]>
Commit | Line | Data |
---|---|---|
1 | ######################################## | |
2 | # | |
3 | # Rules and Targets for building monolithic policies | |
4 | # | |
5 | ||
6 | # determine the policy version and current kernel version if possible | |
7 | pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') | |
8 | kv := $(shell cat /selinux/policyvers) | |
9 | ||
10 | # dont print version warnings if we are unable to determine | |
11 | # the currently running kernel's policy version | |
12 | ifeq "$(kv)" "" | |
13 | kv := $(pv) | |
14 | endif | |
15 | ||
16 | policy_conf = $(builddir)policy.conf | |
17 | fc = $(builddir)file_contexts | |
18 | polver = $(builddir)policy.$(pv) | |
19 | homedir_template = $(builddir)homedir_template | |
20 | ||
21 | M4PARAM += -D self_contained_policy | |
22 | ||
23 | # install paths | |
24 | loadpath = $(policypath)/$(notdir $(polver)) | |
25 | ||
26 | appfiles += $(installdir)/booleans $(userpath)/local.users | |
27 | ||
28 | # for monolithic policy use all base and module to create policy | |
29 | all_modules := $(strip $(base_mods) $(mod_mods)) | |
30 | # off module interfaces included to make sure all interfaces are expanded. | |
31 | all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if) | |
32 | all_te_files := $(all_modules) | |
33 | all_fc_files := $(all_modules:.te=.fc) | |
34 | ||
35 | pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs | |
36 | post_te_files := $(user_files) $(poldir)/constraints | |
37 | ||
38 | policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf | |
39 | ||
40 | # search layer dirs for source files | |
41 | vpath %.te $(all_layers) | |
42 | vpath %.if $(all_layers) | |
43 | vpath %.fc $(all_layers) | |
44 | ||
45 | ######################################## | |
46 | # | |
47 | # default action: build policy locally | |
48 | # | |
49 | default: policy | |
50 | ||
51 | policy: $(polver) | |
52 | ||
53 | install: $(loadpath) $(fcpath) $(appfiles) | |
54 | ||
55 | load: $(tmpdir)/load | |
56 | ||
57 | checklabels: $(fcpath) | |
58 | restorelabels: $(fcpath) | |
59 | relabel: $(fcpath) | |
60 | resetlabels: $(fcpath) | |
61 | ||
62 | ######################################## | |
63 | # | |
64 | # Build a binary policy locally | |
65 | # | |
66 | $(polver): $(policy_conf) | |
67 | @echo "Compiling $(NAME) $(polver)" | |
68 | ifneq ($(pv),$(kv)) | |
69 | @echo | |
70 | @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" | |
71 | @echo | |
72 | endif | |
73 | $(verbose) $(CHECKPOLICY) $^ -o $@ | |
74 | ||
75 | ######################################## | |
76 | # | |
77 | # Install a binary policy | |
78 | # | |
79 | $(loadpath): $(policy_conf) | |
80 | @mkdir -p $(policypath) | |
81 | @echo "Compiling and installing $(NAME) $(loadpath)" | |
82 | ifneq ($(pv),$(kv)) | |
83 | @echo | |
84 | @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" | |
85 | @echo | |
86 | endif | |
87 | $(verbose) $(CHECKPOLICY) $^ -o $@ | |
88 | ||
89 | ######################################## | |
90 | # | |
91 | # Load the binary policy | |
92 | # | |
93 | reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) | |
94 | @echo "Loading $(NAME) $(loadpath)" | |
95 | $(verbose) $(LOADPOLICY) -q $(loadpath) | |
96 | @touch $(tmpdir)/load | |
97 | ||
98 | ######################################## | |
99 | # | |
100 | # Construct a monolithic policy.conf | |
101 | # | |
102 | $(policy_conf): $(policy_sections) | |
103 | @echo "Creating $(NAME) $(@F)" | |
104 | @test -d $(@D) || mkdir -p $(@D) | |
105 | $(verbose) cat $^ > $@ | |
106 | ||
107 | $(tmpdir)/pre_te_files.conf: $(pre_te_files) | |
108 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
109 | $(verbose) $(M4) $(M4PARAM) $^ > $@ | |
110 | ||
111 | $(tmpdir)/generated_definitions.conf: $(all_te_files) | |
112 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
113 | # define all available object classes | |
114 | $(verbose) $(genperm) $(avs) $(secclass) > $@ | |
115 | $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@) | |
116 | $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true | |
117 | ||
118 | $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun) | |
119 | $(verbose) $(M4) $(M4PARAM) $^ > $@ | |
120 | ||
121 | $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) | |
122 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
123 | @echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4 | |
124 | @echo "divert(-1)" > $@ | |
125 | $(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp | |
126 | $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ | |
127 | @echo "divert" >> $@ | |
128 | ||
129 | $(tmpdir)/rolemap.conf: $(rolemap) | |
130 | $(call parse-rolemap,base,$@) | |
131 | ||
132 | $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf | |
133 | ifeq "$(strip $(all_te_files))" "" | |
134 | $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") | |
135 | endif | |
136 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
137 | $(verbose) $(M4) $(M4PARAM) -s $^ > $@ | |
138 | ||
139 | $(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files) | |
140 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
141 | $(verbose) $(M4) $(M4PARAM) $^ > $@ | |
142 | ||
143 | # extract attributes and put them first. extract post te stuff | |
144 | # like genfscon and put last. | |
145 | $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf | |
146 | $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf | |
147 | $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf | |
148 | # these have to run individually because order matters: | |
149 | $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
150 | $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
151 | $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
152 | $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
153 | $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
154 | $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true | |
155 | $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf | |
156 | ||
157 | ######################################## | |
158 | # | |
159 | # Remove the dontaudit rules from the policy.conf | |
160 | # | |
161 | enableaudit: $(policy_conf) | |
162 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
163 | @echo "Removing dontaudit rules from $(notdir $(policy_conf))" | |
164 | $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit | |
165 | $(verbose) mv $(tmpdir)/policy.audit $(policy_conf) | |
166 | ||
167 | ######################################## | |
168 | # | |
169 | # Construct file_contexts | |
170 | # | |
171 | $(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort) | |
172 | $(verbose) $(fcsort) $< $@ | |
173 | $(verbose) $(GREP) -e HOME -e ROLE $@ > $(homedir_template) | |
174 | $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@ | |
175 | ||
176 | $(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files) | |
177 | ifeq ($(all_fc_files),) | |
178 | $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") | |
179 | endif | |
180 | @echo "Creating $(NAME) file_contexts." | |
181 | @test -d $(tmpdir) || mkdir -p $(tmpdir) | |
182 | $(verbose) $(M4) $(M4PARAM) $^ > $@ | |
183 | ||
184 | $(homedir_template): $(fc) | |
185 | ||
186 | ######################################## | |
187 | # | |
188 | # Install file_contexts | |
189 | # | |
190 | $(fcpath): $(fc) $(loadpath) $(userpath)/system.users | |
191 | @echo "Validating $(NAME) file_contexts." | |
192 | $(verbose) $(SETFILES) -q -c $(loadpath) $(fc) | |
193 | @echo "Installing file_contexts." | |
194 | @mkdir -p $(contextpath)/files | |
195 | $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath) | |
196 | $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath) | |
197 | $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD) | |
198 | ifeq "$(DISTRO)" "rhel4" | |
199 | # Setfiles in RHEL4 does not look at file_contexts.homedirs. | |
200 | $(verbose) cat $@.homedirs >> $@ | |
201 | # Delete the file_contexts.homedirs in case the toolchain has | |
202 | # been updated, to prevent duplicate match errors. | |
203 | $(verbose) rm -f $@.homedirs | |
204 | endif | |
205 | ||
206 | ######################################## | |
207 | # | |
208 | # Intall netfilter_contexts | |
209 | # | |
210 | $(ncpath): $(net_contexts) | |
211 | @echo "Installing $(NAME) netfilter_contexts." | |
212 | $(verbose) $(INSTALL) -m 0644 $^ $@ | |
213 | ||
214 | ######################################## | |
215 | # | |
216 | # Run policy source checks | |
217 | # | |
218 | check: $(builddir)check.res | |
219 | $(builddir)check.res: $(policy_conf) $(fc) | |
220 | $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@ | |
221 | ||
222 | longcheck: $(builddir)longcheck.res | |
223 | $(builddir)longcheck.res: $(policy_conf) $(fc) | |
224 | $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@ | |
225 | ||
226 | ######################################## | |
227 | # | |
228 | # Appconfig files | |
229 | # | |
230 | $(appdir)/customizable_types: $(policy_conf) | |
231 | @mkdir -p $(appdir) | |
232 | $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types | |
233 | $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ | |
234 | ||
235 | ######################################## | |
236 | # | |
237 | # Clean the sources | |
238 | # | |
239 | clean: | |
240 | rm -f $(policy_conf) | |
241 | rm -f $(polver) | |
242 | rm -f $(fc) | |
243 | rm -f $(homedir_template) | |
244 | rm -f $(net_contexts) | |
245 | rm -f *.res | |
246 | rm -fR $(tmpdir) | |
247 | ||
248 | .PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean |