2 # Makefile for the security policy.
6 # install - compile and install the policy configuration, and context files.
7 # load - compile, install, and load the policy configuration.
8 # reload - compile, install, and load/reload the policy configuration.
9 # relabel - relabel filesystems based on the file contexts configuration.
10 # checklabels - check filesystems against the file context configuration
11 # restorelabels - check filesystems against the file context configuration
12 # and restore the label of files with incorrect labels
13 # policy - compile the policy configuration locally for testing/development.
15 # The default target is 'policy'.
18 # Please see build.conf for policy build options.
21 ########################################
23 # NO OPTIONS BELOW HERE
# Locations of the SELinux userspace tools.  Everything is rooted at
# $(PREFIX), which is defined earlier in the file or in build.conf
# (see the header above), and evaluated once (:=).
BINDIR		:= ${PREFIX}/bin
SBINDIR		:= ${PREFIX}/sbin

# policy compilers and the module packager (in bin)
CHECKPOLICY	:= ${BINDIR}/checkpolicy
CHECKMODULE	:= ${BINDIR}/checkmodule
SEMOD_PKG	:= ${BINDIR}/semodule_package

# policy management, loading and labelling tools (in sbin)
SEMODULE	:= ${SBINDIR}/semodule
LOADPOLICY	:= ${SBINDIR}/load_policy
SETFILES	:= ${SBINDIR}/setfiles
GENHOMEDIRCON	:= ${SBINDIR}/genhomedircon

# XML validation (used on the generated policy.xml) and policy analysis
XMLLINT		:= ${BINDIR}/xmllint
SECHECK		:= ${BINDIR}/sechecker
# policy source layout: the module layers and the flask object
# definitions both live below $(POLDIR), which is set before this point.
FLASKDIR	:= ${POLDIR}/flask
MODDIR		:= ${POLDIR}/modules

# the three flask definition files
SECCLASS	:= ${FLASKDIR}/security_classes
ISIDS		:= ${FLASKDIR}/initial_sids
AVS		:= ${FLASKDIR}/access_vectors
# policy building support tools, all found under $(SUPPORT)
# (GENXML produces policy.xml, GENDOC produces modules.conf,
# booleans.conf and the HTML documentation; see the rules below)
GENXML	:= ${SUPPORT}/segenxml.py
GENDOC	:= ${SUPPORT}/sedoctool.py
GENPERM	:= ${SUPPORT}/genclassperms.py
FCSORT	:= ${SUPPORT}/fc_sort
SETTUN	:= ${SUPPORT}/set_tunables
# documentation inputs and outputs.  All but LAYERXML live below $(DOCS);
# LAYERXML is the per-layer metadata file name, looked up relative to each
# layer directory.  Kept recursively expanded (=) as in the original, so
# DOCS is resolved at use time.
LAYERXML	= metadata.xml
POLXML		= ${DOCS}/policy.xml
XMLDTD		= ${DOCS}/policy.dtd
HTMLDIR		= ${DOCS}/html
DOCTEMPLATE	= ${DOCS}/templates
# policy-wide configuration files, all directly in $(POLDIR).
# modules.conf and booleans.conf are regenerated by the conf target below.
GLOBALTUN	:= ${POLDIR}/global_tunables
GLOBALBOOL	:= ${POLDIR}/global_booleans
TUNABLES	:= ${POLDIR}/tunables.conf
BOOLEANS	:= ${POLDIR}/booleans.conf
MOD_CONF	:= ${POLDIR}/modules.conf
# installation layout.  DESTDIR (staging root, usually empty) and NAME
# (the policy's name) come from outside this section; the paths stay
# recursively expanded (=) as in the original.
TOPDIR		= ${DESTDIR}/etc/selinux
INSTALLDIR	= ${TOPDIR}/${NAME}
SRCPATH		= ${INSTALLDIR}/src
USERPATH	= ${INSTALLDIR}/users
CONTEXTPATH	= ${INSTALLDIR}/contexts
# where packaged loadable modules are installed
MODPKGDIR	= ${DESTDIR}/usr/share/selinux/${NAME}
# compile strict policy if requested.
#
# The policy flavour is selected by the TYPE build option (presumably from
# build.conf, read before this point).  Each findstring test turns a piece
# of TYPE into an m4 define (-D) that the policy sources test.  findstring
# is a substring match, so a TYPE such as "strict-mls" takes both the
# "strict" and the "-mls" branches.  `override` is used so that a TYPE or
# CHECKPOLICY given on the command line cannot drop these flags.
#
# NOTE(review): the closing `endif` lines of this section are not on the
# page; each conditional is assumed to end right after the lines shown.
ifneq ($(findstring strict,$(TYPE)),)
  override M4PARAM += -D strict_policy

# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
  override M4PARAM += -D targeted_policy

# enable MLS if requested.
# -M is the MLS option of checkpolicy/checkmodule; the compilers must be
# told about MLS as well as the m4 preprocessing.
ifneq ($(findstring -mls,$(TYPE)),)
  override M4PARAM += -D enable_mls
  override CHECKPOLICY += -M
  override CHECKMODULE += -M

# enable MLS if MCS requested.
# MCS is built on the MLS machinery, so the compilers get -M here too.
ifneq ($(findstring -mcs,$(TYPE)),)
  override M4PARAM += -D enable_mcs
  override CHECKPOLICY += -M
  override CHECKMODULE += -M
# enable distribution-specific policy
#
# NOTE(review): the conditional guarding this assignment, the one for
# polyinstantiation and the one for hide_broken_symptoms are not on the
# page; only the assignments are visible.  Presumably each is taken only
# when the matching build option is set.
  override M4PARAM += -D distro_$(DISTRO)

# enable polyinstantiation
  override M4PARAM += -D enable_polyinstantiation

# OUTPUT_POLICY is handed to checkpolicy as its -c (policy version)
# option, so the binary policy can be built for a specific kernel version.
ifneq ($(OUTPUT_POLICY),)
  override CHECKPOLICY += -c $(OUTPUT_POLICY)

ifeq ($(DIRECT_INITRC),y)
  override M4PARAM += -D direct_sysadm_daemon

# NOTE(review): guarded by a conditional that is not on the page.
  override M4PARAM += -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named
# differently on different distros
#
# The tags recipe below checks `$(CTAGS) --version` for "Exuberant" before
# doing anything, so a wrong name here fails loudly rather than silently.
# NOTE(review): the closing `endif`s, and any default value of CTAGS for
# other distributions, are not on the page.
ifeq ($(DISTRO),debian)
  CTAGS := ctags-exuberant

ifeq ($(DISTRO),gentoo)
  CTAGS := exuberant-ctags
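# determine the policy version and current kernel version if possible
#
# PV - the policy version reported by the checkpolicy in use (the first
#      blank-separated word of `checkpolicy -V`; CHECKPOLICY may already
#      carry -M / -c options from the TYPE handling above).
# KV - the policy version supported by the running kernel, read from
#      /selinux/policyvers.
# Both are evaluated once, at parse time (:=), and are empty when the
# tool or file is unavailable.  stderr is discarded so that a missing
# checkpolicy or an unmounted /selinux does not print an error on every
# make invocation; an empty value is already treated as "unknown" by the
# version-warning logic that follows.
PV := $(shell $(CHECKPOLICY) -V 2>/dev/null | cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers 2>/dev/null)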
147 # don't print version warnings if we are unable to determine
148 # the currently running kernel's policy version
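# m4 support macros (.spt) included in every m4 run.  Expanded once (:=):
# POLDIR is already set above, and the glob must not be re-run on every
# reference (the original used `=`, which re-evaluates $(wildcard) each
# time the variable is expanded).
M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)

# application configuration: the per-TYPE appconfig source directory,
# the contexts directory it is installed to, and the installed files
APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
# appended (+=) so that anything already in CONTEXTFILES is kept
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
# user declarations fed into the system.users rule below
USER_FILES := $(POLDIR)/users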
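# every layer directory under $(MODDIR): each immediate subdirectory
# except CVS.  `find -maxdepth 0 -type d` keeps only the directories among
# the wildcard matches.  The $(if) guard matters: with no matches, `find`
# would be run with no path argument and report ".", turning the
# top-level directory into a bogus layer.
ALL_LAYERS := $(if $(wildcard $(MODDIR)/*),$(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d)))

# modules whose .te/.if/.fc are generated from a .in template; the
# generated file name is the template name with the .in suffix stripped
GENERATED_TE := $(basename $(wildcard $(addsuffix /*.te.in,$(ALL_LAYERS))))
GENERATED_IF := $(basename $(wildcard $(addsuffix /*.if.in,$(ALL_LAYERS))))
GENERATED_FC := $(basename $(wildcard $(addsuffix /*.fc.in,$(ALL_LAYERS))))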
# all policy module .te files across every layer, plus the ones that will
# be generated from .te.in templates.  $(sort) also de-duplicates, which
# matters when a generated .te already exists on disk and is therefore
# picked up by the wildcard as well.
DETECTED_MODS := $(sort $(wildcard $(addsuffix /*.te,$(ALL_LAYERS))) $(GENERATED_TE))
171 # modules.conf setting for base module
174 # modules.conf setting for loadable module
177 # modules.conf setting for unused module
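# extract settings from modules.conf
#
# modules.conf lines are presumably of the form `name = setting`.
# $(call mods_with,SETTING) yields "name.te" for every line whose third
# field is SETTING.  Comment and blank lines never pass the leading
# [[:alpha:]] test, and a missing modules.conf (not yet produced by the
# conf target) simply gives an empty list because stderr is dropped.
# The `$$` escapes are kept so that awk receives `$3` and `$1`.
mods_with = $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(1)") print $$1 }' $(MOD_CONF) 2> /dev/null))

BASE_MODS := $(call mods_with,$(MODBASE))
MOD_MODS := $(call mods_with,$(MODMOD))
OFF_MODS := $(call mods_with,$(MODUNUSED))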
########################################
#
# Load appropriate rules
#
# The build rules proper live in a separate file selected by the
# MONOLITHIC build option (by their names: one monolithic policy vs.
# loadable modules).  Everything defined above is visible to the
# included file.
# NOTE(review): the `else`/`endif` around the two includes are not on the
# page; Rules.modular is presumably the else branch.
ifeq ($(MONOLITHIC),y)
include Rules.monolithic
include Rules.modular
196 ########################################
# Generate corenetwork.if from its template pieces: the .in part is copied
# verbatim, then every network_interface/node/port declaration found in
# corenetwork.te.in ($(@:.if=.te).in) is fed on stdin ("-") through m4
# together with corenetwork.if.m4.  dollarsone/dollarszero are
# placeholders that become $1/$0 in the output; `$$` keeps the `$` from
# make.
#
# NOTE(review): this rule is not complete on the page - one recipe line
# before the first echo and one between the echos and the cat are missing,
# so whether $@ is truncated before the `>>` appends cannot be seen here.
# Only sed's exit status reaches make from the pipeline, so a failing
# egrep or m4 would leave a partial $@ that looks up to date.
$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
	@echo "# This is a generated file! Instead of modifying this file, the" >> $@
	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
	$(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
	$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
		| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
# Generate corenetwork.te: both prerequisites ($^, the .m4 macros then the
# .in body) go through m4, and the dollarsone/dollarszero placeholders
# are turned back into $1/$0.
#
# NOTE(review): as for corenetwork.if above, one recipe line before the
# first echo and one after the second are not on the page, so the line
# that truncates $@ (if any) is not visible.  Only sed's exit status
# reaches make from the pipeline.
$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
	@echo "# This is a generated file! Instead of modifying this file, the" >> $@
	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
	$(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
218 ########################################
220 # Create config files
## conf: (re)generate modules.conf and booleans.conf from policy.xml and
## every .te/.if/.fc that has a .in template.  Phony (see .PHONY at the
## end of the file); it has no recipe of its own, only prerequisites.
conf: $(MOD_CONF) $(BOOLEANS) \
    $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
# Regenerate modules.conf and booleans.conf from policy.xml with
# sedoctool.  It is run from inside $(DOCS) (cd ... &&), so every path is
# rewritten relative to that directory (../); that is why both commands
# share one shell line.
#
# NOTE(review): two targets in one header define two separate rules that
# share this recipe; each run rewrites BOTH files, and under `make -j`
# the two rules can run concurrently on the same outputs.  A grouped
# target (`&:`, GNU make >= 4.3) or a stamp file would make the single
# invocation explicit.
$(MOD_CONF) $(BOOLEANS): $(POLXML)
	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
	$(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
228 ########################################
230 # Documentation generation
233 # minimal dependencies here, because we don't want to rebuild
234 # this and its dependents every time the dependencies
235 # change. Also use all .if files here, rather than just the
# Build policy.xml: an XML declaration, a DOCTYPE naming policy.dtd, then
# the output of segenxml over every layer (-m layer metadata, -t global
# tunables, -b global booleans).  Prerequisites are deliberately minimal
# (see the comment above): the .if of every detected module plus each
# layer's metadata.xml.
#
# DTD validation is best-effort: it only runs when both xmllint and the
# DTD are present, so on a host without xmllint a malformed policy.xml is
# not caught here.
#
# NOTE(review): this rule is not complete on the page - recipe lines
# between the header and the first echo, and the `fi` closing the
# if/then, are missing.
$(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	$(QUIET) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
	$(QUIET) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@
	$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
# Build the HTML interface reference into $(HTMLDIR) with sedoctool, from
# the templates in $(DOCTEMPLATE) and policy.xml, then copy the
# stylesheets alongside.  sedoctool runs from inside $(DOCS), hence the
# ../ prefixes on every path.
# NOTE(review): the rule header (the `html` target listed in .PHONY
# below) and the recipe line after the echo are not on the page.
	@echo "Building html interface reference documentation in $(HTMLDIR)"
	$(QUIET) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML)
	$(QUIET) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
253 ########################################
255 # Runtime binary policy patching of users
# Install system.users: the policy's user declarations, assembled by m4
# from the support macros, the generated definitions and $(USER_FILES),
# with leading blanks, blank lines and comment lines stripped.  The file
# is staged in tmp/ and installed with mode 644; its header tells admins
# that local changes belong in local.users.  Note that only sed's exit
# status reaches make from the m4 pipeline.
$(USERPATH)/system.users: $(M4SUPPORT) tmp/generated_definitions.conf $(USER_FILES)
	@mkdir -p $(@D)
	@echo "Installing system.users"
	@printf '%s\n' "# " "# Do not edit this file. " "# This file is replaced on reinstalls of this policy." "# Please edit local.users to make local changes." "#" > tmp/system.users
	$(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ \
		| sed -r -e 's/^[[:blank:]]+//' -e '/^[[:blank:]]*($$|#)/d' >> tmp/system.users
	$(QUIET) install -m 644 tmp/system.users $@
# Install the site-local user declarations.  `install -b` backs up an
# existing local.users first, since that file is the one meant to hold
# local edits.
$(USERPATH)/local.users: config/local.users
	@mkdir -p $(@D)
	@echo "Installing local.users"
	$(QUIET) install -b -m 644 $< $@
274 ########################################
## install-appconfig: install the per-TYPE application configuration
## files ($(APPFILES)) into the contexts directory.  Phony; every file has
## its own install rule below.
install-appconfig: $(APPFILES)
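# Install the booleans file in its runtime form: booleans.conf with
# true/false turned into 1/0, comment and blank lines dropped, sorted.
# It is staged in tmp/ and installed with mode 644.
#
# The substitutions are anchored to whole words (\<...\>).  The original
# `s/false/0/g` and `s/true/1/g` also rewrote "true"/"false" wherever they
# appeared inside a boolean NAME (e.g. a constructed "allow_truecrypt"
# became "allow_1crypt"), silently corrupting the installed file.  \< and
# \> are GNU sed extensions, as is the -r already in use.
$(INSTALLDIR)/booleans: $(BOOLEANS)
	@mkdir -p $(INSTALLDIR)
	$(QUIET) sed -r -e 's/\<false\>/0/g' -e 's/\<true\>/1/g' \
		-e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > tmp/booleans
	$(QUIET) install -m 644 tmp/booleans $@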
# the removable-media contexts file lives one level down, in files/
$(CONTEXTPATH)/files/media: $(APPCONF)/media
	@mkdir -p $(@D)
	$(QUIET) install -m 644 $< $@
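# Install the per-TYPE application context configuration files from
# $(APPCONF) into $(APPDIR).  One static pattern rule replaces eight
# copy-pasted rules; the target list is explicit so a missing source file
# fails loudly instead of falling through to an implicit rule.  $(@D) is
# created first because the contexts directory need not exist yet.
# NOTE(review): in the original, the recipe line between each rule header
# and its install command is not on the page; creating $(@D) here is a
# safe superset of whatever it was.
appconf_files := default_contexts removable_context default_type \
    userhelper_context initrc_context failsafe_context dbus_contexts

$(addprefix $(APPDIR)/,$(appconf_files)): $(APPDIR)/%: $(APPCONF)/%
	@mkdir -p $(@D)
	$(QUIET) install -m 644 $< $@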
# the root user's default contexts live in a per-user subdirectory
$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
	@mkdir -p $(@D)
	$(QUIET) install -m 644 $< $@
########################################
#
# Install policy sources
#
# NOTE(review): the rule header (install-src, listed in .PHONY below) is
# not on the page; these are its recipe lines.
# Rotate the previously installed source tree to policy.old, then copy
# the whole current directory (cp -R .) into $(SRCPATH)/policy.  The `-`
# on mv ignores its error, presumably for a first install where there is
# no previous policy directory to move.  Note that `.` is everything in
# the working tree (e.g. tmp/, CVS directories, generated files), not
# just the sources.
	rm -rf $(SRCPATH)/policy.old
	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
	mkdir -p $(SRCPATH)/policy
	cp -R . $(SRCPATH)/policy
########################################
#
# Generate a tags file for the policy sources
#
# NOTE(review): the `tags:` rule header is not on the page; these are its
# recipe lines (tags is listed in .PHONY below).
# The first line refuses to run unless $(CTAGS) is Exuberant ctags, since
# the --langdef/--regex-<lang> options below are what the distro-specific
# CTAGS setting above exists for.  LC_ALL=C presumably keeps the tag
# order locale-independent.  The regexes define a "te" pseudo-language
# covering types, type aliases, attributes, m4 defines, interfaces and
# booleans, scanned over every module's .te/.if and the support .spt
# files.  The source paths are hard-coded here rather than taken from
# $(MODDIR)/$(POLDIR), and the .{if,te} brace expansion needs a bash-like
# SHELL (a POSIX sh would pass the pattern through literally); SHELL is
# not set anywhere on the page.
	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te.if.spt \
		--regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
		--regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
		--regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
		--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
		--regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
		--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
########################################
#
# Clean-up fragments
#
# NOTE(review): the rule headers (the `bare` target in .PHONY, and any
# others) and the `endif` lines are not on the page; only these recipe
# lines and their guards are visible.  The ifneq guards are make
# conditionals evaluated at parse time, so an `rm` line is only part of
# the recipe when the corresponding generated-file list is non-empty.
	rm -f $(SUPPORT)/*.pyc
ifneq ($(GENERATED_TE),)
	rm -f $(GENERATED_TE)
ifneq ($(GENERATED_IF),)
	rm -f $(GENERATED_IF)
ifneq ($(GENERATED_FC),)
	rm -f $(GENERATED_FC)
# targets that are commands rather than files: never considered up to
# date, so a stray file of the same name cannot break them
.PHONY: bare conf html \
    install-appconfig install-src tags