base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
-base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
+base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
base_te_files := $(base_mods)
base_post_te_files := $(user_files) $(poldir)/constraints
base_fc_files := $(base_mods:.te=.fc)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
-# broken in make 3.81:
-#.SECONDARY:
+.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
########################################
#
# Load all configured modules
#
load: $(instpkg) $(appfiles)
+# make sure two directories exist since they are not
+# created by semanage
+ @mkdir -p $(policypath) $(dir $(fcpath))
@echo "Loading configured modules."
$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(call perrole-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
#
# Create a base module package
#
-$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
+$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
@echo "Creating $(NAME) base module package"
@test -d $(builddir) || mkdir -p $(builddir)
- $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+ifneq "$(UNK_PERMS)" ""
+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
+endif
$(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
+$(tmpdir)/seusers: $(seusers)
+ @mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
+
$(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
-$(tmpdir)/generated_definitions.conf: $(base_te_files)
+$(tmpdir)/generated_definitions.conf:
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates
- $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
- $(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
- echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
- >> $@ ;\
- done
- $(verbose) echo "')" >> $@
+ $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
$(verbose) $(M4) $(M4PARAM) $^ > $@
-$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
- @echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
@echo "divert(-1)" > $@
- $(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
@echo "divert" >> $@
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
$(call parse-rolemap,base,$@)
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
-########################################
-#
-# Remove the dontaudit rules from the base.conf
-#
-enableaudit: $(base_conf)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- @echo "Removing dontaudit rules from $(^F)"
- $(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit
- $(verbose) mv $(tmpdir)/base.audit $(base_conf)
-
########################################
#
# Appconfig files
@echo "Validating policy linking."
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
@echo "Success."
########################################