# Makefile for the security policy.
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# checklabels - check filesystems against the file context configuration.
# restorelabels - check filesystems against the file context configuration
# and restore the label of files with incorrect labels.
# policy - compile the policy configuration locally for testing/development.
# The default target is 'policy'.
# Please see build.conf for policy build options.
########################################
# NO OPTIONS BELOW HERE
# Include the local build.conf if it exists, otherwise
# include the configuration of the root directory.
# NOTE(review): only the local-root branch is visible in this listing; the
# surrounding conditional and the fallback include described above are not
# shown here.
include $(LOCAL_ROOT)/build.conf
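# Policy version string, read from the VERSION file in the current directory.
# Simple assignment (:=) runs `cat` once at parse time instead of re-running
# it on every expansion of $(VERSION) (it is expanded through PKGNAME and
# DOCSDIR below).
VERSION := $(shell cat VERSION)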
# Build tree locations when a local root is in use.  Note that BUILDDIR
# carries a trailing slash while TMPDIR and TAGS do not.
# NOTE(review): the conditional selecting these values, and the
# non-local-root alternative, are not visible in this listing.
BUILDDIR := $(LOCAL_ROOT)/
TMPDIR := $(LOCAL_ROOT)/tmp
TAGS := $(LOCAL_ROOT)/tags
# Paths of the SELinux userspace tools used by the build, install and
# labeling rules.  BINDIR and SBINDIR are referenced here but defined outside
# the visible part of this listing.  CHECKPOLICY has "-c <version>" appended
# further down when OUTPUT_POLICY is set; XMLLINT is only used to validate the
# generated policy XML when it is present (see the $(POLXML) rule).
CHECKPOLICY := $(BINDIR)/checkpolicy
CHECKMODULE := $(BINDIR)/checkmodule
SEMODULE := $(SBINDIR)/semodule
SEMOD_PKG := $(BINDIR)/semodule_package
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles
GENHOMEDIRCON := $(SBINDIR)/genhomedircon
XMLLINT := $(BINDIR)/xmllint
SECHECK := $(BINDIR)/sechecker
# interpreters and aux tools
# NOTE(review): the tool definitions this heading introduces (PYTHON, AWK and
# friends are used below) are not visible in this listing.

# policy source layout
# POLDIR (the root of the policy sources) is referenced here but defined
# outside the visible part of this listing.
MODDIR := $(POLDIR)/modules
FLASKDIR := $(POLDIR)/flask
# The flask security_classes, initial_sids and access_vectors files; AVS and
# SECCLASS are the inputs of genclassperms (see install-headers).
SECCLASS := $(FLASKDIR)/security_classes
ISIDS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors

# Local-root counterparts of POLDIR and MODDIR.
LOCAL_POLDIR := $(LOCAL_ROOT)/policy
LOCAL_MODDIR := $(LOCAL_POLDIR)/modules
# policy building support tools
# PYTHON, SUPPORT and AWK are expected to be defined earlier (not visible in
# this listing).
GENXML := $(PYTHON) $(SUPPORT)/segenxml.py
GENDOC := $(PYTHON) $(SUPPORT)/sedoctool.py
GENPERM := $(PYTHON) $(SUPPORT)/genclassperms.py
# fc_sort is compiled into TMPDIR by the $(FCSORT) rule below.
FCSORT := $(TMPDIR)/fc_sort
SETBOOLS := $(AWK) -f $(SUPPORT)/set_bools_tuns.awk
# Documentation inputs (DOCS is not defined in the visible part of this
# listing; these are recursive assignments, so it is resolved on use).
XMLDTD = $(DOCS)/policy.dtd
LAYERXML = metadata.xml
DOCTEMPLATE = $(DOCS)/templates
DOCFILES = $(DOCS)/Makefile.example $(addprefix $(DOCS)/,example.te example.if example.fc)

# Generated documentation outputs: the policy XML description and the HTML
# interface reference.  The second pair places them under the local root.
# NOTE(review): the conditional selecting between the two pairs is not
# visible in this listing; as shown, the second pair simply overrides the
# first.
POLXML = $(DOCS)/policy.xml
HTMLDIR = $(DOCS)/html
POLXML = $(LOCAL_ROOT)/doc/policy.xml
HTMLDIR = $(LOCAL_ROOT)/doc/html
# Global policy inputs shared by all modules.
GLOBALTUN = $(POLDIR)/global_tunables
GLOBALBOOL = $(POLDIR)/global_booleans
TUNABLES = $(POLDIR)/tunables.conf
# rolemap is expanded through m4 and read as three-field lines by the
# parse-rolemap template and by install-headers below.
ROLEMAP = $(POLDIR)/rolemap
# Policy users definition, one of the m4 inputs of system.users.
USER_FILES := $(POLDIR)/users
# local config file paths
# modules.conf selects which modules are base/module/off; booleans.conf holds
# the boolean defaults.  The second pair points at the local-root policy
# directory.
# NOTE(review): the conditional selecting between the two pairs is not
# visible in this listing; as shown, the second pair simply overrides the
# first.
MOD_CONF = $(POLDIR)/modules.conf
BOOLEANS = $(POLDIR)/booleans.conf
MOD_CONF = $(LOCAL_POLDIR)/modules.conf
BOOLEANS = $(LOCAL_POLDIR)/booleans.conf
# Installation layout.  Every path hangs off DESTDIR so a staged install
# (make DESTDIR=<root> ...) stays inside that root.  All of these are
# recursive assignments and are resolved when the install rules run.
PKGNAME ?= refpolicy-$(VERSION)
PREFIX = $(DESTDIR)/usr
TOPDIR = $(DESTDIR)/etc/selinux
# NAME selects the /etc/selinux/<NAME> tree.  If NAME were empty, INSTALLDIR
# would collapse to TOPDIR/ and everything below (including the rm -rf in
# install-src) would operate directly under /etc/selinux.
INSTALLDIR = $(TOPDIR)/$(NAME)
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
# file_contexts: the specification passed to setfiles by the labeling rules.
FCPATH = $(CONTEXTPATH)/files/file_contexts
SHAREDIR = $(PREFIX)/share/selinux
MODPKGDIR = $(SHAREDIR)/$(NAME)
# Development headers installed by install-headers.
HEADERDIR = $(MODPKGDIR)/include
DOCSDIR = $(PREFIX)/share/doc/$(PKGNAME)
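# m4 definitions derived from the build configuration.  Each flag is appended
# to M4PARAM and consumed by the m4 invocations in the rules below.  TYPE is
# matched by substring, so a value such as "strict-mls" enables both the
# strict and the MLS definitions.
# NOTE(review): the closing endif of each conditional was not visible in this
# listing and has been restored; the guards for the distro, polyinstantiation
# and hide_broken_symptoms definitions, and the NAME fallback, are not visible
# at all and are left as shown.

# compile strict policy if requested.
ifneq ($(findstring strict,$(TYPE)),)
M4PARAM += -D strict_policy
endif

# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
M4PARAM += -D targeted_policy
endif

# enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),)
M4PARAM += -D enable_mls
endif

# enable MCS if requested.
ifneq ($(findstring -mcs,$(TYPE)),)
M4PARAM += -D enable_mcs
endif

# enable distribution-specific policy
# NOTE(review): the guard (presumably on DISTRO being set) is not visible here.
M4PARAM += -D distro_$(DISTRO)

# enable polyinstantiation
# NOTE(review): the guard (presumably on POLY, cf. the POLY line that
# install-headers writes to build.conf) is not visible here.
M4PARAM += -D enable_polyinstantiation

# build a specific binary policy version if requested.
ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY)
endif

# if not set, use the type as the name.
# NOTE(review): the assignment implementing this is not visible here.

# run init scripts directly in the sysadm domain if requested.
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif

# NOTE(review): the guard for this definition is not visible here.
M4PARAM += -D hide_broken_symptoms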
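# we need exuberant ctags; unfortunately it is named
# differently on different distros
# NOTE(review): the closing endif lines were not visible in this listing and
# have been restored; a default CTAGS value for other distributions is not
# visible here.
ifeq ($(DISTRO),debian)
CTAGS := ctags-exuberant
endif
ifeq ($(DISTRO),gentoo)
CTAGS := exuberant-ctags
endif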
# determine the policy version and current kernel version if possible
# PV: the first whitespace-delimited word of `checkpolicy -V`, i.e. the
# policy version the installed checkpolicy produces.  Both shell commands run
# at parse time on every make invocation.
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
# KV: the policy version supported by the running kernel, read from the
# selinuxfs mount at /selinux.  Empty when that file cannot be read.
KV := $(shell cat /selinux/policyvers)
# don't print version warnings if we are unable to determine
# the currently running kernel's policy version
# NOTE(review): the code implementing this (presumably a conditional on KV)
# is not visible in this listing.
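# m4 support macro files (*.spt) from the policy tree and, if present, from
# the local root.  They are fed to m4 ahead of the policy sources (see the
# system.users rule) and installed by install-headers.  Simple assignment
# evaluates the glob once at parse time instead of on every expansion; the
# order of the files is whatever $(wildcard) returns.
M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt $(LOCAL_POLDIR)/support/*.spt)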
# Application configuration (context files) for the selected policy TYPE.
APPCONF := config/appconfig-$(TYPE)
SEUSERS := $(APPCONF)/seusers
# Installed location of the appconfig files.  Simple assignment fixes the
# current values of DESTDIR and NAME (via CONTEXTPATH) at this point.
APPDIR := $(CONTEXTPATH)
# Files installed by install-appconfig (rules below).
# NOTE(review): customizable_types is listed here but no rule for
# $(APPDIR)/customizable_types is visible in this listing.
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
# Source context files: every *_context / *_contexts file in APPCONF plus
# the media file.
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
# Discover the policy layers: every directory directly below MODDIR (and
# below LOCAL_MODDIR), except a CVS directory.  `find ... -maxdepth 0 -type d`
# only filters the already-globbed entries down to directories.
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# NOTE(review): the conditional guarding the local-root layers is not
# visible in this listing.  Without such a guard an empty glob would leave
# `find` with no paths, and GNU find then searches "." and adds it as a layer.
ALL_LAYERS += $(filter-out $(LOCAL_MODDIR)/CVS,$(shell find $(wildcard $(LOCAL_MODDIR)/*) -maxdepth 0 -type d))

# Sources that are produced from *.in templates (see the corenetwork rules
# below); $(basename) strips the .in suffix to name the generated file.
GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))

# All modules present in the tree (not just the enabled ones).
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
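# modules.conf setting for base module
# modules.conf setting for loadable module
# modules.conf setting for unused module
# NOTE(review): the MODBASE, MODMOD and MODUNUSED values these comments
# introduce are not visible in this listing; the awk filters below compare
# against them.

# test for module overrides from command line
# A module may be listed in only one of APPS_ON, APPS_MODS and APPS_OFF;
# MOD_TEST collects every name that appears in two of them, and the build is
# refused at parse time if there is any.
# NOTE(review): the closing endif was not visible in this listing and has
# been restored.
MOD_TEST = $(filter $(APPS_OFF), $(APPS_ON) $(APPS_MODS))
MOD_TEST += $(filter $(APPS_MODS), $(APPS_ON))
ifneq ($(strip $(MOD_TEST)),)
$(error Applications must be on, module, or off, and not in more than one list! $(strip $(MOD_TEST)) found in multiple lists!)
endif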
# extract settings from modules.conf
# Each filter prints the first field of every modules.conf line that starts
# with a letter and whose third field equals $(MODBASE), $(MODMOD) or
# $(MODUNUSED) respectively; the command-line overrides APPS_ON / APPS_MODS /
# APPS_OFF are merged in, duplicates removed, and ".te" appended.  "$$" is
# Make's escape for the awk field variables; "2> /dev/null" hides the error
# when modules.conf does not exist yet (it is generated by the conf target).
BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_ON)))
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
# filesystems to be used in labeling targets
# Recursive (=) assignment: `mount` runs each time FILESYSTEMS is expanded,
# which in this file only happens inside the labeling recipes, not on every
# make invocation.  Mounts carrying a context= option and bind mounts are
# skipped; of the rest, read-write ext2/ext3, xfs and jfs mount points
# (field 3 of mount's output) are kept.
# NOTE(review): the result is whitespace-split when passed to setfiles, so a
# mount point containing spaces would be mangled.
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
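########################################
#
# parse-rolemap modulename,outputfile
#
# Expands the rolemap through m4 and appends, for every entry (one line
# starting with a letter, three fields), a gen_require() for its type and
# role followed by a call to <modulename>_per_userdomain_template.
# NOTE(review): the define/endef lines of this template were not visible in
# this listing; they are restored from the $(call parse-rolemap,...) below.
define parse-rolemap
	$(verbose) m4 $(M4PARAM) $(ROLEMAP) | \
	awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef

# peruser-expansion modulename,outputfile
#
# Writes the parse-rolemap output to outputfile wrapped in an m4 ifdef() on
# <modulename>_per_userdomain_template, so the expansion is empty for a
# module that does not define that template.
# NOTE(review): the closing endef was not visible in this listing and has
# been restored.
define peruser-expansion
	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
	$(call parse-rolemap,$1,$2)
	$(verbose) echo "')" >> $2
endef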
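########################################
#
# Load appropriate rules
#
# MONOLITHIC=y selects the single monolithic policy build, anything else the
# loadable-module build.  The rule files are included only after every
# variable above has been defined.
# NOTE(review): the else/endif of this conditional were not visible in this
# listing and have been restored; the two includes are alternatives.
ifeq ($(MONOLITHIC),y)
include Rules.monolithic
else
include Rules.modular
endif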
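########################################
#
# Generated corenetwork sources (kernel layer)
#
# NOTE: There is no "local" version of these files.
#
# corenetwork.if is assembled from the hand-written corenetwork.if.in plus
# interfaces generated by feeding every network_interface/node/port()
# declaration of corenetwork.te.in through the corenetwork.if.m4 template.
# corenetwork.te.in is therefore a real input of this rule and is listed as
# a prerequisite so that editing it regenerates the interface file.  The
# first echo truncates $@ so a stale or partially written file is never
# appended to.  The template apparently spells $1/$0 as dollarsone/dollarszero
# to keep m4 from consuming them; sed restores them after expansion.
$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in $(MODDIR)/kernel/corenetwork.te.in
	@echo "# This is a generated file! Instead of modifying this file, the" > $@
	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
	$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
	$(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
	| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
	| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@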
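# corenetwork.te is the m4 expansion of corenetwork.te.m4 followed by
# corenetwork.te.in ($^, in prerequisite order), with the dollarsone /
# dollarszero placeholders turned back into $1 / $0.  The first echo
# truncates $@ so a stale or partially written file is never appended to.
$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
	@echo "# This is a generated file! Instead of modifying this file, the" > $@
	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \
	| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@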
########################################
#
# Create config files
#
# conf: bring modules.conf, booleans.conf and all generated sources up to date.
conf : $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)

# modules.conf and booleans.conf are both updated by a single sedoctool run
# over the policy XML.  Two targets on one rule header define two rules with
# the same recipe: under `make -j` both can run concurrently and write the
# same two files.
$(MOD_CONF) $(BOOLEANS): $(POLXML)
	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
	$(verbose) $(GENDOC) -t $(BOOLEANS) -m $(MOD_CONF) -x $(POLXML)
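########################################
#
# Generate the fc_sort program
#
# Builds the fc_sort helper from the support tree into TMPDIR.  $< and $@
# stand for the single source and the target; the output directory is
# created first because TMPDIR need not exist yet on a fresh tree.
$(FCSORT) : $(SUPPORT)/fc_sort.c
	@mkdir -p $(@D)
	$(CC) $(CFLAGS) $< -o $@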
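########################################
#
# Documentation generation
#
# minimal dependencies here, because we don't want to rebuild
# this and its dependents every time the dependencies
# change. Also use all .if files here, rather than just the
# .if files of the enabled modules (DETECTED_MODS covers every .te found).
#
# The policy XML is written as an XML prolog, a DOCTYPE naming the DTD, and
# the segenxml output for all layers; segenxml also receives TMPDIR as its
# output directory (install-headers later picks up the global tunables and
# booleans XML from there).  When xmllint and the DTD are both available the
# result is validated against the DTD; otherwise validation is skipped.
# NOTE(review): the closing fi of the shell if was not visible in this
# listing and has been restored.
$(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
	@test -d $(dir $(POLXML)) || mkdir -p $(dir $(POLXML))
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
	$(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(TMPDIR) $(ALL_LAYERS) >> $@
	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
		$(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\
	fi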
# HTML interface reference generated from the policy XML.  "html" is the
# user-facing name; $(TMPDIR)/html is a stamp file touched after a successful
# run so that install-docs can depend on it.
html $(TMPDIR)/html : $(POLXML)
	@echo "Building html interface reference documentation in $(HTMLDIR)"
	@test -d $(HTMLDIR) || mkdir -p $(HTMLDIR)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(GENDOC) -d $(HTMLDIR) -T $(DOCTEMPLATE) -x $(POLXML)
	$(verbose) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
	@touch $(TMPDIR)/html
########################################
#
# Runtime binary policy patching of users
#
# system.users is generated from the policy's users file: the m4 support
# macros, the generated definitions and USER_FILES are expanded together,
# leading whitespace is stripped and blank/comment lines are dropped, then
# the result is installed with mode 0644 under USERPATH.  The header lines
# warn that the file is regenerated on every install; local changes belong in
# local.users (next rule).
# NOTE(review): $(TMPDIR)/generated_definitions.conf is expected to be built
# by the included Rules file (not visible here).
$(USERPATH)/system.users: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(USER_FILES)
	@mkdir -p $(USERPATH)
	@echo "Installing system.users"
	@echo "# " > $(TMPDIR)/system.users
	@echo "# Do not edit this file. " >> $(TMPDIR)/system.users
	@echo "# This file is replaced on reinstalls of this policy." >> $(TMPDIR)/system.users
	@echo "# Please edit local.users to make local changes." >> $(TMPDIR)/system.users
	@echo "#" >> $(TMPDIR)/system.users
	$(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \
		-e '/^[[:blank:]]*($$|#)/d' >> $(TMPDIR)/system.users
	$(verbose) install -m 644 $(TMPDIR)/system.users $@
# local.users is the locally editable counterpart of system.users.  install -b
# keeps a backup of an already installed copy instead of overwriting it
# silently.
$(USERPATH)/local.users: config/local.users
	@mkdir -p $(USERPATH)
	@echo "Installing local.users"
	$(verbose) install -b -m 644 $< $@
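########################################
#
# Install appconfig files
#
install-appconfig : $(APPFILES)

# booleans: rewrite false/true to 0/1, drop blank and comment lines, sort,
# and install the result under INSTALLDIR.  TMPDIR is created along with
# INSTALLDIR because the intermediate file is written there.
# NOTE(review): the substitutions apply anywhere on a line, so a boolean whose
# name contains "true" or "false" would be rewritten as well.
$(INSTALLDIR)/booleans : $(BOOLEANS)
	@mkdir -p $(INSTALLDIR) $(TMPDIR)
	$(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \
		-e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > $(TMPDIR)/booleans
	$(verbose) install -m 644 $(TMPDIR)/booleans $@

# media lives under contexts/files rather than directly under contexts.
$(CONTEXTPATH)/files/media : $(APPCONF)/media
	@mkdir -p $(CONTEXTPATH)/files/
	$(verbose) install -m 644 $< $@

# The remaining appconfig files are installed unchanged under APPDIR with the
# same name they have in APPCONF, so one static pattern rule replaces the
# per-file copies.  The target list is spelled out (rather than taken from
# APPFILES) so that a missing source fails loudly for exactly these files.
appconf_copies := default_contexts removable_context default_type userhelper_context initrc_context failsafe_context dbus_contexts
$(addprefix $(APPDIR)/,$(appconf_copies)): $(APPDIR)/%: $(APPCONF)/%
	@mkdir -p $(@D)
	$(verbose) install -m 644 $< $@

# root's default contexts go under contexts/users/.
$(APPDIR)/users/root : $(APPCONF)/root_default_contexts
	@mkdir -p $(APPDIR)/users
	$(verbose) install -m 644 $< $@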
########################################
#
# Install policy headers
#
# Installs the development headers for building modules against this policy:
# the global tunables/booleans XML from TMPDIR, the m4-expanded rolemap, the
# m4 support files plus segenxml.py (the last word of GENXML) and the DTD, a
# generated all_perms.spt, each layer's interfaces and metadata, a build.conf
# recording how this policy was configured (MONOLITHIC forced to n), and the
# developer Makefile.
# NOTE(review): $(TMPDIR)/global_{tunables,booleans}.xml and the tags recipe
# rely on shell brace expansion, which is not POSIX sh; SHELL is not set in
# the visible part of this file, so /bin/sh has to be bash for this to work.
# NOTE(review): the destination argument and the closing "done" of the
# per-layer for loop, as well as part of the build.conf echo sequence, are
# not visible in this listing; the recipe is reproduced exactly as shown.
install-headers : $(POLXML)
	@mkdir -p $(HEADERDIR)
	@echo "Installing policy headers"
	$(verbose) install -m 644 $(TMPDIR)/global_{tunables,booleans}.xml $(HEADERDIR)
	$(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
	$(verbose) mkdir -p $(HEADERDIR)/support
	$(verbose) install -m 644 $(M4SUPPORT) $(word $(words $(GENXML)),$(GENXML)) $(XMLDTD) $(HEADERDIR)/support
	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
	$(verbose) for i in $(notdir $(ALL_LAYERS)); do \
		mkdir -p $(HEADERDIR)/$$i ;\
		install -m 644 $(MODDIR)/$$i/*.if \
			$(MODDIR)/$$i/metadata.xml \
	$(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
	$(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
	$(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
	$(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
	$(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
	$(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
	$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
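########################################
#
# Install policy documentation
#
# Installs the example files and the generated HTML reference.  The HTML
# files are globbed by the shell when the recipe runs rather than with
# $(wildcard): GNU make caches directory listings, so a make-side glob can
# miss files the html rule created earlier in the same run (the first build
# of a fresh tree), in which case the install line would have been run with
# only its destination argument.
install-docs : $(TMPDIR)/html
	@mkdir -p $(DOCSDIR)/html
	@echo "Installing policy documentation"
	$(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
	$(verbose) install -m 644 $(HTMLDIR)/* $(DOCSDIR)/html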
########################################
#
# Install policy sources
#
# Copies the whole current tree (cp -R .) into SRCPATH/policy, keeping the
# previous copy as policy.old.  The leading "-" on the mv tolerates the first
# install, when no previous policy directory exists yet.
# NOTE(review): the rule header for this recipe (install-src, per .PHONY
# below)  is not visible in this listing.
# NOTE(review): SRCPATH is built from DESTDIR and NAME; with both empty the
# rm -rf below runs on /etc/selinux//src/policy.old.  A parse-time guard such
# as $(if $(strip $(NAME)),,$(error NAME is empty)) would make that explicit.
	rm -rf $(SRCPATH)/policy.old
	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
	mkdir -p $(SRCPATH)/policy
	cp -R . $(SRCPATH)/policy
########################################
#
# ctags index of the policy sources
#
# Requires Exuberant Ctags (checked via --version).  A custom "te" language
# is defined with regexes for types, typealiases, attributes, m4 defines,
# interfaces and booleans; LC_ALL=C is presumably there for
# locale-independent output.
# NOTE(review): the rule header(s) for this recipe are not visible in this
# listing (tags is declared in .PHONY below).
# NOTE(review): policy/modules/*/*.{if,te} relies on shell brace expansion,
# which is not POSIX sh (SHELL is not set in the visible part of this file);
# the paths are also hard-coded relative to the current directory instead of
# using $(MODDIR) and $(POLDIR).
	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
	@LC_ALL=C $(CTAGS) -f $(TAGS) --langdef=te --langmap=te:..te.if.spt \
		--regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
		--regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
		--regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
		--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
		--regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
		--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
########################################
#
# Filesystem labeling
#
# Four variants of the same recipe run setfiles with the file_contexts
# specification (FCPATH) against every filesystem in FILESYSTEMS: check only
# (-n -v), restore (-v), relabel (same command without -v), and forced reset
# (-F).  Each first refuses to proceed when FILESYSTEMS expands to nothing.
# NOTE(review): the rule headers (checklabels, restorelabels and relabel per
# the header comment; the fourth is unnamed in this listing) and the rest of
# each shell if (including its closing fi) are not visible here; the recipe
# lines are reproduced exactly as shown.
	@echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
	$(verbose) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)

	@echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
	$(verbose) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)

	@echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
	$(verbose) $(SETFILES) $(FCPATH) $(FILESYSTEMS)

	@echo "Resetting labels on filesystem types: ext2 ext3 xfs jfs"
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
	$(verbose) $(SETFILES) -F $(FCPATH) $(FILESYSTEMS)
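########################################
#
# Clean up build products
#
# NOTE(review): the rule header for this recipe and the lines preceding the
# comment below are not visible in this listing; the recipe lines are
# reproduced as shown, with the endif of each visible ifneq restored.
# don't remove these files if we're given a local root
# NOTE(review): the conditional on LOCAL_ROOT that this comment introduces is
# not visible here.
	rm -f $(SUPPORT)/*.pyc
# The generated sources only exist when *.in templates are present; the
# guards keep rm from being run with an empty argument list.
ifneq ($(GENERATED_TE),)
	rm -f $(GENERATED_TE)
endif
ifneq ($(GENERATED_IF),)
	rm -f $(GENERATED_IF)
endif
ifneq ($(GENERATED_FC),)
	rm -f $(GENERATED_FC)
endif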
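# Targets that name actions rather than files.  install-headers and
# install-docs (above) never create a file of their own name, and neither do
# the labeling recipes (checklabels, restorelabels and relabel per the header
# comment), so they are declared here too: otherwise a stray file with one of
# these names would make the target look up to date.  Declaring a target
# phony more than once (e.g. also in the included Rules file) is harmless.
.PHONY : install-src install-appconfig install-headers install-docs conf html bare tags checklabels restorelabels relabel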