]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - refpolicy/Makefile
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fixes to make base module compilable
[people/stevee/selinux-policy.git] / refpolicy / Makefile
1 #
2 # Makefile for the security policy.
3 #
4 # Targets:
5 #
6 # install - compile and install the policy configuration, and context files.
7 # load - compile, install, and load the policy configuration.
8 # reload - compile, install, and load/reload the policy configuration.
9 # relabel - relabel filesystems based on the file contexts configuration.
10 # checklabels - check filesystems against the file context configuration
11 # restorelabels - check filesystems against the file context configuration
12 # and restore the label of files with incorrect labels
13 # policy - compile the policy configuration locally for testing/development.
14 #
15 # The default target is 'policy'.
16 #
17
18 ########################################
19 #
20 # Configurable portions of the Makefile
21 #
22
23 # Policy version
24 # By default, checkpolicy will create the highest
25 # version policy it supports. Setting this will
26 # override the version.
27 #OUTPUT_POLICY = 18
28
29 # Policy Type
30 # strict, targeted, strict-mls, targeted-mls
31 TYPE = strict
32
33 # Policy Name
34 # If set, this will be used as the policy
35 # name. Otherwise the policy type will be
36 # used for the name.
37 NAME = refpolicy
38
39 # Distribution
40 # Some distributions have portions of policy
41 # for programs or configurations specific to the
42 # distribution. Setting this will enable options
43 # for the distribution.
44 # redhat, gentoo, debian, and suse are current options.
45 # Fedora users should enable redhat.
46 #DISTRO = redhat
47
48 # Build monolithic policy. Putting n here
49 # will build a loadable module policy.
50 MONOLITHIC=y
51
52 # Uncomment this to disable command echoing
53 #QUIET:=@
54
55 ########################################
56 #
57 # NO OPTIONS BELOW HERE
58 #
59
60 # executable paths
61 PREFIX := /usr
62 BINDIR := $(PREFIX)/bin
63 SBINDIR := $(PREFIX)/sbin
64 CHECKPOLICY := $(BINDIR)/checkpolicy
65 CHECKMODULE := $(BINDIR)/checkmodule
66 SEMOD_PKG := $(BINDIR)/semodule_package
67 LOADPOLICY := $(SBINDIR)/load_policy
68 SETFILES := $(SBINDIR)/setfiles
69 GENHOMEDIRCON := $(SBINDIR)/genhomedircon
70 XMLLINT := $(BINDIR)/xmllint
71
72 CFLAGS := -Wall
73
74 # policy source layout
75 POLDIR := policy
76 MODDIR := $(POLDIR)/modules
77 FLASKDIR := $(POLDIR)/flask
78 SECCLASS := $(FLASKDIR)/security_classes
79 ISIDS := $(FLASKDIR)/initial_sids
80 AVS := $(FLASKDIR)/access_vectors
81
82 # policy building support tools
83 SUPPORT := support
84 GENXML := $(SUPPORT)/segenxml.py
85 GENDOC := $(SUPPORT)/sedoctool.py
86 GENPERM := $(SUPPORT)/genclassperms.py
87 FCSORT := $(SUPPORT)/fc_sort
88 SETTUN := $(SUPPORT)/set_tunables
89
90 # documentation paths
91 DOCS = doc
92 POLXML = $(DOCS)/policy.xml
93 XMLDTD = $(DOCS)/policy.dtd
94 LAYERXML = metadata.xml
95 HTMLDIR = $(DOCS)/html
96 DOCTEMPLATE = $(DOCS)/templates
97
98 # config file paths
99 GLOBALTUN := $(POLDIR)/global_tunables
100 MOD_CONF := $(POLDIR)/modules.conf
101 TUNABLES := $(POLDIR)/tunables.conf
102
103 # install paths
104 TOPDIR = $(DESTDIR)/etc/selinux
105 INSTALLDIR = $(TOPDIR)/$(NAME)
106 SRCPATH = $(INSTALLDIR)/src
107 USERPATH = $(INSTALLDIR)/users
108 CONTEXTPATH = $(INSTALLDIR)/contexts
109
110 # enable MLS if requested.
111 ifneq ($(findstring mls,$(TYPE)),)
112 override M4PARAM += -D enable_mls
113 CHECKPOLICY += -M
114 CHECKMODULE += -M
115 endif
116
117 # compile targeted policy if requested.
118 ifneq ($(findstring targeted,$(TYPE)),)
119 override M4PARAM += -D targeted_policy
120 endif
121
122 # enable distribution-specific policy
123 ifneq ($(DISTRO),)
124 override M4PARAM += -D distro_$(DISTRO)
125 endif
126
127 ifneq ($(OUTPUT_POLICY),)
128 CHECKPOLICY += -c $(OUTPUT_POLICY)
129 endif
130
131 ifeq ($(NAME),)
132 NAME := $(TYPE)
133 endif
134
135 # determine the policy version and current kernel version if possible
136 PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
137 KV := $(shell cat /selinux/policyvers)
138
139 # dont print version warnings if we are unable to determine
140 # the currently running kernel's policy version
141 ifeq ($(KV),)
142 KV := $(PV)
143 endif
144
145 FC := file_contexts
146 POLVER := policy.$(PV)
147
148 ifneq ($(findstring targeted,$(TYPE)),)
149 APPCONF := config/appconfig-targeted
150 else
151 APPCONF := config/appconfig-strict
152 endif
153
154 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
155
156 APPDIR := $(CONTEXTPATH)
157 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans
158 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
159 USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
160
161 ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
162
163 GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
164 GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
165 GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
166
167 # sort here since it removes duplicates, which can happen
168 # when a generated file is already generated
169 DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
170
171 # modules.conf setting for base module
172 MODBASE := base
173
174 # modules.conf setting for module
175 MODMOD := module
176
177 # extract settings from modules.conf
178 BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
179 MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
180
181 HOMEDIR_TEMPLATE = tmp/homedir_template
182
183 ########################################
184 #
185 # Load appropriate rules
186 #
187
188 ifeq ($(MONOLITHIC),y)
189 include Rules.monolithic
190 else
191 include Rules.modular
192 endif
193
194 ########################################
195 #
196 # Generated files
197 #
198 $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
199 @echo "#" > $@
200 @echo "# This is a generated file! Instead of modifying this file, the" >> $@
201 @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
202 @echo "#" >> $@
203 $(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
204 $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
205 | m4 -D monolithic_policy $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
206 | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
207
208 $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
209 @echo "#" > $@
210 @echo "# This is a generated file! Instead of modifying this file, the" >> $@
211 @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
212 @echo "#" >> $@
213 $(QUIET) m4 -D monolithic_policy $(M4PARAM) $(M4SUPPORT) $^ \
214 | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
215
216 ########################################
217 #
218 # Create config files
219 #
220 conf: $(MOD_CONF) $(TUNABLES) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
221
222 $(MOD_CONF) $(TUNABLES): $(POLXML)
223 @echo "Updating $(MOD_CONF) and $(TUNABLES)"
224 $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(TUNABLES) -m ../$(MOD_CONF) -x ../$(POLXML)
225
226 ########################################
227 #
228 # Documentation generation
229 #
230
231 # minimal dependencies here, because we don't want to rebuild
232 # this and its dependents every time the dependencies
233 # change. Also use all .if files here, rather then just the
234 # enabled modules.
235 $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
236 @echo "Creating $@"
237 @mkdir -p tmp
238 $(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
239 $(QUIET) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
240 $(QUIET) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) $(ALL_LAYERS) >> $@
241 $(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
242 $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
243 fi
244
245 html: $(POLXML)
246 @mkdir -p $(HTMLDIR)
247 $(QUIET) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML)
248 $(QUIET) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
249
250 ########################################
251 #
252 # Runtime binary policy patching of users
253 #
254 $(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
255 @mkdir -p $(USERPATH)
256 @echo "Installing system.users"
257 @echo "# " > tmp/system.users
258 @echo "# Do not edit this file. " >> tmp/system.users
259 @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
260 @echo "# Please edit local.users to make local changes." >> tmp/system.users
261 @echo "#" >> tmp/system.users
262 $(QUIET) m4 -D monolithic_policy $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \
263 egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users
264 $(QUIET) install -m 644 tmp/system.users $@
265
266 $(USERPATH)/local.users: config/local.users
267 @mkdir -p $(USERPATH)
268 @echo "Installing local.users"
269 $(QUIET) install -b -m 644 $< $@
270
271 ########################################
272 #
273 # Appconfig files
274 #
275 install-appconfig: $(APPFILES)
276
277 $(INSTALLDIR)/booleans: $(TUNABLES)
278 @mkdir -p $(INSTALLDIR)
279 $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(TUNABLES) \
280 | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
281 $(QUIET) install -m 644 tmp/booleans $@
282
283 $(CONTEXTPATH)/files/media: $(APPCONF)/media
284 @mkdir -p $(CONTEXTPATH)/files/
285 $(QUIET) install -m 644 $< $@
286
287 $(APPDIR)/default_contexts: $(APPCONF)/default_contexts
288 @mkdir -p $(APPDIR)
289 $(QUIET) install -m 644 $< $@
290
291 $(APPDIR)/removable_context: $(APPCONF)/removable_context
292 @mkdir -p $(APPDIR)
293 $(QUIET) install -m 644 $< $@
294
295 $(APPDIR)/customizable_types: policy.conf
296 @mkdir -p $(APPDIR)
297 $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
298 $(QUIET) install -m 644 tmp/customizable_types $@
299
300 $(APPDIR)/default_type: $(APPCONF)/default_type
301 @mkdir -p $(APPDIR)
302 $(QUIET) install -m 644 $< $@
303
304 $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
305 @mkdir -p $(APPDIR)
306 $(QUIET) install -m 644 $< $@
307
308 $(APPDIR)/initrc_context: $(APPCONF)/initrc_context
309 @mkdir -p $(APPDIR)
310 $(QUIET) install -m 644 $< $@
311
312 $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
313 @mkdir -p $(APPDIR)
314 $(QUIET) install -m 644 $< $@
315
316 $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
317 @mkdir -p $(APPDIR)
318 $(QUIET) install -m 644 $< $@
319
320 $(APPDIR)/users/root: $(APPCONF)/root_default_contexts
321 @mkdir -p $(APPDIR)/users
322 $(QUIET) install -m 644 $< $@
323
324 ########################################
325 #
326 # Install policy sources
327 #
328 install-src:
329 rm -rf $(SRCPATH)/policy.old
330 -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
331 mkdir -p $(SRCPATH)/policy
332 cp -R . $(SRCPATH)/policy
333
334 ########################################
335 #
336 # Clean everything
337 #
338 bare: clean
339 rm -f $(POLXML)
340 rm -f $(SUPPORT)/*.pyc
341 rm -f $(FCSORT)
342 rm -f $(MOD_CONF)
343 rm -f $(TUNABLES)
344 rm -fR $(HTMLDIR)
345 ifneq ($(GENERATED_TE),)
346 rm -f $(GENERATED_TE)
347 endif
348 ifneq ($(GENERATED_IF),)
349 rm -f $(GENERATED_IF)
350 endif
351 ifneq ($(GENERATED_FC),)
352 rm -f $(GENERATED_FC)
353 endif
354
355 .PHONY: install-src install-appconfig conf html bare
The IPFire selinux policy.