[people/stevee/selinux-policy.git] / Rules.monolithic

########################################
#
# Rules and Targets for building monolithic policies
#

# determine the policy version and current kernel version if possible
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
kv := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq "$(kv)" ""
	kv := $(pv)
endif

policy_conf = $(builddir)policy.conf
fc = $(builddir)file_contexts
polver = $(builddir)policy.$(pv)
homedir_template = $(builddir)homedir_template

M4PARAM += -D self_contained_policy

# install paths
loadpath = $(policypath)/$(notdir $(polver))

appfiles += $(installdir)/booleans $(userpath)/local.users

# for monolithic policy use all base and module to create policy
all_modules := $(strip $(base_mods) $(mod_mods))
# off module interfaces included to make sure all interfaces are expanded.
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
all_te_files := $(all_modules)
all_fc_files := $(all_modules:.te=.fc)

pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
post_te_files := $(user_files) $(poldir)/constraints

policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)

########################################
#
# default action: build policy locally
#
default: policy

policy: $(polver)

install: $(loadpath) $(fcpath) $(appfiles)

load: $(tmpdir)/load

checklabels: $(fcpath)
restorelabels: $(fcpath)
relabel:  $(fcpath)
resetlabels:  $(fcpath)

########################################
#
# Build a binary policy locally
#
$(polver): $(policy_conf)
	@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################
#
# Install a binary policy
#
$(loadpath): $(policy_conf)
	@mkdir -p $(policypath)
	@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################
#
# Load the binary policy
#
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
	@echo "Loading $(NAME) $(loadpath)"
	$(verbose) $(LOADPOLICY) -q $(loadpath)
	@touch $(tmpdir)/load

########################################
#
# Construct a monolithic policy.conf
#
$(policy_conf): $(policy_sections)
	@echo "Creating $(NAME) $(@F)"
	@test -d $(@D) || mkdir -p $(@D)
	$(verbose) cat $^ > $@

$(tmpdir)/pre_te_files.conf: $(pre_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/generated_definitions.conf: $(all_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
	$(verbose) $(genperm) $(avs) $(secclass) > $@
	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
	@echo "divert(-1)" > $@
	$(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	@echo "divert" >> $@

$(tmpdir)/rolemap.conf: $(rolemap)
	$(call parse-rolemap,base,$@)

$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
ifeq "$(strip $(all_te_files))" ""
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
# these have to run individually because order matters:
	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf

########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: $(policy_conf)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
	$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
	$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)

########################################
#
# Construct file_contexts
#
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
	$(verbose) $(fcsort) $< $@
	$(verbose) $(GREP) -e HOME -e ROLE $@ > $(homedir_template)
	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@

$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
ifeq ($(all_fc_files),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) file_contexts."
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(homedir_template): $(fc)

########################################
#
# Install file_contexts
#
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
	@echo "Validating $(NAME) file_contexts."
	$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
	@echo "Installing file_contexts."
	@mkdir -p $(contextpath)/files
	$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
	$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
	$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
ifeq "$(DISTRO)" "rhel4"
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
	$(verbose) cat $@.homedirs >> $@
# Delete the file_contexts.homedirs in case the toolchain has
# been updated, to prevent duplicate match errors.
	$(verbose) rm -f $@.homedirs
endif

########################################
#
# Intall netfilter_contexts
#
$(ncpath): $(net_contexts)
	@echo "Installing $(NAME) netfilter_contexts."
	$(verbose) $(INSTALL) -m 0644 $^ $@

########################################
#
# Run policy source checks
#
check: $(builddir)check.res
$(builddir)check.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@

longcheck: $(builddir)longcheck.res
$(builddir)longcheck.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@

########################################
#
# Appconfig files
#
$(appdir)/customizable_types: $(policy_conf)
	@mkdir -p $(appdir)
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ 

########################################
#
# Clean the sources
#
clean:
	rm -f $(policy_conf)
	rm -f $(polver)
	rm -f $(fc)
	rm -f $(homedir_template)
	rm -f $(net_contexts)
	rm -f *.res
	rm -fR $(tmpdir)

.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
Commit	Line	Data
	1	########################################
	2	#
	3	# Rules and Targets for building monolithic policies
	4	#
	5
	6	# determine the policy version and current kernel version if possible
	7	pv := $(shell $(CHECKPOLICY) -V \|cut -f 1 -d ' ')
	8	kv := $(shell cat /selinux/policyvers)
	9
	10	# dont print version warnings if we are unable to determine
	11	# the currently running kernel's policy version
	12	ifeq "$(kv)" ""
	13	kv := $(pv)
	14	endif
	15
	16	policy_conf = $(builddir)policy.conf
	17	fc = $(builddir)file_contexts
	18	polver = $(builddir)policy.$(pv)
	19	homedir_template = $(builddir)homedir_template
	20
	21	M4PARAM += -D self_contained_policy
	22
	23	# install paths
	24	loadpath = $(policypath)/$(notdir $(polver))
	25
	26	appfiles += $(installdir)/booleans $(userpath)/local.users
	27
	28	# for monolithic policy use all base and module to create policy
	29	all_modules := $(strip $(base_mods) $(mod_mods))
	30	# off module interfaces included to make sure all interfaces are expanded.
	31	all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
	32	all_te_files := $(all_modules)
	33	all_fc_files := $(all_modules:.te=.fc)
	34
	35	pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
	36	post_te_files := $(user_files) $(poldir)/constraints
	37
	38	policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
	39
	40	# search layer dirs for source files
	41	vpath %.te $(all_layers)
	42	vpath %.if $(all_layers)
	43	vpath %.fc $(all_layers)
	44
	45	########################################
	46	#
	47	# default action: build policy locally
	48	#
	49	default: policy
	50
	51	policy: $(polver)
	52
	53	install: $(loadpath) $(fcpath) $(appfiles)
	54
	55	load: $(tmpdir)/load
	56
	57	checklabels: $(fcpath)
	58	restorelabels: $(fcpath)
	59	relabel: $(fcpath)
	60	resetlabels: $(fcpath)
	61
	62	########################################
	63	#
	64	# Build a binary policy locally
	65	#
	66	$(polver): $(policy_conf)
	67	@echo "Compiling $(NAME) $(polver)"
	68	ifneq ($(pv),$(kv))
	69	@echo
	70	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
	71	@echo
	72	endif
	73	$(verbose) $(CHECKPOLICY) $^ -o $@
	74
	75	########################################
	76	#
	77	# Install a binary policy
	78	#
	79	$(loadpath): $(policy_conf)
	80	@mkdir -p $(policypath)
	81	@echo "Compiling and installing $(NAME) $(loadpath)"
	82	ifneq ($(pv),$(kv))
	83	@echo
	84	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
	85	@echo
	86	endif
	87	$(verbose) $(CHECKPOLICY) $^ -o $@
	88
	89	########################################
	90	#
	91	# Load the binary policy
	92	#
	93	reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
	94	@echo "Loading $(NAME) $(loadpath)"
	95	$(verbose) $(LOADPOLICY) -q $(loadpath)
	96	@touch $(tmpdir)/load
	97
	98	########################################
	99	#
	100	# Construct a monolithic policy.conf
	101	#
	102	$(policy_conf): $(policy_sections)
	103	@echo "Creating $(NAME) $(@F)"
	104	@test -d $(@D) \|\| mkdir -p $(@D)
	105	$(verbose) cat $^ > $@
	106
	107	$(tmpdir)/pre_te_files.conf: $(pre_te_files)
	108	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	109	$(verbose) $(M4) $(M4PARAM) $^ > $@
	110
	111	$(tmpdir)/generated_definitions.conf: $(all_te_files)
	112	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	113	# define all available object classes
	114	$(verbose) $(genperm) $(avs) $(secclass) > $@
	115	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
	116	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ \|\| true
	117
	118	$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	119	$(verbose) $(M4) $(M4PARAM) $^ > $@
	120
	121	$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
	122	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	123	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
	124	@echo "divert(-1)" > $@
	125	$(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp
	126	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	127	@echo "divert" >> $@
	128
	129	$(tmpdir)/rolemap.conf: $(rolemap)
	130	$(call parse-rolemap,base,$@)
	131
	132	$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
	133	ifeq "$(strip $(all_te_files))" ""
	134	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
	135	endif
	136	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	137	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
	138
	139	$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
	140	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	141	$(verbose) $(M4) $(M4PARAM) $^ > $@
	142
	143	# extract attributes and put them first. extract post te stuff
	144	# like genfscon and put last.
	145	$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
	146	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf \| $(SORT) > $(tmpdir)/all_attrs_types.conf
	147	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
	148	# these have to run individually because order matters:
	149	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	150	$(verbose) $(GREP) '^fs_use_(xattr\|task\|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	151	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	152	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	153	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	154	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf \|\| true
	155	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
	156
	157	########################################
	158	#
	159	# Remove the dontaudit rules from the policy.conf
	160	#
	161	enableaudit: $(policy_conf)
	162	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	163	@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
	164	$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
	165	$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
	166
	167	########################################
	168	#
	169	# Construct file_contexts
	170	#
	171	$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
	172	$(verbose) $(fcsort) $< $@
	173	$(verbose) $(GREP) -e HOME -e ROLE $@ > $(homedir_template)
	174	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@
	175
	176	$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
	177	ifeq ($(all_fc_files),)
	178	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
	179	endif
	180	@echo "Creating $(NAME) file_contexts."
	181	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	182	$(verbose) $(M4) $(M4PARAM) $^ > $@
	183
	184	$(homedir_template): $(fc)
	185
	186	########################################
	187	#
	188	# Install file_contexts
	189	#
	190	$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
	191	@echo "Validating $(NAME) file_contexts."
	192	$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
	193	@echo "Installing file_contexts."
	194	@mkdir -p $(contextpath)/files
	195	$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
	196	$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
	197	$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
	198	ifeq "$(DISTRO)" "rhel4"
	199	# Setfiles in RHEL4 does not look at file_contexts.homedirs.
	200	$(verbose) cat $@.homedirs >> $@
	201	# Delete the file_contexts.homedirs in case the toolchain has
	202	# been updated, to prevent duplicate match errors.
	203	$(verbose) rm -f $@.homedirs
	204	endif
	205
	206	########################################
	207	#
	208	# Intall netfilter_contexts
	209	#
	210	$(ncpath): $(net_contexts)
	211	@echo "Installing $(NAME) netfilter_contexts."
	212	$(verbose) $(INSTALL) -m 0644 $^ $@
	213
	214	########################################
	215	#
	216	# Run policy source checks
	217	#
	218	check: $(builddir)check.res
	219	$(builddir)check.res: $(policy_conf) $(fc)
	220	$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
	221
	222	longcheck: $(builddir)longcheck.res
	223	$(builddir)longcheck.res: $(policy_conf) $(fc)
	224	$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
	225
	226	########################################
	227	#
	228	# Appconfig files
	229	#
	230	$(appdir)/customizable_types: $(policy_conf)
	231	@mkdir -p $(appdir)
	232	$(verbose) $(GREP) '^[[:blank:]]type .customizable' $< \| cut -d';' -f1 \| cut -d',' -f1 \| cut -d' ' -f2 \| $(SORT) -u > $(tmpdir)/customizable_types
	233	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
	234
	235	########################################
	236	#
	237	# Clean the sources
	238	#
	239	clean:
	240	rm -f $(policy_conf)
	241	rm -f $(polver)
	242	rm -f $(fc)
	243	rm -f $(homedir_template)
	244	rm -f $(net_contexts)
	245	rm -f *.res
	246	rm -fR $(tmpdir)
	247
	248	.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean