Commit | Line | Data |
---|---|---|
885b83ec | 1 | |
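# Helper tools. Each name is resolved through PATH and may be overridden from
# the command line or the environment, so a privileged run (for example
# `make load` as root) uses whatever these resolve to in that environment.
AWK ?= gawk
INSTALL ?= install
M4 ?= m4
SED ?= sed
EINFO ?= echo
PYTHON ?= python
CUT ?= cut

# Policy name: read from SELINUXTYPE in /etc/selinux/config unless the caller
# already supplied NAME. The origin test is the same condition `?=` applies,
# but the simple (:=) assignment runs awk once at parse time instead of on
# every expansion of $(NAME) and $(HEADERDIR).
ifeq ($(origin NAME),undefined)
NAME := $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
endif
SHAREDIR ?= /usr/share/selinux
HEADERDIR ?= $(SHAREDIR)/$(NAME)/include

# build.conf is parsed as makefile text, so the contents of $(HEADERDIR) are
# trusted build input.
include $(HEADERDIR)/build.conf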
16 | ||
# SELinux toolchain and xmllint, pinned to absolute paths under $(PREFIX)
# rather than looked up through PATH.
PREFIX      := /usr
BINDIR      := $(PREFIX)/bin
SBINDIR     := $(PREFIX)/sbin
CHECKMODULE := $(BINDIR)/checkmodule
SEMODULE    := $(SBINDIR)/semodule
SEMOD_PKG   := $(BINDIR)/semodule_package
XMLLINT     := $(BINDIR)/xmllint

# Build options; each default applies only when nothing set the variable
# earlier (build.conf, the environment or the command line).
TYPE          ?= strict
DIRECT_INITRC ?= n
POLY          ?= n
QUIET         ?= y

# XML generator shipped with the policy headers.
genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py

# Documentation inputs and outputs.
docs    := doc
polxml  := $(docs)/policy.xml
xmldtd  := $(HEADERDIR)/support/policy.dtd
metaxml := metadata.xml

# Recursive (=) on purpose: expanded where used, so they follow HEADERDIR.
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
41 | ||
# Translate the build options into m4 defines and compiler flags. TYPE is
# matched by substring, so one value such as "strict-mls" selects several of
# the branches below.

# strict policy
ifneq (,$(findstring strict,$(TYPE)))
  M4PARAM += -D strict_policy
endif

# targeted policy
ifneq (,$(findstring targeted,$(TYPE)))
  M4PARAM += -D targeted_policy
endif

# MLS: define enable_mls and pass -M to checkpolicy/checkmodule
ifneq (,$(findstring -mls,$(TYPE)))
  M4PARAM += -D enable_mls
  CHECKPOLICY += -M
  CHECKMODULE += -M
endif

# MCS: define enable_mcs; the compilers get the same -M flag as for MLS
ifneq (,$(findstring -mcs,$(TYPE)))
  M4PARAM += -D enable_mcs
  CHECKPOLICY += -M
  CHECKMODULE += -M
endif

# distribution-specific policy; $(DISTRO) is pasted into the macro name as-is
ifneq (,$(DISTRO))
  M4PARAM += -D distro_$(DISTRO)
endif

ifeq (y,$(DIRECT_INITRC))
  M4PARAM += -D direct_sysadm_daemon
endif

# default MLS/MCS sensitivity and category counts
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256

# QUIET=y prefixes recipe lines with @ so the commands are not echoed
ifeq (y,$(QUIET))
  verbose := @
endif

M4PARAM += -D hide_broken_symptoms \
	-D mls_num_sens=$(MLS_SENS) \
	-D mls_num_cats=$(MLS_CATS) \
	-D mcs_num_cats=$(MCS_CATS)
885b83ec CP |
85 | |
# policy headers: m4 support macros shipped with the installed headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt)

# Header layers are the directories directly under $(HEADERDIR), minus support/.
header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
header_xml := $(patsubst %,%.xml,$(header_layers))
header_interfaces := $(wildcard $(addsuffix /*.if,$(header_layers)))

rolemap := $(HEADERDIR)/rolemap

# Local layers are the directories of the current working directory, minus
# CVS, tmp and the documentation output directory.
local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
local_xml := $(patsubst %,tmp/%.xml,$(local_layers))

all_layer_names := $(sort $(notdir $(header_layers) $(local_layers)))

# Every .te file in the working directory or in a local layer is treated as a
# module to build; the tree being built is therefore trusted input.
3rd_party_mods := $(wildcard *.te)
detected_mods := $(3rd_party_mods) $(wildcard $(addsuffix /*.te,$(local_layers)))

detected_ifs := $(patsubst %.te,%.if,$(detected_mods))
detected_fcs := $(patsubst %.te,%.fc,$(detected_mods))
all_packages := $(notdir $(patsubst %.te,%.pp,$(detected_mods)))

# figure out what modules we may want to reload
# Recursive (=) definitions: `semodule -l` runs only when one of these is
# expanded, which in this file happens in the refresh recipe.
loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
sys_mods = $(wildcard $(SHAREDIR)/$(NAME)/*.pp)
match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
match_loc = $(filter $(all_packages),$(loaded_mods))

# Let the pattern rules find module sources inside the local layers.
vpath %.te $(local_layers)
vpath %.if $(local_layers)
vpath %.fc $(local_layers)
885b83ec | 116 | |
885b83ec CP |
117 | ######################################## |
118 | # | |
119 | # Functions | |
120 | # | |
121 | ||
# parse-rolemap-compat modulename,outputfile
#
# Runs the rolemap through m4 and, for every line that starts with a letter
# (after optional blanks), appends to outputfile a gen_require() plus a call
# to <modulename>_per_userdomain_template built from the line's three fields.
# The module name is pasted into the awk program text without quoting.
define parse-rolemap-compat
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
	$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$(1)_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $(2)
endef
127 | ||
# parse-rolemap modulename,outputfile
#
# Same processing as parse-rolemap-compat, except that the generated call is
# <modulename>_per_role_template. Output is appended to outputfile.
define parse-rolemap
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
	$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$(1)_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $(2)
endef
133 | ||
# peruser-expansion modulename,outputfile
#
# Writes outputfile from scratch as two m4 ifdef() blocks:
#   1. if <modulename>_per_role_template is defined, the calls produced by
#      parse-rolemap;
#   2. if the old <modulename>_per_userdomain_template name is defined, an
#      errprint() rename warning followed by the calls produced by
#      parse-rolemap-compat.
# The first echo truncates outputfile (>); everything after it appends (>>).
define peruser-expansion
	$(verbose) echo "ifdef(\`$(1)_per_role_template',\`" > $(2)
	$(call parse-rolemap,$(1),$(2))
	$(verbose) echo "')" >> $(2)

	$(verbose) echo "ifdef(\`$(1)_per_userdomain_template',\`" >> $(2)
	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates ($(1)_per_userdomain_template)'__endline__)" >> $(2)
	$(call parse-rolemap-compat,$(1),$(2))
	$(verbose) echo "')" >> $(2)
endef
145 | ||
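# Targets that name actions, not files. refresh and vars are listed too, so a
# stray file called "refresh" or "vars" in the working directory cannot make
# the target look up to date and skip its work.
.PHONY: clean all xml load reload refresh vars
# Delete a target whose recipe failed, so a half-written file is never
# mistaken for an up-to-date one on the next run.
.DELETE_ON_ERROR:
# Clear the built-in suffix list, then register only .pp.
.SUFFIXES:
.SUFFIXES: .pp
# broken in make 3.81:
#.SECONDARY: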
885b83ec CP |
151 | |
152 | ######################################## | |
153 | # | |
154 | # Main targets | |
155 | # | |
156 | ||
# all: build a policy package (.pp) for every detected module.
all: $(all_packages)

# xml: build the combined policy documentation file.
xml: $(polxml)
160 | ||
dde00d4e CP |
161 | ######################################## |
162 | # | |
163 | # Attempt to reinstall all installed packages | |
164 | # | |
# Re-installs base.pp plus every module that is currently loaded and also
# present as a package, either under $(SHAREDIR)/$(NAME) or among the locally
# built packages. This rewrites the module store of the running system, so it
# needs the privileges semodule requires.
refresh:
	@$(EINFO) "Refreshing $(NAME) modules"
	$(verbose) $(SEMODULE) -b $(SHAREDIR)/$(NAME)/base.pp $(patsubst %,-i %,$(match_sys) $(match_loc))
168 | ||
d508474f CP |
169 | ######################################## |
170 | # | |
171 | # Load module packages | |
172 | # | |
76bac89c CP |
173 | |
# load: install only the packages that changed since the last load.
load: tmp/loaded

# tmp/loaded is a stamp file. $? holds the packages newer than the stamp, and
# exactly those are handed to `semodule -i`. Installing a package changes the
# policy of the running system, so build from reviewed sources only.
tmp/loaded: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
	$(verbose) $(SEMODULE) $(patsubst %,-i %,$?)
	@mkdir -p $(@D)
	@touch $@
76bac89c | 180 | |
# reload: install every package ($^), whether or not it changed, then refresh
# the tmp/loaded stamp that the load target compares against.
reload: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
	$(verbose) $(SEMODULE) $(patsubst %,-i %,$^)
	@mkdir -p tmp
	@touch tmp/loaded
d508474f | 186 | |
885b83ec CP |
187 | ######################################## |
188 | # | |
189 | # Build module packages | |
190 | # | |
# Compile one module:
#   1. generate $@.role, the per-role template expansion for this module;
#   2. run m4 over the support macros, the interface database, the module's
#      .te file and $@.role, writing the result next to the target as .tmp;
#   3. compile that .tmp file into the binary module with checkmodule.
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
	@mkdir -p $(@D)
	$(call peruser-expansion,$(basename $(@F)),$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(basename $@).tmp
	$(verbose) $(CHECKMODULE) -m $(basename $@).tmp -o $@
197 | ||
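# Expand the module's file-context file with m4.
#
# The output goes to a temporary name and is renamed only after m4 succeeds,
# so a failed run cannot leave a truncated file contexts file that the next
# run would treat as up to date and package. The directory is created here
# because nothing else guarantees tmp/ exists before this rule runs (for
# example under `make -j`).
tmp/%.mod.fc: $(m4support) %.fc
	@mkdir -p $(@D)
	$(verbose) $(M4) $(M4PARAM) $^ > $@.tmp
	$(verbose) mv -f $@.tmp $@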
200 | ||
# Bundle the compiled module ($<) and its expanded file contexts ($<.fc) into
# a policy package in the current directory.
%.pp: tmp/%.mod tmp/%.mod.fc
	@echo "Creating $(NAME) $(@F) policy package"
	$(verbose) $(SEMOD_PKG) -o $(@) -m $(<) -f $(<).fc
204 | ||
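# Build the interface database: every header and local .if file expanded by
# m4 and wrapped in divert(-1) ... divert.
#
# tmp/iferror.m4 makes m4 exit with status 1 when __if_error is defined. m4
# writes to a file of its own rather than into a pipe: with the default
# /bin/sh a pipeline reports only the status of its last command, so piping
# m4 straight into sed would hide that exit and let a broken interface
# through. The target is assembled under a temporary name and renamed last,
# so a failure never leaves a partial database behind.
tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
	@test -d $(@D) || mkdir -p $(@D)
	@echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4
	$(verbose) $(M4) $^ tmp/iferror.m4 > $@.m4out
	@echo "divert(-1)" > $@.tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $@.m4out >> $@.tmp
	@echo "divert" >> $@.tmp
	@rm -f $@.m4out
	@mv -f $@.tmp $@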
885b83ec | 211 | |
# So users don't have to create empty .fc and .if files by hand: these rules
# have no prerequisites and therefore run only for files that are missing.
$(detected_fcs):
	@touch $@

# NOTE(review): the summary text is taken from the directory part of the
# target, $(basename $(@D)), not from the module's file name; confirm that
# this is intended.
$(detected_ifs):
	@echo "## <summary>$(basename $(@D))</summary>" > $@
885b83ec CP |
218 | |
219 | ######################################## | |
220 | # | |
221 | # Documentation generation | |
222 | # | |
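# Per-layer documentation for a local layer.
#
# The file is emptied first. Without that step, when $(HEADERDIR)/<layer>.xml
# exists the metadata copy is skipped and nothing truncates the target, so
# every rebuild would append genxml's output to the previous content.
# The layer's own metadata.xml is copied in only when the headers do not
# already provide an XML file for a layer of the same name.
tmp/%.xml: %/*.te %/*.if
	@test -d $(@D) || mkdir -p $(@D)
	$(verbose) : > $@
	$(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) >> $@
	$(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@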
885b83ec | 227 | |
# vars: build the XML of every local layer.
vars: $(local_xml)

# Assemble the policy documentation: XML prologue, one <layer> element per
# layer name (header XML first, then local XML, each only if the file
# exists), an optional third_party layer for .te files in the working
# directory, then the global tunables and booleans.
$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs)
	@echo "Creating $(@F)"
	@mkdir -p $(@D)
	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
	$(verbose) echo '<policy>' >> $@
	$(verbose) for i in $(all_layer_names); do \
		echo "<layer name=\"$$i\">" >> $@ ;\
		if test -f $(HEADERDIR)/$$i.xml; then cat $(HEADERDIR)/$$i.xml >> $@; fi ;\
		if test -f tmp/$$i.xml; then cat tmp/$$i.xml >> $@; fi ;\
		echo "</layer>" >> $@ ;\
	done
ifneq ($(strip $(3rd_party_mods)),)
	$(verbose) echo "<layer name=\"third_party\">" >> $@
	$(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@
	$(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@
	$(verbose) echo "</layer>" >> $@
endif
	$(verbose) cat $(globaltun) $(globalbool) >> $@
	$(verbose) echo '</policy>' >> $@
# DTD validation runs only when xmllint is executable and the DTD exists;
# otherwise the step is skipped without any message.
	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
	fi
253 | ||
254 | ######################################## | |
255 | # | |
256 | # Clean the environment | |
257 | # | |
258 | ||
# Remove the scratch directory and every policy package in the current
# directory. The *.pp glob also matches packages this makefile did not build.
clean:
	rm -rf tmp
	rm -f *.pp