2 # Makefile for the security policy.
6 # install - compile and install the policy configuration, and context files.
7 # load - compile, install, and load the policy configuration.
8 # reload - compile, install, and load/reload the policy configuration.
9 # relabel - relabel filesystems based on the file contexts configuration.
10 # checklabels - check filesystems against the file context configuration
11 # restorelabels - check filesystems against the file context configuration
12 # and restore the label of files with incorrect labels
13 # policy - compile the policy configuration locally for testing/development.
15 # The default target is 'policy'.
18 ########################################
20 # Configurable portions of the Makefile
24 # By default, checkpolicy will create the highest
25 # version policy it supports. Setting this will
26 # override the version.
30 # strict, targeted, strict-mls, targeted-mls
34 # If set, this will be used as the policy
35 # name. Otherwise the policy type will be
40 # Some distributions have portions of policy
41 # for programs or configurations specific to the
42 # distribution. Setting this will enable options
43 # for the distribution.
44 # redhat, gentoo, debian, and suse are current options.
45 # Fedora users should enable redhat.
48 # Build monolithic policy. Putting n here
49 # will build a loadable module policy.
52 # Uncomment this to disable command echoing
55 ########################################
57 # NO OPTIONS BELOW HERE
# Locations of the SELinux toolchain, all rooted at $(PREFIX).
# Simple (:=) assignment fixes each path once, when the line is parsed.
# These binaries compile, package and load the policy, so an overridden
# PREFIX decides which executables the build trusts.
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin

# policy compilers and the module packager
CHECKPOLICY := $(BINDIR)/checkpolicy
CHECKMODULE := $(BINDIR)/checkmodule
SEMOD_PKG := $(BINDIR)/semodule_package

# policy loading and file labeling tools
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles
GENHOMEDIRCON := $(SBINDIR)/genhomedircon

# XML validator; the documentation recipe only uses it when it is executable
XMLLINT := $(BINDIR)/xmllint
74 # policy source layout
# Policy source tree, relative to $(POLDIR).
MODDIR := $(POLDIR)/modules
FLASKDIR := $(POLDIR)/flask

# Flask definition files, all kept under $(FLASKDIR).
SECCLASS := $(FLASKDIR)/security_classes
ISIDS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
82 # policy building support tools
# Helper programs shipped in $(SUPPORT) and run during the build.
# Python helpers:
GENXML := $(SUPPORT)/segenxml.py
GENDOC := $(SUPPORT)/sedoctool.py
GENPERM := $(SUPPORT)/genclassperms.py
# Other helpers:
FCSORT := $(SUPPORT)/fc_sort
SETTUN := $(SUPPORT)/set_tunables
# Documentation inputs and outputs. Recursive (=) assignment: $(DOCS) is
# expanded at each use rather than when these lines are parsed.
POLXML = $(DOCS)/policy.xml
XMLDTD = $(DOCS)/policy.dtd
# Per-layer metadata file name; it is looked up inside each layer directory.
LAYERXML = metadata.xml
HTMLDIR = $(DOCS)/html
DOCTEMPLATE = $(DOCS)/templates
# Build configuration files kept at the top of $(POLDIR).
# MOD_CONF is read when the makefile is parsed to pick the modules to build;
# TUNABLES is the source of the installed booleans file.
GLOBALTUN := $(POLDIR)/global_tunables
MOD_CONF := $(POLDIR)/modules.conf
TUNABLES := $(POLDIR)/tunables.conf
# Installation layout. Recursive (=) assignment: $(DESTDIR) and $(NAME) are
# expanded at each use, so a value given later or on the command line applies.
# Every install path in this file is derived from these two variables.
# NOTE(review): recipes on this page remove and replace files below SRCPATH
# and the other paths here; confirm NAME is non-empty before install targets
# run, otherwise they operate directly under $(TOPDIR).
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(NAME)
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
110 # enable MLS if requested.
111 ifneq ($(findstring mls
,$(TYPE
)),)
112 override M4PARAM
+= -D enable_mls
117 # compile targeted policy if requested.
118 ifneq ($(findstring targeted
,$(TYPE
)),)
119 override M4PARAM
+= -D targeted_policy
122 # enable distribution-specific policy
124 override M4PARAM
+= -D distro_
$(DISTRO
)
127 ifneq ($(OUTPUT_POLICY
),)
128 CHECKPOLICY
+= -c
$(OUTPUT_POLICY
)
# Determine the policy version produced by the compiler and, if possible,
# the policy version of the running kernel. Both commands run once, at parse
# time.
# PV is the first space-separated field of the `checkpolicy -V` output. When
# OUTPUT_POLICY is set, CHECKPOLICY already carries "-c $(OUTPUT_POLICY)".
PV := $(shell $(CHECKPOLICY) -V | cut -d ' ' -f 1)
# KV is read from the selinuxfs node under /selinux. It is empty when that
# file cannot be read, for example when selinuxfs is mounted elsewhere or
# SELinux is disabled; cat's error message is not suppressed here.
KV := $(shell cat /selinux/policyvers)
139 # don't print version warnings if we are unable to determine
140 # the currently running kernel's policy version
# File name of the binary policy: "policy." followed by the version reported
# by checkpolicy. An empty PV leaves the name as "policy.".
POLVER := policy.$(PV)
148 ifneq ($(findstring targeted
,$(TYPE
)),)
149 APPCONF
:= config
/appconfig-targeted
151 APPCONF
:= config
/appconfig-strict
# m4 support macro files (*.spt). Recursive (=) assignment: the glob is
# re-evaluated each time the variable is expanded.
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
# Application context files are installed straight into $(CONTEXTPATH).
APPDIR := $(CONTEXTPATH)

# Everything install-appconfig must produce: the named context files in
# $(APPDIR), the media contexts file, and the booleans file.
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type \
	initrc_context failsafe_context userhelper_context removable_context \
	dbus_contexts customizable_types) \
	$(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans

# Source-side context files: whatever matches *_context* in $(APPCONF), plus
# media. Appended, so an earlier or command-line value is kept.
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media

# Inputs of the installed system.users file.
USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
# Policy layers: every directory directly inside $(MODDIR), minus the CVS
# metadata directory. "-maxdepth 0" limits find to the start points handed to
# it by the wildcard, so nothing below a layer is listed.
# NOTE(review): with no entries in $(MODDIR), find is called without a start
# point; GNU find then falls back to the current directory. Confirm that
# case cannot occur.
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# Files generated from a "<name>.in" template in any layer. $(basename ...)
# strips the trailing ".in", leaving the name of the generated file.
GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
# All module .te files: those present in a layer plus those generated from a
# template. $(sort) also removes duplicates, which appear when a generated
# file already exists on disk and is therefore matched by the wildcard too.
DETECTED_MODS := $(sort \
	$(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) \
	$(GENERATED_TE))
171 # modules.conf setting for base module
174 # modules.conf setting for module
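# Extract the module selections from modules.conf.
# awk keeps the lines whose first non-blank character is a letter and prints
# field 1 (the module name) when field 3 equals $(MODBASE) or $(MODMOD). Its
# stderr is discarded, so an unreadable $(MOD_CONF) gives an empty list. Each
# name is resolved to its .te file by a case-insensitive find below the
# current directory, and the "./" that find prints is stripped.
# The name is single-quoted and find gets an explicit "." start point: an
# entry containing glob or shell metacharacters reaches find as one pattern
# argument instead of being interpreted by the shell while the makefile is
# parsed, and the command no longer depends on find's implicit start point.
# NOTE(review): a name containing a single quote still breaks the quoting, so
# modules.conf has to be treated as trusted build input.
BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find . -iname '$(mod).te')))
MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find . -iname '$(mod).te')))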
# Scratch file for the home directory context template. It is a fixed name
# in the build tree's tmp/ directory.
HOMEDIR_TEMPLATE = tmp/homedir_template
183 ########################################
185 # Load appropriate rules
188 ifeq ($(MONOLITHIC
),y
)
189 include Rules.monolithic
191 include Rules.modular
194 ########################################
198 $(MODDIR
)/kernel
/corenetwork.if
: $(MODDIR
)/kernel
/corenetwork.if.m4
$(MODDIR
)/kernel
/corenetwork.if.in
200 @echo
"# This is a generated file! Instead of modifying this file, the" >> $@
201 @echo
"# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
203 $(QUIET
) cat
$(MODDIR
)/kernel
/corenetwork.if.in
>> $@
204 $(QUIET
) egrep
"^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@
:.if
=.te
).in \
205 | m4
-D monolithic_policy
$(M4PARAM
) $(M4SUPPORT
) $(MODDIR
)/kernel
/corenetwork.if.m4
- \
206 | sed
-e
's/dollarsone/\$$1/g' -e
's/dollarszero/\$$0/g' >> $@
208 $(MODDIR
)/kernel
/corenetwork.te
: $(MODDIR
)/kernel
/corenetwork.te.m4
$(MODDIR
)/kernel
/corenetwork.te.in
210 @echo
"# This is a generated file! Instead of modifying this file, the" >> $@
211 @echo
"# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
213 $(QUIET
) m4
-D monolithic_policy
$(M4PARAM
) $(M4SUPPORT
) $^ \
214 | sed
-e
's/dollarsone/\$$1/g' -e
's/dollarszero/\$$0/g' >> $@
216 ########################################
218 # Create config files
# conf: bring both configuration files and every template-generated
# .te/.if/.fc file up to date. The rule has no recipe of its own.
conf: $(MOD_CONF) $(TUNABLES) \
	$(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
# Regenerate modules.conf and tunables.conf from the policy XML.
# The documentation tool is run from inside $(DOCS), which is why every path
# it receives is prefixed with "../".
# NOTE(review): both files are listed as targets of one recipe, so make
# treats this as two independent rules; under "make -j" the tool may be
# started twice and write the same files concurrently.
$(MOD_CONF) $(TUNABLES): $(POLXML)
	@echo "Updating $(MOD_CONF) and $(TUNABLES)"
	$(QUIET) cd $(DOCS) && \
		../$(GENDOC) -t ../$(TUNABLES) -m ../$(MOD_CONF) -x ../$(POLXML)
226 ########################################
228 # Documentation generation
231 # minimal dependencies here, because we don't want to rebuild
232 # this and its dependents every time the dependencies
233 # change. Also use all .if files here, rather than just the
235 $(POLXML
): $(DETECTED_MODS
:.te
=.if
) $(foreach dir,$(ALL_LAYERS
),$(dir)/$(LAYERXML
))
238 $(QUIET
) echo
'<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
239 $(QUIET
) echo
'<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
240 $(QUIET
) $(GENXML
) -w
-m
$(LAYERXML
) -t
$(GLOBALTUN
) $(ALL_LAYERS
) >> $@
241 $(QUIET
) if
test -x
$(XMLLINT
) && test -f
$(XMLDTD
); then \
242 $(XMLLINT
) --noout
--dtdvalid
$(XMLDTD
) $@
;\
247 $(QUIET
) cd
$(DOCS
) && ..
/$(GENDOC
) -d ..
/$(HTMLDIR
) -T ..
/$(DOCTEMPLATE
) -x ..
/$(POLXML
)
248 $(QUIET
) cp
$(DOCTEMPLATE
)/*.css
$(HTMLDIR
)
250 ########################################
252 # Runtime binary policy patching of users
# Build and install system.users.
# A fixed "do not edit" banner is written to tmp/system.users, then the user
# definitions are expanded with m4 and appended with blank lines and comment
# lines filtered out, and the result is installed with mode 644.
# NOTE(review): the exit status of the pipeline is that of egrep, so a
# failing m4 goes unnoticed unless the shell runs with pipefail, and an
# incomplete file would still be installed.
$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	@mkdir -p $(@D)
	@echo "Installing system.users"
	@{ echo "# "; \
	   echo "# Do not edit this file. "; \
	   echo "# This file is replaced on reinstalls of this policy."; \
	   echo "# Please edit local.users to make local changes."; \
	   echo "#"; } > tmp/system.users
	$(QUIET) m4 -D monolithic_policy $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) \
		| egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users
	$(QUIET) install -m 644 tmp/system.users $@
# Install the administrator-editable local.users file with mode 644.
# "install -b" keeps a backup copy of an existing destination file before it
# is overwritten, so local changes are not lost on reinstall.
$(USERPATH)/local.users: config/local.users
	@mkdir -p $(@D)
	@echo "Installing local.users"
	$(QUIET) install -b -m 644 $< $@
271 ########################################
# install-appconfig: install every file listed in APPFILES. The work is done
# by the per-file rules; this rule only collects them.
install-appconfig: $(APPFILES)
# Build the installed booleans file from tunables.conf.
# Lines whose first non-blank character is a letter are kept, and the words
# false/true are rewritten to 0/1 before the file is installed with mode 644.
# NOTE(review): the sed expressions are unanchored and global, so "true" or
# "false" inside a tunable's name is rewritten as well, not only its value.
$(INSTALLDIR)/booleans: $(TUNABLES)
	@mkdir -p $(INSTALLDIR)
	$(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $< \
		| sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
	$(QUIET) install -m 644 tmp/booleans $@
# Install the media contexts file, creating the files/ directory first.
# Mode 644: readable by everyone, writable only by the installing owner.
$(CONTEXTPATH)/files/media: $(APPCONF)/media
	@mkdir -p $(@D)/
	$(QUIET) install -m 644 $< $@
287 $(APPDIR
)/default_contexts
: $(APPCONF
)/default_contexts
289 $(QUIET
) install -m
644 $< $@
291 $(APPDIR
)/removable_context
: $(APPCONF
)/removable_context
293 $(QUIET
) install -m
644 $< $@
295 $(APPDIR
)/customizable_types
: policy.conf
297 $(QUIET
) grep
"^type .*customizable" $< | cut
-d
',' -f1 | cut
-d
' ' -f2
> tmp
/customizable_types
298 $(QUIET
) install -m
644 tmp
/customizable_types
$@
300 $(APPDIR
)/default_type
: $(APPCONF
)/default_type
302 $(QUIET
) install -m
644 $< $@
304 $(APPDIR
)/userhelper_context
: $(APPCONF
)/userhelper_context
306 $(QUIET
) install -m
644 $< $@
308 $(APPDIR
)/initrc_context
: $(APPCONF
)/initrc_context
310 $(QUIET
) install -m
644 $< $@
312 $(APPDIR
)/failsafe_context
: $(APPCONF
)/failsafe_context
314 $(QUIET
) install -m
644 $< $@
316 $(APPDIR
)/dbus_contexts
: $(APPCONF
)/dbus_contexts
318 $(QUIET
) install -m
644 $< $@
# Install the default contexts for root as users/root (mode 644), creating
# the users/ directory first.
$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
	@mkdir -p $(@D)
	$(QUIET) install -m 644 $< $@
324 ########################################
326 # Install policy sources
329 rm -rf
$(SRCPATH
)/policy.old
330 -mv
$(SRCPATH
)/policy
$(SRCPATH
)/policy.old
331 mkdir
-p
$(SRCPATH
)/policy
332 cp
-R .
$(SRCPATH
)/policy
334 ########################################
340 rm -f
$(SUPPORT
)/*.pyc
345 ifneq ($(GENERATED_TE
),)
346 rm -f
$(GENERATED_TE
)
348 ifneq ($(GENERATED_IF
),)
349 rm -f
$(GENERATED_IF
)
351 ifneq ($(GENERATED_FC
),)
352 rm -f
$(GENERATED_FC
)
# Targets that name an action rather than a file; make always runs them.
# NOTE(review): the targets listed in the header of this file (install, load,
# relabel, ...) are not declared here; presumably the included Rules files
# declare them. Confirm.
.PHONY: install-src install-appconfig \
	conf html bare