]>
Commit | Line | Data |
---|---|---|
88d14a22 CP |
1 | # |
2 | # Makefile for the security policy. | |
3 | # | |
4 | # Targets: | |
5 | # | |
6 | # install - compile and install the policy configuration, and context files. | |
7 | # load - compile, install, and load the policy configuration. | |
8 | # reload - compile, install, and load/reload the policy configuration. | |
9 | # relabel - relabel filesystems based on the file contexts configuration. | |
10 | # checklabels - check filesystems against the file context configuration | |
11 | # restorelabels - check filesystems against the file context configuration | |
12 | # and restore the label of files with incorrect labels | |
13 | # policy - compile the policy configuration locally for testing/development. | |
14 | # | |
15 | # The default target is 'policy'. | |
16 | # | |
17 | ||
b4cd1533 CP |
18 | ######################################## |
19 | # | |
20 | # Configurable portions of the Makefile | |
21 | # | |
22 | ||
23 | # Build compatibility policies | |
24 | POLICYCOMPAT = -c 18 | |
25 | ||
26 | # set distribution | |
c9a26b3e | 27 | override M4PARAM += -D distro_redhat |
b4cd1533 CP |
28 | |
29 | # Uncomment this to disable command echoing | |
30 | #QUIET:=@ | |
31 | ||
32 | ######################################## | |
33 | # | |
34 | # Invariant portions of the Makefile | |
35 | # | |
36 | ||
37 | # executable paths | |
38 | PREFIX := /usr | |
39 | BINDIR := $(PREFIX)/bin | |
40 | SBINDIR := $(PREFIX)/sbin | |
41 | CHECKPOLICY := $(BINDIR)/checkpolicy | |
547283e2 | 42 | LOADPOLICY := $(SBINDIR)/load_policy |
b4cd1533 CP |
43 | SETFILES := $(SBINDIR)/setfiles |
44 | ||
45 | # determine the policy version and current kernel version if possible | |
46 | PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') | |
47 | KV := $(shell cat /selinux/policyvers) | |
48 | ||
49 | # dont print version warnings if we are unable to determine | |
50 | # the currently running kernel's policy version | |
51 | ifeq ($(KV),) | |
52 | KV := $(PV) | |
53 | endif | |
54 | ||
55 | FC := file_contexts | |
56 | POLVER := policy.$(PV) | |
57 | TYPE := strict | |
58 | ||
59 | # install paths | |
60 | TOPDIR = $(DESTDIR)/etc/selinux | |
61 | INSTALLDIR = $(TOPDIR)/$(TYPE) | |
62 | POLICYPATH = $(INSTALLDIR)/policy | |
63 | SRCPATH = $(INSTALLDIR)/src | |
64 | USERPATH = $(INSTALLDIR)/users | |
65 | CONTEXTPATH = $(INSTALLDIR)/contexts | |
66 | LOADPATH = $(POLICYPATH)/$(POLVER) | |
67 | FCPATH = $(CONTEXTPATH)/files/file_contexts | |
68 | HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template | |
69 | ||
70 | BASE_MODULE = kernel | |
71 | FLASKDIR = $(BASE_MODULE)/flask/ | |
72 | MISCDIR = $(BASE_MODULE)/misc/ | |
73 | ||
c9a26b3e CP |
74 | APPDIR := $(CONTEXTPATH) |
75 | APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media | |
76 | CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media | |
77 | USER_FILES := $(MISCDIR)/users | |
78 | ||
b4cd1533 | 79 | DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) |
3b3bf871 | 80 | ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS)) |
b4cd1533 CP |
81 | |
82 | PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) | |
83 | ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if)) | |
84 | ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te)) | |
099c8b24 | 85 | POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use) |
b4cd1533 CP |
86 | |
87 | ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc)) | |
88 | ||
f66a1af9 | 89 | POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf |
b4cd1533 | 90 | |
b4cd1533 CP |
91 | ######################################## |
92 | # | |
93 | # default action: build policy locally | |
94 | # | |
95 | default: policy | |
96 | ||
97 | policy: $(POLVER) | |
98 | ||
c9a26b3e CP |
99 | install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users |
100 | ||
101 | load: tmp/load | |
b4cd1533 CP |
102 | |
103 | ######################################## | |
104 | # | |
105 | # Build a binary policy locally | |
106 | # | |
107 | $(POLVER): policy.conf | |
88c72f44 | 108 | @echo "Compiling $(POLVER)" |
b4cd1533 CP |
109 | ifneq ($(PV),$(KV)) |
110 | @echo | |
111 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
112 | @echo | |
113 | endif | |
88c72f44 | 114 | $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@ |
b4cd1533 CP |
115 | |
116 | ######################################## | |
117 | # | |
118 | # Install a binary policy | |
119 | # | |
120 | $(LOADPATH): policy.conf | |
121 | @mkdir -p $(POLICYPATH) | |
88c72f44 | 122 | @echo "Compiling and installing $(LOADPATH)" |
b4cd1533 CP |
123 | ifneq ($(PV),$(KV)) |
124 | @echo | |
125 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
126 | @echo | |
127 | endif | |
88c72f44 | 128 | $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@ |
b4cd1533 | 129 | |
88d14a22 CP |
130 | ######################################## |
131 | # | |
132 | # Load the binary policy | |
133 | # | |
134 | reload tmp/load: $(LOADPATH) $(FCPATH) | |
88c72f44 | 135 | @echo "Loading $(LOADPATH)" |
88d14a22 CP |
136 | $(QUIET) $(LOADPOLICY) -q $(LOADPATH) |
137 | @touch tmp/load | |
138 | ||
b4cd1533 CP |
139 | ######################################## |
140 | # | |
141 | # Construct a monolithic policy.conf | |
142 | # | |
143 | policy.conf: $(POLICY_SECTIONS) | |
88c72f44 CP |
144 | @echo "Creating policy.conf" |
145 | # checkpolicy can use the #line directives provided by -s for error reporting: | |
c9a26b3e | 146 | $(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp |
b4cd1533 | 147 | $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ |
88c72f44 | 148 | # the ordering of these ocontexts matters: |
b4cd1533 CP |
149 | $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true |
150 | $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true | |
151 | $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true | |
152 | ||
153 | tmp/pre_te_files.conf: $(PRE_TE_FILES) | |
154 | @test -d tmp || mkdir -p tmp | |
155 | $(QUIET) cat $^ > $@ | |
156 | ||
157 | tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te | |
158 | @test -d tmp || mkdir -p tmp | |
159 | $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ | |
0634b6e7 | 160 | $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \ |
b4cd1533 CP |
161 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ |
162 | >> $@ ;\ | |
163 | done | |
164 | $(QUIET) echo "')" >> $@ | |
165 | $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ | |
166 | echo "define(\`$$i')" >> $@ ;\ | |
167 | done | |
c9a26b3e CP |
168 | $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \ |
169 | | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \ | |
bd202fe1 | 170 | | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ |
88c72f44 CP |
171 | # this is so the xml works: |
172 | $(QUIET) echo "## </module>" >> $@ | |
b4cd1533 CP |
173 | |
174 | tmp/all_interfaces.conf: $(ALL_INTERFACES) | |
175 | @test -d tmp || mkdir -p tmp | |
176 | $(QUIET) cat $^ > $@ | |
177 | ||
178 | tmp/all_te_files.conf: $(ALL_TE_FILES) | |
179 | @test -d tmp || mkdir -p tmp | |
180 | $(QUIET) cat $^ > $@ | |
181 | ||
182 | tmp/post_te_files.conf: $(POST_TE_FILES) | |
183 | @test -d tmp || mkdir -p tmp | |
184 | $(QUIET) cat $^ > $@ | |
185 | ||
186 | # extract attributes and put them first. extract post te stuff | |
187 | # like genfscon and put last. portcon, nodecon, and netifcon | |
188 | # is delayed since they are generated by m4 | |
f66a1af9 CP |
189 | tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf |
190 | $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true | |
191 | $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf | |
b4cd1533 CP |
192 | $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf |
193 | $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true | |
f66a1af9 | 194 | $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf |
b4cd1533 | 195 | |
88d14a22 CP |
196 | ######################################## |
197 | # | |
198 | # Remove the dontaudit rules from the policy.conf | |
199 | # | |
200 | enableaudit: policy.conf | |
201 | @test -d tmp || mkdir -p tmp | |
202 | @echo "Removing dontaudit rules from policy.conf" | |
203 | $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit | |
204 | $(QUIET) mv tmp/policy.audit policy.conf | |
205 | ||
6d314fd3 CP |
206 | ######################################## |
207 | # | |
208 | # Construct file_contexts | |
209 | # | |
210 | $(FC): kernel/global.if $(ALL_FC_FILES) | |
211 | @test -d tmp || mkdir -p tmp | |
212 | $(QUIET) m4 $(M4PARAM) $^ > $@ | |
213 | ||
547283e2 CP |
214 | ######################################## |
215 | # | |
216 | # Install file_contexts | |
217 | # | |
c9a26b3e | 218 | $(FCPATH): $(FC) $(USERPATH)/system.users |
547283e2 CP |
219 | @mkdir -p $(CONTEXTPATH)/files |
220 | $(QUIET) install -m 644 $(FC) $(FCPATH) | |
221 | # $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) | |
222 | # $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) | |
223 | ||
b4cd1533 CP |
224 | ######################################## |
225 | # | |
226 | # Filesystem labeling | |
227 | # | |
88d14a22 | 228 | FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` |
b4cd1533 | 229 | |
88d14a22 CP |
230 | checklabels: $(FC) $(SETFILES) |
231 | @if test -z "$(FILESYSTEMS)"; then \ | |
232 | echo "No filesystems with extended attributes found!" ;\ | |
233 | false ;\ | |
234 | fi | |
b4cd1533 CP |
235 | $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) |
236 | ||
88d14a22 CP |
237 | restorelabels: $(FC) $(SETFILES) |
238 | @if test -z "$(FILESYSTEMS)"; then \ | |
239 | echo "No filesystems with extended attributes found!" ;\ | |
240 | false ;\ | |
241 | fi | |
b4cd1533 CP |
242 | $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) |
243 | ||
244 | relabel: $(FC) $(SETFILES) | |
88d14a22 CP |
245 | @if test -z "$(FILESYSTEMS)"; then \ |
246 | echo "No filesystems with extended attributes found!" ;\ | |
247 | false ;\ | |
248 | fi | |
b4cd1533 CP |
249 | $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) |
250 | ||
6d314fd3 CP |
251 | ######################################## |
252 | # | |
253 | # Documentation generation | |
254 | # | |
255 | ||
256 | xml: policy.xml | |
257 | ||
258 | policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf | |
88c72f44 CP |
259 | @echo "Creating $@" |
260 | $(QUIET) echo "<policy>" > $@ | |
c9a26b3e | 261 | $(QUIET) egrep -h "^##[[:space:]]" $^ | sed -e 's/^##[[:space:]]//g' >> $@ |
88c72f44 | 262 | $(QUIET) echo "</policy>" >> $@ |
6d314fd3 | 263 | |
c9a26b3e CP |
264 | ######################################## |
265 | # | |
266 | # Runtime binary policy patching of users | |
267 | # | |
268 | $(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf | |
269 | @mkdir -p $(USERPATH) | |
270 | @echo "Installing system.users" | |
271 | @echo "# " > tmp/system.users | |
272 | @echo "# Do not edit this file. " >> tmp/system.users | |
273 | @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users | |
274 | @echo "# Please edit local.users to make local changes." >> tmp/system.users | |
275 | @echo "#" >> tmp/system.users | |
276 | $(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \ | |
277 | egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users | |
278 | $(QUIET) install -m 644 tmp/system.users $@ | |
279 | ||
280 | $(USERPATH)/local.users: local.users | |
281 | @mkdir -p $(USERPATH) | |
282 | @echo "Installing local.users" | |
283 | $(QUIET) install -C -b -m 644 $< $@ | |
284 | ||
285 | ######################################## | |
286 | # | |
287 | # Appconfig files | |
288 | # | |
289 | install-appconfig: $(APPFILES) | |
290 | ||
291 | $(CONTEXTPATH)/files/media: appconfig/media | |
292 | mkdir -p $(CONTEXTPATH)/files/ | |
293 | install -m 644 $< $@ | |
294 | ||
295 | $(APPDIR)/default_contexts: appconfig/default_contexts | |
296 | mkdir -p $(APPDIR) | |
297 | install -m 644 $< $@ | |
298 | ||
299 | $(APPDIR)/removable_context: appconfig/removable_context | |
300 | mkdir -p $(APPDIR) | |
301 | install -m 644 $< $@ | |
302 | ||
303 | $(APPDIR)/customizable_types: policy.conf | |
304 | mkdir -p $(APPDIR) | |
305 | @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types | |
306 | install -m 644 tmp/customizable_types $@ | |
307 | ||
308 | $(APPDIR)/default_type: appconfig/default_type | |
309 | mkdir -p $(APPDIR) | |
310 | install -m 644 $< $@ | |
311 | ||
312 | $(APPDIR)/userhelper_context: appconfig/userhelper_context | |
313 | mkdir -p $(APPDIR) | |
314 | install -m 644 $< $@ | |
315 | ||
316 | $(APPDIR)/initrc_context: appconfig/initrc_context | |
317 | mkdir -p $(APPDIR) | |
318 | install -m 644 $< $@ | |
319 | ||
320 | $(APPDIR)/failsafe_context: appconfig/failsafe_context | |
321 | mkdir -p $(APPDIR) | |
322 | install -m 644 $< $@ | |
323 | ||
324 | $(APPDIR)/dbus_contexts: appconfig/dbus_contexts | |
325 | mkdir -p $(APPDIR) | |
326 | install -m 644 $< $@ | |
327 | ||
328 | $(APPDIR)/users/root: appconfig/root_default_contexts | |
329 | mkdir -p $(APPDIR)/users | |
330 | install -m 644 $< $@ | |
331 | ||
b4cd1533 CP |
332 | clean: |
333 | rm -fR tmp | |
6d314fd3 | 334 | rm -f policy.xml |
b4cd1533 CP |
335 | rm -f policy.conf |
336 | rm -f policy.$(PV) | |
337 | rm -f $(FC) | |
338 | ||
88c72f44 | 339 | .PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean |