]>
Commit | Line | Data |
---|---|---|
88d14a22 CP |
1 | # |
2 | # Makefile for the security policy. | |
3 | # | |
4 | # Targets: | |
5 | # | |
6 | # install - compile and install the policy configuration, and context files. | |
7 | # load - compile, install, and load the policy configuration. | |
8 | # reload - compile, install, and load/reload the policy configuration. | |
9 | # relabel - relabel filesystems based on the file contexts configuration. | |
10 | # checklabels - check filesystems against the file context configuration | |
11 | # restorelabels - check filesystems against the file context configuration | |
12 | # and restore the label of files with incorrect labels | |
13 | # policy - compile the policy configuration locally for testing/development. | |
14 | # | |
15 | # The default target is 'policy'. | |
16 | # | |
17 | ||
b4cd1533 CP |
18 | ######################################## |
19 | # | |
20 | # Configurable portions of the Makefile | |
21 | # | |
22 | ||
23 | # Build compatibility policies | |
134191be CP |
24 | POLICYCOMPAT = 18 |
25 | ||
26 | # Build MLS policies | |
27 | MLS=n | |
b4cd1533 CP |
28 | |
29 | # set distribution | |
c9a26b3e | 30 | override M4PARAM += -D distro_redhat |
b4cd1533 CP |
31 | |
32 | # Uncomment this to disable command echoing | |
33 | #QUIET:=@ | |
34 | ||
35 | ######################################## | |
36 | # | |
37 | # Invariant portions of the Makefile | |
38 | # | |
39 | ||
40 | # executable paths | |
41 | PREFIX := /usr | |
42 | BINDIR := $(PREFIX)/bin | |
43 | SBINDIR := $(PREFIX)/sbin | |
44 | CHECKPOLICY := $(BINDIR)/checkpolicy | |
547283e2 | 45 | LOADPOLICY := $(SBINDIR)/load_policy |
b4cd1533 CP |
46 | SETFILES := $(SBINDIR)/setfiles |
47 | ||
134191be CP |
48 | # enable MLS if requested. |
49 | ifeq ($(MLS),y) | |
50 | override M4PARAM += -D enable_mls | |
51 | CHECKPOLICY += -M | |
52 | endif | |
53 | ||
54 | ifneq ($(POLICYCOMPAT),) | |
55 | CHECKPOLICY += -c $(POLICYCOMPAT) | |
56 | endif | |
57 | ||
b4cd1533 | 58 | # determine the policy version and current kernel version if possible |
134191be | 59 | PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') |
b4cd1533 CP |
60 | KV := $(shell cat /selinux/policyvers) |
61 | ||
62 | # dont print version warnings if we are unable to determine | |
63 | # the currently running kernel's policy version | |
64 | ifeq ($(KV),) | |
134191be | 65 | KV := $(PV) |
b4cd1533 CP |
66 | endif |
67 | ||
68 | FC := file_contexts | |
69 | POLVER := policy.$(PV) | |
70 | TYPE := strict | |
71 | ||
72 | # install paths | |
73 | TOPDIR = $(DESTDIR)/etc/selinux | |
74 | INSTALLDIR = $(TOPDIR)/$(TYPE) | |
75 | POLICYPATH = $(INSTALLDIR)/policy | |
76 | SRCPATH = $(INSTALLDIR)/src | |
77 | USERPATH = $(INSTALLDIR)/users | |
78 | CONTEXTPATH = $(INSTALLDIR)/contexts | |
79 | LOADPATH = $(POLICYPATH)/$(POLVER) | |
80 | FCPATH = $(CONTEXTPATH)/files/file_contexts | |
81 | HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template | |
82 | ||
83 | BASE_MODULE = kernel | |
134191be | 84 | FLASKDIR = flask |
2926f9c7 | 85 | APPCONF = appconfig |
b4cd1533 | 86 | |
c9a26b3e CP |
87 | APPDIR := $(CONTEXTPATH) |
88 | APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media | |
2926f9c7 | 89 | CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media |
134191be | 90 | USER_FILES := users |
c9a26b3e | 91 | |
b4cd1533 | 92 | DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) |
2926f9c7 | 93 | ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS)) |
b4cd1533 | 94 | |
134191be | 95 | PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls |
2926f9c7 CP |
96 | ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if)) |
97 | ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) | |
134191be | 98 | POST_TE_FILES := users constraints initial_sid_contexts fs_use |
b4cd1533 | 99 | |
2926f9c7 | 100 | ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc)) |
b4cd1533 | 101 | |
f66a1af9 | 102 | POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf |
b4cd1533 | 103 | |
b4cd1533 CP |
104 | ######################################## |
105 | # | |
106 | # default action: build policy locally | |
107 | # | |
108 | default: policy | |
109 | ||
110 | policy: $(POLVER) | |
111 | ||
c9a26b3e CP |
112 | install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users |
113 | ||
114 | load: tmp/load | |
b4cd1533 CP |
115 | |
116 | ######################################## | |
117 | # | |
118 | # Build a binary policy locally | |
119 | # | |
120 | $(POLVER): policy.conf | |
88c72f44 | 121 | @echo "Compiling $(POLVER)" |
b4cd1533 CP |
122 | ifneq ($(PV),$(KV)) |
123 | @echo | |
124 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
125 | @echo | |
126 | endif | |
134191be | 127 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 CP |
128 | |
129 | ######################################## | |
130 | # | |
131 | # Install a binary policy | |
132 | # | |
133 | $(LOADPATH): policy.conf | |
134 | @mkdir -p $(POLICYPATH) | |
88c72f44 | 135 | @echo "Compiling and installing $(LOADPATH)" |
b4cd1533 CP |
136 | ifneq ($(PV),$(KV)) |
137 | @echo | |
138 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
139 | @echo | |
140 | endif | |
134191be | 141 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 | 142 | |
88d14a22 CP |
143 | ######################################## |
144 | # | |
145 | # Load the binary policy | |
146 | # | |
147 | reload tmp/load: $(LOADPATH) $(FCPATH) | |
88c72f44 | 148 | @echo "Loading $(LOADPATH)" |
88d14a22 CP |
149 | $(QUIET) $(LOADPOLICY) -q $(LOADPATH) |
150 | @touch tmp/load | |
151 | ||
b4cd1533 CP |
152 | ######################################## |
153 | # | |
154 | # Construct a monolithic policy.conf | |
155 | # | |
156 | policy.conf: $(POLICY_SECTIONS) | |
88c72f44 CP |
157 | @echo "Creating policy.conf" |
158 | # checkpolicy can use the #line directives provided by -s for error reporting: | |
c9a26b3e | 159 | $(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp |
b4cd1533 | 160 | $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ |
88c72f44 | 161 | # the ordering of these ocontexts matters: |
b4cd1533 CP |
162 | $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true |
163 | $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true | |
164 | $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true | |
165 | ||
166 | tmp/pre_te_files.conf: $(PRE_TE_FILES) | |
167 | @test -d tmp || mkdir -p tmp | |
168 | $(QUIET) cat $^ > $@ | |
169 | ||
2926f9c7 | 170 | tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te |
b4cd1533 CP |
171 | @test -d tmp || mkdir -p tmp |
172 | $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ | |
0634b6e7 | 173 | $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \ |
b4cd1533 CP |
174 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ |
175 | >> $@ ;\ | |
176 | done | |
177 | $(QUIET) echo "')" >> $@ | |
178 | $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ | |
179 | echo "define(\`$$i')" >> $@ ;\ | |
180 | done | |
c9a26b3e CP |
181 | $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \ |
182 | | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \ | |
bd202fe1 | 183 | | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ |
88c72f44 CP |
184 | # this is so the xml works: |
185 | $(QUIET) echo "## </module>" >> $@ | |
b4cd1533 CP |
186 | |
187 | tmp/all_interfaces.conf: $(ALL_INTERFACES) | |
188 | @test -d tmp || mkdir -p tmp | |
189 | $(QUIET) cat $^ > $@ | |
190 | ||
191 | tmp/all_te_files.conf: $(ALL_TE_FILES) | |
192 | @test -d tmp || mkdir -p tmp | |
193 | $(QUIET) cat $^ > $@ | |
194 | ||
195 | tmp/post_te_files.conf: $(POST_TE_FILES) | |
196 | @test -d tmp || mkdir -p tmp | |
197 | $(QUIET) cat $^ > $@ | |
198 | ||
199 | # extract attributes and put them first. extract post te stuff | |
200 | # like genfscon and put last. portcon, nodecon, and netifcon | |
201 | # is delayed since they are generated by m4 | |
f66a1af9 CP |
202 | tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf |
203 | $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true | |
204 | $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf | |
b4cd1533 CP |
205 | $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf |
206 | $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true | |
f66a1af9 | 207 | $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf |
b4cd1533 | 208 | |
88d14a22 CP |
209 | ######################################## |
210 | # | |
211 | # Remove the dontaudit rules from the policy.conf | |
212 | # | |
213 | enableaudit: policy.conf | |
214 | @test -d tmp || mkdir -p tmp | |
215 | @echo "Removing dontaudit rules from policy.conf" | |
216 | $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit | |
217 | $(QUIET) mv tmp/policy.audit policy.conf | |
218 | ||
6d314fd3 CP |
219 | ######################################## |
220 | # | |
221 | # Construct file_contexts | |
222 | # | |
223 | $(FC): kernel/global.if $(ALL_FC_FILES) | |
224 | @test -d tmp || mkdir -p tmp | |
225 | $(QUIET) m4 $(M4PARAM) $^ > $@ | |
226 | ||
547283e2 CP |
227 | ######################################## |
228 | # | |
229 | # Install file_contexts | |
230 | # | |
c9a26b3e | 231 | $(FCPATH): $(FC) $(USERPATH)/system.users |
547283e2 CP |
232 | @mkdir -p $(CONTEXTPATH)/files |
233 | $(QUIET) install -m 644 $(FC) $(FCPATH) | |
234 | # $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) | |
235 | # $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) | |
236 | ||
b4cd1533 CP |
237 | ######################################## |
238 | # | |
239 | # Filesystem labeling | |
240 | # | |
88d14a22 | 241 | FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` |
b4cd1533 | 242 | |
88d14a22 CP |
243 | checklabels: $(FC) $(SETFILES) |
244 | @if test -z "$(FILESYSTEMS)"; then \ | |
245 | echo "No filesystems with extended attributes found!" ;\ | |
246 | false ;\ | |
247 | fi | |
b4cd1533 CP |
248 | $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) |
249 | ||
88d14a22 CP |
250 | restorelabels: $(FC) $(SETFILES) |
251 | @if test -z "$(FILESYSTEMS)"; then \ | |
252 | echo "No filesystems with extended attributes found!" ;\ | |
253 | false ;\ | |
254 | fi | |
b4cd1533 CP |
255 | $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) |
256 | ||
257 | relabel: $(FC) $(SETFILES) | |
88d14a22 CP |
258 | @if test -z "$(FILESYSTEMS)"; then \ |
259 | echo "No filesystems with extended attributes found!" ;\ | |
260 | false ;\ | |
261 | fi | |
b4cd1533 CP |
262 | $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) |
263 | ||
6d314fd3 CP |
264 | ######################################## |
265 | # | |
266 | # Documentation generation | |
267 | # | |
268 | ||
269 | xml: policy.xml | |
270 | ||
271 | policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf | |
88c72f44 CP |
272 | @echo "Creating $@" |
273 | $(QUIET) echo "<policy>" > $@ | |
c9a26b3e | 274 | $(QUIET) egrep -h "^##[[:space:]]" $^ | sed -e 's/^##[[:space:]]//g' >> $@ |
88c72f44 | 275 | $(QUIET) echo "</policy>" >> $@ |
6d314fd3 | 276 | |
c9a26b3e CP |
277 | ######################################## |
278 | # | |
279 | # Runtime binary policy patching of users | |
280 | # | |
281 | $(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf | |
282 | @mkdir -p $(USERPATH) | |
283 | @echo "Installing system.users" | |
284 | @echo "# " > tmp/system.users | |
285 | @echo "# Do not edit this file. " >> tmp/system.users | |
286 | @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users | |
287 | @echo "# Please edit local.users to make local changes." >> tmp/system.users | |
288 | @echo "#" >> tmp/system.users | |
289 | $(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \ | |
290 | egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users | |
291 | $(QUIET) install -m 644 tmp/system.users $@ | |
292 | ||
293 | $(USERPATH)/local.users: local.users | |
294 | @mkdir -p $(USERPATH) | |
295 | @echo "Installing local.users" | |
296 | $(QUIET) install -C -b -m 644 $< $@ | |
297 | ||
298 | ######################################## | |
299 | # | |
300 | # Appconfig files | |
301 | # | |
302 | install-appconfig: $(APPFILES) | |
303 | ||
2926f9c7 | 304 | $(CONTEXTPATH)/files/media: $(APPCONF)/media |
c9a26b3e CP |
305 | mkdir -p $(CONTEXTPATH)/files/ |
306 | install -m 644 $< $@ | |
307 | ||
2926f9c7 | 308 | $(APPDIR)/default_contexts: $(APPCONF)/default_contexts |
c9a26b3e CP |
309 | mkdir -p $(APPDIR) |
310 | install -m 644 $< $@ | |
311 | ||
2926f9c7 | 312 | $(APPDIR)/removable_context: $(APPCONF)/removable_context |
c9a26b3e CP |
313 | mkdir -p $(APPDIR) |
314 | install -m 644 $< $@ | |
315 | ||
316 | $(APPDIR)/customizable_types: policy.conf | |
317 | mkdir -p $(APPDIR) | |
318 | @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types | |
319 | install -m 644 tmp/customizable_types $@ | |
320 | ||
2926f9c7 | 321 | $(APPDIR)/default_type: $(APPCONF)/default_type |
c9a26b3e CP |
322 | mkdir -p $(APPDIR) |
323 | install -m 644 $< $@ | |
324 | ||
2926f9c7 | 325 | $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context |
c9a26b3e CP |
326 | mkdir -p $(APPDIR) |
327 | install -m 644 $< $@ | |
328 | ||
2926f9c7 | 329 | $(APPDIR)/initrc_context: $(APPCONF)/initrc_context |
c9a26b3e CP |
330 | mkdir -p $(APPDIR) |
331 | install -m 644 $< $@ | |
332 | ||
2926f9c7 | 333 | $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context |
c9a26b3e CP |
334 | mkdir -p $(APPDIR) |
335 | install -m 644 $< $@ | |
336 | ||
2926f9c7 | 337 | $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts |
c9a26b3e CP |
338 | mkdir -p $(APPDIR) |
339 | install -m 644 $< $@ | |
340 | ||
2926f9c7 | 341 | $(APPDIR)/users/root: $(APPCONF)/root_default_contexts |
c9a26b3e CP |
342 | mkdir -p $(APPDIR)/users |
343 | install -m 644 $< $@ | |
344 | ||
b4cd1533 CP |
345 | clean: |
346 | rm -fR tmp | |
6d314fd3 | 347 | rm -f policy.xml |
b4cd1533 CP |
348 | rm -f policy.conf |
349 | rm -f policy.$(PV) | |
350 | rm -f $(FC) | |
351 | ||
88c72f44 | 352 | .PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean |