCONF)/default_contexts |
c9a26b3e CP |
356 | mkdir -p $(APPDIR) |
357 | install -m 644 $< $@ | |
358 | ||
2926f9c7 | 359 | $(APPDIR)/removable_context: $(APPCONF)/removable_context |
c9a26b3e CP |
360 | mkdir -p $(APPDIR) |
361 | install -m 644 $< $@ | |
362 | ||
363 | $(APPDIR)/customizable_types: policy.conf | |
364 | mkdir -p $(APPDIR) | |
365 | @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types | |
366 | install -m 644 tmp/customizable_types $@ | |
367 | ||
2926f9c7 | 368 | $(APPDIR)/default_type: $(APPCONF)/default_type |
c9a26b3e CP |
369 | mkdir -p $(APPDIR) |
370 | install -m 644 $< $@ | |
371 | ||
2926f9c7 | 372 | $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context |
c9a26b3e CP |
373 | mkdir -p $(APPDIR) |
374 | install -m 644 $< $@ | |
375 | ||
2926f9c7 | 376 | $(APPDIR)/initrc_context: $(APPCONF)/initrc_context |
c9a26b3e CP |
377 | mkdir -p $(APPDIR) |
378 | install -m 644 $< $@ | |
379 | ||
2926f9c7 | 380 | $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context |
c9a26b3e CP |
381 | mkdir -p $(APPDIR) |
382 | install -m 644 $< $@ | |
383 | ||
2926f9c7 | 384 | $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts |
c9a26b3e CP |
385 | mkdir -p $(APPDIR) |
386 | install -m 644 $< $@ | |
387 | ||
2926f9c7 | 388 | $(APPDIR)/users/root: $(APPCONF)/root_default_contexts |
c9a26b3e CP |
389 | mkdir -p $(APPDIR)/users |
390 | install -m 644 $< $@ | |
391 | ||
b4cd1533 CP |
392 | clean: |
393 | rm -fR tmp | |
6d314fd3 | 394 | rm -f policy.xml |
b4cd1533 CP |
395 | rm -f policy.conf |
396 | rm -f policy.$(PV) | |
397 | rm -f $(FC) | |
398 | ||
b67488e3 | 399 | .PHONY: default policy install reload enableaudit checklabels restorelabels relabel clean |