]>
Commit | Line | Data |
---|---|---|
88d14a22 CP |
1 | # |
2 | # Makefile for the security policy. | |
3 | # | |
4 | # Targets: | |
5 | # | |
6 | # install - compile and install the policy configuration, and context files. | |
7 | # load - compile, install, and load the policy configuration. | |
8 | # reload - compile, install, and load/reload the policy configuration. | |
9 | # relabel - relabel filesystems based on the file contexts configuration. | |
10 | # checklabels - check filesystems against the file context configuration | |
11 | # restorelabels - check filesystems against the file context configuration | |
12 | # and restore the label of files with incorrect labels | |
13 | # policy - compile the policy configuration locally for testing/development. | |
14 | # | |
15 | # The default target is 'policy'. | |
16 | # | |
17 | ||
b4cd1533 CP |
18 | ######################################## |
19 | # | |
20 | # Configurable portions of the Makefile | |
21 | # | |
22 | ||
23 | # Build compatibility policies | |
24 | POLICYCOMPAT = -c 18 | |
25 | ||
26 | # set distribution | |
27 | #override M4PARAM += -D distro_redhat | |
28 | ||
29 | # Uncomment this to disable command echoing | |
30 | #QUIET:=@ | |
31 | ||
32 | ######################################## | |
33 | # | |
34 | # Invariant portions of the Makefile | |
35 | # | |
36 | ||
37 | # executable paths | |
38 | PREFIX := /usr | |
39 | BINDIR := $(PREFIX)/bin | |
40 | SBINDIR := $(PREFIX)/sbin | |
41 | CHECKPOLICY := $(BINDIR)/checkpolicy | |
42 | SETFILES := $(SBINDIR)/setfiles | |
43 | ||
44 | # determine the policy version and current kernel version if possible | |
45 | PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') | |
46 | KV := $(shell cat /selinux/policyvers) | |
47 | ||
48 | # dont print version warnings if we are unable to determine | |
49 | # the currently running kernel's policy version | |
50 | ifeq ($(KV),) | |
51 | KV := $(PV) | |
52 | endif | |
53 | ||
54 | FC := file_contexts | |
55 | POLVER := policy.$(PV) | |
56 | TYPE := strict | |
57 | ||
58 | # install paths | |
59 | TOPDIR = $(DESTDIR)/etc/selinux | |
60 | INSTALLDIR = $(TOPDIR)/$(TYPE) | |
61 | POLICYPATH = $(INSTALLDIR)/policy | |
62 | SRCPATH = $(INSTALLDIR)/src | |
63 | USERPATH = $(INSTALLDIR)/users | |
64 | CONTEXTPATH = $(INSTALLDIR)/contexts | |
65 | LOADPATH = $(POLICYPATH)/$(POLVER) | |
66 | FCPATH = $(CONTEXTPATH)/files/file_contexts | |
67 | HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template | |
68 | ||
69 | BASE_MODULE = kernel | |
70 | FLASKDIR = $(BASE_MODULE)/flask/ | |
71 | MISCDIR = $(BASE_MODULE)/misc/ | |
72 | ||
73 | DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) | |
74 | ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS)) | |
75 | ||
76 | PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) | |
77 | ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if)) | |
78 | ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te)) | |
79 | POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts) | |
80 | ||
81 | ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc)) | |
82 | ||
83 | POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf | |
84 | ||
85 | override M4PARAM += -D monolithic_policy | |
86 | ||
87 | ######################################## | |
88 | # | |
89 | # default action: build policy locally | |
90 | # | |
91 | default: policy | |
92 | ||
93 | policy: $(POLVER) | |
94 | ||
95 | install: $(LOADPATH) | |
96 | ||
97 | ######################################## | |
98 | # | |
99 | # Build a binary policy locally | |
100 | # | |
101 | $(POLVER): policy.conf | |
102 | ifneq ($(PV),$(KV)) | |
103 | @echo | |
104 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
105 | @echo | |
106 | endif | |
107 | $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER) | |
108 | ||
109 | ######################################## | |
110 | # | |
111 | # Install a binary policy | |
112 | # | |
113 | $(LOADPATH): policy.conf | |
114 | @mkdir -p $(POLICYPATH) | |
115 | ifneq ($(PV),$(KV)) | |
116 | @echo | |
117 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
118 | @echo | |
119 | endif | |
120 | $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH) | |
121 | ||
88d14a22 CP |
122 | ######################################## |
123 | # | |
124 | # Load the binary policy | |
125 | # | |
126 | reload tmp/load: $(LOADPATH) $(FCPATH) | |
127 | $(QUIET) $(LOADPOLICY) -q $(LOADPATH) | |
128 | @touch tmp/load | |
129 | ||
130 | load: tmp/load | |
131 | ||
b4cd1533 CP |
132 | ######################################## |
133 | # | |
134 | # Construct a monolithic policy.conf | |
135 | # | |
136 | policy.conf: $(POLICY_SECTIONS) | |
137 | $(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp | |
138 | $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ | |
139 | $(QUIET) # the ordering of these ocontexts matters: | |
140 | $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true | |
141 | $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true | |
142 | $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true | |
143 | ||
144 | tmp/pre_te_files.conf: $(PRE_TE_FILES) | |
145 | @test -d tmp || mkdir -p tmp | |
146 | $(QUIET) cat $^ > $@ | |
147 | ||
148 | tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te | |
149 | @test -d tmp || mkdir -p tmp | |
150 | $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ | |
151 | $(QUIET) for i in $(ALL_MODULES); do \ | |
152 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ | |
153 | >> $@ ;\ | |
154 | done | |
155 | $(QUIET) echo "')" >> $@ | |
156 | $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ | |
157 | echo "define(\`$$i')" >> $@ ;\ | |
158 | done | |
159 | $(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \ | |
160 | | sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@ | |
161 | ||
162 | tmp/all_interfaces.conf: $(ALL_INTERFACES) | |
163 | @test -d tmp || mkdir -p tmp | |
164 | $(QUIET) cat $^ > $@ | |
165 | ||
166 | tmp/all_te_files.conf: $(ALL_TE_FILES) | |
167 | @test -d tmp || mkdir -p tmp | |
168 | $(QUIET) cat $^ > $@ | |
169 | ||
170 | tmp/post_te_files.conf: $(POST_TE_FILES) | |
171 | @test -d tmp || mkdir -p tmp | |
172 | $(QUIET) cat $^ > $@ | |
173 | ||
174 | # extract attributes and put them first. extract post te stuff | |
175 | # like genfscon and put last. portcon, nodecon, and netifcon | |
176 | # is delayed since they are generated by m4 | |
177 | tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf | |
178 | $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true | |
179 | $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf | |
180 | $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true | |
181 | $(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf | |
182 | ||
183 | ######################################## | |
184 | # | |
185 | # Construct file_contexts | |
186 | # | |
187 | $(FC): $(ALL_FC_FILES) | |
188 | @test -d tmp || mkdir -p tmp | |
189 | $(QUIET) m4 $(M4PARAM) $^ > $@ | |
190 | ||
88d14a22 CP |
191 | ######################################## |
192 | # | |
193 | # Remove the dontaudit rules from the policy.conf | |
194 | # | |
195 | enableaudit: policy.conf | |
196 | @test -d tmp || mkdir -p tmp | |
197 | @echo "Removing dontaudit rules from policy.conf" | |
198 | $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit | |
199 | $(QUIET) mv tmp/policy.audit policy.conf | |
200 | ||
b4cd1533 CP |
201 | ######################################## |
202 | # | |
203 | # Filesystem labeling | |
204 | # | |
88d14a22 | 205 | FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` |
b4cd1533 | 206 | |
88d14a22 CP |
207 | checklabels: $(FC) $(SETFILES) |
208 | @if test -z "$(FILESYSTEMS)"; then \ | |
209 | echo "No filesystems with extended attributes found!" ;\ | |
210 | false ;\ | |
211 | fi | |
b4cd1533 CP |
212 | $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) |
213 | ||
88d14a22 CP |
214 | restorelabels: $(FC) $(SETFILES) |
215 | @if test -z "$(FILESYSTEMS)"; then \ | |
216 | echo "No filesystems with extended attributes found!" ;\ | |
217 | false ;\ | |
218 | fi | |
b4cd1533 CP |
219 | $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) |
220 | ||
221 | relabel: $(FC) $(SETFILES) | |
88d14a22 CP |
222 | @if test -z "$(FILESYSTEMS)"; then \ |
223 | echo "No filesystems with extended attributes found!" ;\ | |
224 | false ;\ | |
225 | fi | |
b4cd1533 CP |
226 | $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) |
227 | ||
228 | clean: | |
229 | rm -fR tmp | |
230 | rm -f policy.conf | |
231 | rm -f policy.$(PV) | |
232 | rm -f $(FC) | |
233 | ||
234 | .PHONY: default clean policy install |