[people/stevee/selinux-policy.git] / refpolicy / Makefile

#
# Makefile for the security policy.
#
# Targets:
# 
# install       - compile and install the policy configuration, and context files.
# load          - compile, install, and load the policy configuration.
# reload        - compile, install, and load/reload the policy configuration.
# relabel       - relabel filesystems based on the file contexts configuration.
# checklabels   - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
#                 and restore the label of files with incorrect labels
# policy        - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#

########################################
#
# Configurable portions of the Makefile
#

# Build compatibility policies 
POLICYCOMPAT = -c 18

# set distribution
override M4PARAM += -D distro_redhat

# Uncomment this to disable command echoing
#QUIET:=@

########################################
#
# Invariant portions of the Makefile
#

# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles

# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
KV := $(PV)
endif

FC := file_contexts
POLVER := policy.$(PV)
TYPE := strict

# install paths
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/

APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
USER_FILES := $(MISCDIR)/users 

DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS))

PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use)

ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))

POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf

########################################
#
# default action: build policy locally
#
default: policy

policy: $(POLVER)

install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users

load: tmp/load

########################################
#
# Build a binary policy locally
#
$(POLVER): policy.conf
	@echo "Compiling $(POLVER)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@

########################################
#
# Install a binary policy
#
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
	@echo "Compiling and installing $(LOADPATH)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@

########################################
#
# Load the binary policy
#
reload tmp/load: $(LOADPATH) $(FCPATH)
	@echo "Loading $(LOADPATH)"
	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	@touch tmp/load

########################################
#
# Construct a monolithic policy.conf
#
policy.conf: $(POLICY_SECTIONS)
	@echo "Creating policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting:
	$(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters:
	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true

tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
	$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
		| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
# this is so the xml works:
	$(QUIET) echo "## </module>" >> $@

tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/post_te_files.conf: $(POST_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.  portcon, nodecon, and netifcon
# is delayed since they are generated by m4
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf

########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
	@test -d tmp || mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	$(QUIET) mv tmp/policy.audit policy.conf

########################################
#
# Construct file_contexts
#
$(FC): kernel/global.if $(ALL_FC_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@

########################################
#
# Install file_contexts
#
$(FCPATH): $(FC) $(USERPATH)/system.users 
	@mkdir -p $(CONTEXTPATH)/files
	$(QUIET) install -m 644 $(FC) $(FCPATH)
#	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
#	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)

########################################
#
# Filesystem labeling
#
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

checklabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)

########################################
#
# Documentation generation
#

xml: policy.xml

policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
	@echo "Creating $@"
	$(QUIET) echo "<policy>" > $@
	$(QUIET) egrep -h "^##[[:space:]]" $^ | sed -e 's/^##[[:space:]]//g' >> $@
	$(QUIET) echo "</policy>" >> $@

########################################
#
# Runtime binary policy patching of users
#
$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	@mkdir -p $(USERPATH)
	@echo "Installing system.users"
	@echo "# " > tmp/system.users
	@echo "# Do not edit this file. " >> tmp/system.users
	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	@echo "#" >> tmp/system.users
	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \
		egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users
	$(QUIET) install -m 644 tmp/system.users $@

$(USERPATH)/local.users: local.users
	@mkdir -p $(USERPATH)
	@echo "Installing local.users"
	$(QUIET) install -C -b -m 644 $< $@

########################################
#
# Appconfig files
#
install-appconfig: $(APPFILES)

$(CONTEXTPATH)/files/media: appconfig/media
	mkdir -p $(CONTEXTPATH)/files/
	install -m 644 $< $@

$(APPDIR)/default_contexts: appconfig/default_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/removable_context: appconfig/removable_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/customizable_types: policy.conf
	mkdir -p $(APPDIR)
	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
	install -m 644 tmp/customizable_types $@ 

$(APPDIR)/default_type: appconfig/default_type
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/userhelper_context: appconfig/userhelper_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/initrc_context: appconfig/initrc_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/failsafe_context: appconfig/failsafe_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/users/root: appconfig/root_default_contexts
	mkdir -p $(APPDIR)/users
	install -m 644 $< $@

clean:
	rm -fR tmp
	rm -f policy.xml
	rm -f policy.conf
	rm -f policy.$(PV)
	rm -f $(FC)

.PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean
Commit	Line	Data
88d14a22 CP	1	#
	2	# Makefile for the security policy.
	3	#
	4	# Targets:
	5	#
	6	# install - compile and install the policy configuration, and context files.
	7	# load - compile, install, and load the policy configuration.
	8	# reload - compile, install, and load/reload the policy configuration.
	9	# relabel - relabel filesystems based on the file contexts configuration.
	10	# checklabels - check filesystems against the file context configuration
	11	# restorelabels - check filesystems against the file context configuration
	12	# and restore the label of files with incorrect labels
	13	# policy - compile the policy configuration locally for testing/development.
	14	#
	15	# The default target is 'policy'.
	16	#
	17
b4cd1533 CP	18	########################################
	19	#
	20	# Configurable portions of the Makefile
	21	#
	22
	23	# Build compatibility policies
	24	POLICYCOMPAT = -c 18
	25
	26	# set distribution
c9a26b3e	27	override M4PARAM += -D distro_redhat
b4cd1533 CP	28
	29	# Uncomment this to disable command echoing
	30	#QUIET:=@
	31
	32	########################################
	33	#
	34	# Invariant portions of the Makefile
	35	#
	36
	37	# executable paths
	38	PREFIX := /usr
	39	BINDIR := $(PREFIX)/bin
	40	SBINDIR := $(PREFIX)/sbin
	41	CHECKPOLICY := $(BINDIR)/checkpolicy
547283e2	42	LOADPOLICY := $(SBINDIR)/load_policy
b4cd1533 CP	43	SETFILES := $(SBINDIR)/setfiles
	44
	45	# determine the policy version and current kernel version if possible
	46	PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V \|cut -f 1 -d ' ')
	47	KV := $(shell cat /selinux/policyvers)
	48
	49	# dont print version warnings if we are unable to determine
	50	# the currently running kernel's policy version
	51	ifeq ($(KV),)
	52	KV := $(PV)
	53	endif
	54
	55	FC := file_contexts
	56	POLVER := policy.$(PV)
	57	TYPE := strict
	58
	59	# install paths
	60	TOPDIR = $(DESTDIR)/etc/selinux
	61	INSTALLDIR = $(TOPDIR)/$(TYPE)
	62	POLICYPATH = $(INSTALLDIR)/policy
	63	SRCPATH = $(INSTALLDIR)/src
	64	USERPATH = $(INSTALLDIR)/users
	65	CONTEXTPATH = $(INSTALLDIR)/contexts
	66	LOADPATH = $(POLICYPATH)/$(POLVER)
	67	FCPATH = $(CONTEXTPATH)/files/file_contexts
	68	HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
	69
	70	BASE_MODULE = kernel
	71	FLASKDIR = $(BASE_MODULE)/flask/
	72	MISCDIR = $(BASE_MODULE)/misc/
	73
c9a26b3e CP	74	APPDIR := $(CONTEXTPATH)
	75	APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
	76	CONTEXTFILES += $(wildcard appconfig/_context) appconfig/media
	77	USER_FILES := $(MISCDIR)/users
	78
b4cd1533	79	DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
3b3bf871	80	ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS))
b4cd1533 CP	81
	82	PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
	83	ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
	84	ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
099c8b24	85	POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use)
b4cd1533 CP	86
	87	ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
	88
f66a1af9	89	POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
b4cd1533	90
b4cd1533 CP	91	########################################
	92	#
	93	# default action: build policy locally
	94	#
	95	default: policy
	96
	97	policy: $(POLVER)
	98
c9a26b3e CP	99	install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users
	100
	101	load: tmp/load
b4cd1533 CP	102
	103	########################################
	104	#
	105	# Build a binary policy locally
	106	#
	107	$(POLVER): policy.conf
88c72f44	108	@echo "Compiling $(POLVER)"
b4cd1533 CP	109	ifneq ($(PV),$(KV))
	110	@echo
	111	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
	112	@echo
	113	endif
88c72f44	114	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
b4cd1533 CP	115
	116	########################################
	117	#
	118	# Install a binary policy
	119	#
	120	$(LOADPATH): policy.conf
	121	@mkdir -p $(POLICYPATH)
88c72f44	122	@echo "Compiling and installing $(LOADPATH)"
b4cd1533 CP	123	ifneq ($(PV),$(KV))
	124	@echo
	125	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
	126	@echo
	127	endif
88c72f44	128	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
b4cd1533	129
88d14a22 CP	130	########################################
	131	#
	132	# Load the binary policy
	133	#
	134	reload tmp/load: $(LOADPATH) $(FCPATH)
88c72f44	135	@echo "Loading $(LOADPATH)"
88d14a22 CP	136	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	137	@touch tmp/load
	138
b4cd1533 CP	139	########################################
	140	#
	141	# Construct a monolithic policy.conf
	142	#
	143	policy.conf: $(POLICY_SECTIONS)
88c72f44 CP	144	@echo "Creating policy.conf"
88c72f44 CP	145	# checkpolicy can use the #line directives provided by -s for error reporting:
c9a26b3e	146	$(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp
b4cd1533	147	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
88c72f44	148	# the ordering of these ocontexts matters:
b4cd1533 CP	149	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ \|\| true
	150	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ \|\| true
	151	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ \|\| true
	152
	153	tmp/pre_te_files.conf: $(PRE_TE_FILES)
	154	@test -d tmp \|\| mkdir -p tmp
	155	$(QUIET) cat $^ > $@
	156
	157	tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	158	@test -d tmp \|\| mkdir -p tmp
	159	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
0634b6e7	160	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
b4cd1533 CP	161	echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
	162	>> $@ ;\
	163	done
	164	$(QUIET) echo "')" >> $@
	165	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
	166	echo "define(\`$$i')" >> $@ ;\
	167	done
c9a26b3e CP	168	$(QUIET) egrep "^network_(interface\|node\|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
c9a26b3e CP	169	\| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
bd202fe1	170	\| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
88c72f44 CP	171	# this is so the xml works:
88c72f44 CP	172	$(QUIET) echo "## </module>" >> $@
b4cd1533 CP	173
	174	tmp/all_interfaces.conf: $(ALL_INTERFACES)
	175	@test -d tmp \|\| mkdir -p tmp
	176	$(QUIET) cat $^ > $@
	177
	178	tmp/all_te_files.conf: $(ALL_TE_FILES)
	179	@test -d tmp \|\| mkdir -p tmp
	180	$(QUIET) cat $^ > $@
	181
	182	tmp/post_te_files.conf: $(POST_TE_FILES)
	183	@test -d tmp \|\| mkdir -p tmp
	184	$(QUIET) cat $^ > $@
	185
	186	# extract attributes and put them first. extract post te stuff
	187	# like genfscon and put last. portcon, nodecon, and netifcon
	188	# is delayed since they are generated by m4
f66a1af9 CP	189	tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	190	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf \|\| true
	191	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
b4cd1533 CP	192	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
b4cd1533 CP	193	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
f66a1af9	194	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
b4cd1533	195
88d14a22 CP	196	########################################
	197	#
	198	# Remove the dontaudit rules from the policy.conf
	199	#
	200	enableaudit: policy.conf
	201	@test -d tmp \|\| mkdir -p tmp
	202	@echo "Removing dontaudit rules from policy.conf"
	203	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	204	$(QUIET) mv tmp/policy.audit policy.conf
	205
6d314fd3 CP	206	########################################
	207	#
	208	# Construct file_contexts
	209	#
	210	$(FC): kernel/global.if $(ALL_FC_FILES)
	211	@test -d tmp \|\| mkdir -p tmp
	212	$(QUIET) m4 $(M4PARAM) $^ > $@
	213
547283e2 CP	214	########################################
	215	#
	216	# Install file_contexts
	217	#
c9a26b3e	218	$(FCPATH): $(FC) $(USERPATH)/system.users
547283e2 CP	219	@mkdir -p $(CONTEXTPATH)/files
	220	$(QUIET) install -m 644 $(FC) $(FCPATH)
	221	# $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
	222	# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
	223
b4cd1533 CP	224	########################################
	225	#
	226	# Filesystem labeling
	227	#
88d14a22	228	FILESYSTEMS := `mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\| jfs).*rw/{print $$3}';`
b4cd1533	229
88d14a22 CP	230	checklabels: $(FC) $(SETFILES)
	231	@if test -z "$(FILESYSTEMS)"; then \
	232	echo "No filesystems with extended attributes found!" ;\
	233	false ;\
	234	fi
b4cd1533 CP	235	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
b4cd1533 CP	236
88d14a22 CP	237	restorelabels: $(FC) $(SETFILES)
	238	@if test -z "$(FILESYSTEMS)"; then \
	239	echo "No filesystems with extended attributes found!" ;\
	240	false ;\
	241	fi
b4cd1533 CP	242	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
	243
	244	relabel: $(FC) $(SETFILES)
88d14a22 CP	245	@if test -z "$(FILESYSTEMS)"; then \
	246	echo "No filesystems with extended attributes found!" ;\
	247	false ;\
	248	fi
b4cd1533 CP	249	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
b4cd1533 CP	250
6d314fd3 CP	251	########################################
	252	#
	253	# Documentation generation
	254	#
	255
	256	xml: policy.xml
	257
	258	policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
88c72f44 CP	259	@echo "Creating $@"
88c72f44 CP	260	$(QUIET) echo "<policy>" > $@
c9a26b3e	261	$(QUIET) egrep -h "^##[[:space:]]" $^ \| sed -e 's/^##[[:space:]]//g' >> $@
88c72f44	262	$(QUIET) echo "</policy>" >> $@
6d314fd3	263
c9a26b3e CP	264	########################################
	265	#
	266	# Runtime binary policy patching of users
	267	#
	268	$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	269	@mkdir -p $(USERPATH)
	270	@echo "Installing system.users"
	271	@echo "# " > tmp/system.users
	272	@echo "# Do not edit this file. " >> tmp/system.users
	273	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	274	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	275	@echo "#" >> tmp/system.users
	276	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) \| \
	277	egrep -v "^[[:space:]]*($$\|#)" >> tmp/system.users
	278	$(QUIET) install -m 644 tmp/system.users $@
	279
	280	$(USERPATH)/local.users: local.users
	281	@mkdir -p $(USERPATH)
	282	@echo "Installing local.users"
	283	$(QUIET) install -C -b -m 644 $< $@
	284
	285	########################################
	286	#
	287	# Appconfig files
	288	#
	289	install-appconfig: $(APPFILES)
	290
	291	$(CONTEXTPATH)/files/media: appconfig/media
	292	mkdir -p $(CONTEXTPATH)/files/
	293	install -m 644 $< $@
	294
	295	$(APPDIR)/default_contexts: appconfig/default_contexts
	296	mkdir -p $(APPDIR)
	297	install -m 644 $< $@
	298
	299	$(APPDIR)/removable_context: appconfig/removable_context
	300	mkdir -p $(APPDIR)
	301	install -m 644 $< $@
	302
	303	$(APPDIR)/customizable_types: policy.conf
	304	mkdir -p $(APPDIR)
	305	@grep "^type .*customizable" $< \| cut -d',' -f1 \| cut -d' ' -f2 > tmp/customizable_types
	306	install -m 644 tmp/customizable_types $@
	307
	308	$(APPDIR)/default_type: appconfig/default_type
	309	mkdir -p $(APPDIR)
	310	install -m 644 $< $@
	311
	312	$(APPDIR)/userhelper_context: appconfig/userhelper_context
	313	mkdir -p $(APPDIR)
	314	install -m 644 $< $@
	315
	316	$(APPDIR)/initrc_context: appconfig/initrc_context
	317	mkdir -p $(APPDIR)
	318	install -m 644 $< $@
	319
	320	$(APPDIR)/failsafe_context: appconfig/failsafe_context
	321	mkdir -p $(APPDIR)
	322	install -m 644 $< $@
	323
	324	$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
	325	mkdir -p $(APPDIR)
	326	install -m 644 $< $@
	327
328	$(APPDIR)/users/root: appconfig/root_default_contexts
329	mkdir -p $(APPDIR)/users
330	install -m 644 $< $@
331
b4cd1533 CP	332	clean:
b4cd1533 CP	333	rm -fR tmp
6d314fd3	334	rm -f policy.xml
b4cd1533 CP	335	rm -f policy.conf
	336	rm -f policy.$(PV)
	337	rm -f $(FC)
	338
88c72f44	339	.PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean