1 ########################################
3 # Rules and Targets for building modular policies
6 all_modules := $(base_mods) $(mod_mods) $(off_mods)
7 all_interfaces := $(all_modules:.te=.if)
9 base_pkg := $(builddir)base.pp
10 base_fc := $(builddir)base.fc
11 base_conf := $(builddir)base.conf
12 base_mod := $(tmpdir)/base.mod
14 users_extra := $(tmpdir)/users_extra
16 base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
18 base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
19 base_te_files := $(base_mods)
20 base_post_te_files := $(user_files) $(poldir)/constraints
21 base_fc_files := $(base_mods:.te=.fc)
23 mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
25 # policy packages to install
26 instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
28 # search layer dirs for source files
29 vpath %.te $(all_layers)
30 vpath %.if $(all_layers)
31 vpath %.fc $(all_layers)
33 # broken in make 3.81:
36 ########################################
38 # default action: create all module packages
42 all policy: base modules
48 install: $(instpkg) $(appfiles)
50 ########################################
52 # Load all configured modules
54 load: $(instpkg) $(appfiles)
55 @echo "Loading configured modules."
56 $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
58 ########################################
60 # Install policy packages
62 $(modpkgdir)/%.pp: $(builddir)%.pp
63 @mkdir -p $(modpkgdir)
64 @echo "Installing $(NAME) $(@F) policy package."
65 $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
67 ########################################
69 # Build module packages
71 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
72 @echo "Compliling $(NAME) $(@F) module"
73 @test -d $(tmpdir) || mkdir -p $(tmpdir)
74 $(call peruser-expansion,$(basename $(@F)),$@.role)
75 $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
76 $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
78 $(tmpdir)/%.mod.fc: $(m4support) %.fc
79 @test -d $(tmpdir) || mkdir -p $(tmpdir)
80 $(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
82 $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
83 @echo "Creating $(NAME) $(@F) policy package"
84 @test -d $(builddir) || mkdir -p $(builddir)
85 $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
87 ########################################
89 # Create a base module package
91 $(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
92 @echo "Creating $(NAME) base module package"
93 @test -d $(builddir) || mkdir -p $(builddir)
94 $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts)
96 $(base_mod): $(base_conf)
97 @echo "Compiling $(NAME) base module"
98 $(verbose) $(CHECKMODULE) $^ -o $@
100 $(users_extra): $(m4support) $(user_files)
101 @test -d $(tmpdir) || mkdir -p $(tmpdir)
102 $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
103 $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
105 ########################################
107 # Construct a base.conf
109 $(base_conf): $(base_sections)
110 @echo "Creating $(NAME) base module $(@F)"
111 @test -d $(@D) || mkdir -p $(@D)
112 $(verbose) cat $^ > $@
114 $(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
115 $(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
116 @test -d $(tmpdir) || mkdir -p $(tmpdir)
117 $(verbose) $(M4) $(M4PARAM) $^ > $@
119 $(tmpdir)/generated_definitions.conf: $(base_te_files)
120 @test -d $(tmpdir) || mkdir -p $(tmpdir)
121 # define all available object classes
122 $(verbose) $(genperm) $(avs) $(secclass) > $@
123 # per-userdomain templates
124 $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
125 $(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
126 echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
129 $(verbose) echo "')" >> $@
130 $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
132 $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
133 $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
134 $(verbose) $(M4) $(M4PARAM) $^ > $@
136 $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
137 @test -d $(tmpdir) || mkdir -p $(tmpdir)
138 @echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
139 @echo "divert(-1)" > $@
140 $(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp
141 $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
144 $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
145 $(tmpdir)/rolemap.conf: $(rolemap)
146 $(call parse-rolemap,base,$@)
148 $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
149 $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
150 ifeq "$(strip $(base_te_files))" ""
151 $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
153 @test -d $(tmpdir) || mkdir -p $(tmpdir)
154 $(verbose) $(M4) $(M4PARAM) -s $^ > $@
156 $(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
157 $(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
158 @test -d $(tmpdir) || mkdir -p $(tmpdir)
159 $(verbose) $(M4) $(M4PARAM) $^ > $@
161 # extract attributes and put them first. extract post te stuff
162 # like genfscon and put last.
163 $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
164 $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
165 $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
166 # these have to run individually because order matters:
167 $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
168 $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
169 $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
170 $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
171 $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
172 $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
173 $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
175 ########################################
177 # Construct a base.fc
179 $(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
180 $(verbose) $(fcsort) $< $@
182 $(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
183 ifeq ($(base_fc_files),)
184 $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
186 @echo "Creating $(NAME) base module file contexts."
187 @test -d $(tmpdir) || mkdir -p $(tmpdir)
188 $(verbose) $(M4) $(M4PARAM) $^ > $@
190 ########################################
192 # Remove the dontaudit rules from the base.conf
194 enableaudit: $(base_conf)
195 @test -d $(tmpdir) || mkdir -p $(tmpdir)
196 @echo "Removing dontaudit rules from $(^F)"
197 $(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit
198 $(verbose) mv $(tmpdir)/base.audit $(base_conf)
200 ########################################
204 $(appdir)/customizable_types: $(base_conf)
206 $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
207 $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
209 ########################################
211 # Validate linking and expanding of modules
213 validate: $(base_pkg) $(mod_pkgs)
214 @echo "Validating policy linking."
215 $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
216 $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
219 ########################################
226 rm -f $(builddir)*.pp
227 rm -f $(net_contexts)
230 .PHONY: default all policy base modules install load clean validate