[people/stevee/selinux-policy.git] / refpolicy / Makefile

#
# Makefile for the security policy.
#
# Targets:
# 
# install       - compile and install the policy configuration, and context files.
# load          - compile, install, and load the policy configuration.
# reload        - compile, install, and load/reload the policy configuration.
# relabel       - relabel filesystems based on the file contexts configuration.
# checklabels   - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
#                 and restore the label of files with incorrect labels
# policy        - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#

########################################
#
# Configurable portions of the Makefile
#

# Build compatibility policies 
POLICYCOMPAT = -c 18

# set distribution
#override M4PARAM += -D distro_redhat

# Uncomment this to disable command echoing
#QUIET:=@

########################################
#
# Invariant portions of the Makefile
#

# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
SETFILES := $(SBINDIR)/setfiles

# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
KV := $(PV)
endif

FC := file_contexts
POLVER := policy.$(PV)
TYPE := strict

# install paths
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/

DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))

PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)

ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))

POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf

override M4PARAM += -D monolithic_policy

########################################
#
# default action: build policy locally
#
default: policy

policy: $(POLVER)

install: $(LOADPATH)

########################################
#
# Build a binary policy locally
#
$(POLVER): policy.conf
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER)

########################################
#
# Install a binary policy
#
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)

########################################
#
# Load the binary policy
#
reload tmp/load: $(LOADPATH) $(FCPATH)
	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	@touch tmp/load

load: tmp/load

########################################
#
# Construct a monolithic policy.conf
#
policy.conf: $(POLICY_SECTIONS)
	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
	$(QUIET) # the ordering of these ocontexts matters:
	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true

tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(ALL_MODULES); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@

tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/post_te_files.conf: $(POST_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.  portcon, nodecon, and netifcon
# is delayed since they are generated by m4
tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf

########################################
#
# Construct file_contexts
#
$(FC): $(ALL_FC_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@

########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
	@test -d tmp || mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	$(QUIET) mv tmp/policy.audit policy.conf

########################################
#
# Filesystem labeling
#
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

checklabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)

clean:
	rm -fR tmp
	rm -f policy.conf
	rm -f policy.$(PV)
	rm -f $(FC)

.PHONY: default clean policy install
Commit	Line	Data
88d14a22 CP	1	#
	2	# Makefile for the security policy.
	3	#
	4	# Targets:
	5	#
	6	# install - compile and install the policy configuration, and context files.
	7	# load - compile, install, and load the policy configuration.
	8	# reload - compile, install, and load/reload the policy configuration.
	9	# relabel - relabel filesystems based on the file contexts configuration.
	10	# checklabels - check filesystems against the file context configuration
	11	# restorelabels - check filesystems against the file context configuration
	12	# and restore the label of files with incorrect labels
	13	# policy - compile the policy configuration locally for testing/development.
	14	#
	15	# The default target is 'policy'.
	16	#
	17
b4cd1533 CP	18	########################################
	19	#
	20	# Configurable portions of the Makefile
	21	#
	22
	23	# Build compatibility policies
	24	POLICYCOMPAT = -c 18
	25
	26	# set distribution
	27	#override M4PARAM += -D distro_redhat
	28
	29	# Uncomment this to disable command echoing
	30	#QUIET:=@
	31
	32	########################################
	33	#
	34	# Invariant portions of the Makefile
	35	#
	36
	37	# executable paths
	38	PREFIX := /usr
	39	BINDIR := $(PREFIX)/bin
	40	SBINDIR := $(PREFIX)/sbin
	41	CHECKPOLICY := $(BINDIR)/checkpolicy
	42	SETFILES := $(SBINDIR)/setfiles
	43
	44	# determine the policy version and current kernel version if possible
	45	PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V \|cut -f 1 -d ' ')
	46	KV := $(shell cat /selinux/policyvers)
	47
	48	# dont print version warnings if we are unable to determine
	49	# the currently running kernel's policy version
	50	ifeq ($(KV),)
	51	KV := $(PV)
	52	endif
	53
	54	FC := file_contexts
	55	POLVER := policy.$(PV)
	56	TYPE := strict
	57
	58	# install paths
	59	TOPDIR = $(DESTDIR)/etc/selinux
	60	INSTALLDIR = $(TOPDIR)/$(TYPE)
	61	POLICYPATH = $(INSTALLDIR)/policy
	62	SRCPATH = $(INSTALLDIR)/src
	63	USERPATH = $(INSTALLDIR)/users
	64	CONTEXTPATH = $(INSTALLDIR)/contexts
	65	LOADPATH = $(POLICYPATH)/$(POLVER)
	66	FCPATH = $(CONTEXTPATH)/files/file_contexts
	67	HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
	68
	69	BASE_MODULE = kernel
	70	FLASKDIR = $(BASE_MODULE)/flask/
	71	MISCDIR = $(BASE_MODULE)/misc/
	72
	73	DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
	74	ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))
	75
	76	PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
	77	ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
	78	ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
	79	POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)
	80
	81	ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
82
83	POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
84
85	override M4PARAM += -D monolithic_policy
86
87	########################################
88	#
89	# default action: build policy locally
90	#
91	default: policy
92
93	policy: $(POLVER)
94
95	install: $(LOADPATH)
96
97	########################################
98	#
99	# Build a binary policy locally
100	#
101	$(POLVER): policy.conf
102	ifneq ($(PV),$(KV))
103	@echo
104	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
105	@echo
106	endif
107	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER)
108
109	########################################
110	#
111	# Install a binary policy
112	#
113	$(LOADPATH): policy.conf
114	@mkdir -p $(POLICYPATH)
115	ifneq ($(PV),$(KV))
116	@echo
117	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
118	@echo
119	endif
120	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
121
88d14a22 CP	122	########################################
	123	#
	124	# Load the binary policy
	125	#
	126	reload tmp/load: $(LOADPATH) $(FCPATH)
	127	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	128	@touch tmp/load
	129
	130	load: tmp/load
	131
b4cd1533 CP	132	########################################
	133	#
	134	# Construct a monolithic policy.conf
	135	#
	136	policy.conf: $(POLICY_SECTIONS)
	137	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
	138	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
	139	$(QUIET) # the ordering of these ocontexts matters:
	140	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ \|\| true
	141	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ \|\| true
	142	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ \|\| true
	143
	144	tmp/pre_te_files.conf: $(PRE_TE_FILES)
	145	@test -d tmp \|\| mkdir -p tmp
	146	$(QUIET) cat $^ > $@
	147
	148	tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	149	@test -d tmp \|\| mkdir -p tmp
	150	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	151	$(QUIET) for i in $(ALL_MODULES); do \
	152	echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
	153	>> $@ ;\
	154	done
	155	$(QUIET) echo "')" >> $@
	156	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
	157	echo "define(\`$$i')" >> $@ ;\
	158	done
	159	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
	160	\| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
	161
	162	tmp/all_interfaces.conf: $(ALL_INTERFACES)
	163	@test -d tmp \|\| mkdir -p tmp
	164	$(QUIET) cat $^ > $@
	165
	166	tmp/all_te_files.conf: $(ALL_TE_FILES)
	167	@test -d tmp \|\| mkdir -p tmp
	168	$(QUIET) cat $^ > $@
	169
	170	tmp/post_te_files.conf: $(POST_TE_FILES)
	171	@test -d tmp \|\| mkdir -p tmp
	172	$(QUIET) cat $^ > $@
	173
	174	# extract attributes and put them first. extract post te stuff
	175	# like genfscon and put last. portcon, nodecon, and netifcon
	176	# is delayed since they are generated by m4
	177	tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	178	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf \|\| true
	179	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	180	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
	181	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
	182
	183	########################################
	184	#
	185	# Construct file_contexts
	186	#
	187	$(FC): $(ALL_FC_FILES)
	188	@test -d tmp \|\| mkdir -p tmp
	189	$(QUIET) m4 $(M4PARAM) $^ > $@
	190
88d14a22 CP	191	########################################
	192	#
	193	# Remove the dontaudit rules from the policy.conf
	194	#
	195	enableaudit: policy.conf
	196	@test -d tmp \|\| mkdir -p tmp
	197	@echo "Removing dontaudit rules from policy.conf"
	198	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	199	$(QUIET) mv tmp/policy.audit policy.conf
	200
b4cd1533 CP	201	########################################
	202	#
	203	# Filesystem labeling
	204	#
88d14a22	205	FILESYSTEMS := `mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\| jfs).*rw/{print $$3}';`
b4cd1533	206
88d14a22 CP	207	checklabels: $(FC) $(SETFILES)
	208	@if test -z "$(FILESYSTEMS)"; then \
	209	echo "No filesystems with extended attributes found!" ;\
	210	false ;\
	211	fi
b4cd1533 CP	212	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
b4cd1533 CP	213
88d14a22 CP	214	restorelabels: $(FC) $(SETFILES)
	215	@if test -z "$(FILESYSTEMS)"; then \
	216	echo "No filesystems with extended attributes found!" ;\
	217	false ;\
	218	fi
b4cd1533 CP	219	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
	220
	221	relabel: $(FC) $(SETFILES)
88d14a22 CP	222	@if test -z "$(FILESYSTEMS)"; then \
	223	echo "No filesystems with extended attributes found!" ;\
	224	false ;\
	225	fi
b4cd1533 CP	226	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
	227
	228	clean:
	229	rm -fR tmp
	230	rm -f policy.conf
	231	rm -f policy.$(PV)
	232	rm -f $(FC)
	233
	234	.PHONY: default clean policy install