1) Reference Policy make targets:

General Make targets:

install-src       Install the policy sources into
                  /etc/selinux/NAME/src/policy, where NAME is defined in
                  the Makefile. If not defined, the TYPE, as defined in
                  the Makefile, is used. The default NAME is refpolicy.
                  A pre-existing source policy will be moved to
                  /etc/selinux/NAME/src/policy.bak.

conf              Regenerate policy.xml, and update/create modules.conf
                  and booleans.conf. This should be done after adding
                  or removing modules, or after running the bare target.
                  If the configuration files exist, their settings will
                  be preserved. This must be run on policy sources that
                  are checked out from the CVS repository before they can
                  be used.

clean             Delete all temporary files, compiled policies,
                  and file_contexts. Configuration files are left intact.

bare              Do the clean make target and also delete configuration
                  files, web page documentation, and policy.xml.

html              Regenerate policy.xml and create web page documentation
                  in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base              Compile and package the base module. This is the
                  default target for modular policies.

modules           Compile and package all Reference Policy modules
                  configured to be built as loadable modules.

MODULENAME.pp     Compile and package the MODULENAME Reference Policy
                  module.

all               Compile and package the base module and all Reference
                  Policy modules configured to be built as loadable
                  modules.

install           Compile, package, and install the base module and
                  Reference Policy modules configured to be built as
                  loadable modules.

load              Compile, package, and install the base module and
                  Reference Policy modules configured to be built as
                  loadable modules, then insert them into the module
                  store.

validate          Validate that the configured modules can successfully
                  link and expand.

install-headers   Install the policy headers into /usr/share/selinux/NAME.
                  The headers are sufficient for building a policy
                  module locally, without requiring the complete
                  Reference Policy sources. The build.conf settings
                  for this policy configuration should be set before
                  using this target.

Make targets specific to monolithic policies:

policy            Compile a policy locally for development and testing.
                  This is the default target for monolithic policies.

install           Compile and install the policy and file contexts.

load              Compile and install the policy and file contexts, then
                  load the policy.

enableaudit       Remove all dontaudit rules from policy.conf.

relabel           Relabel the filesystem.

checklabels       Check the labels on the filesystem, and report when
                  a file would be relabeled, but do not change its label.

restorelabels     Relabel the filesystem and report each file that is
                  relabeled.

2) Reference Policy Build Options (build.conf)

TYPE              String. Available options are standard, mls, and mcs.
                  This optionally enables multi-level security (MLS) or
                  multi-category security (MCS) features. This option
                  controls the enable_mls and enable_mcs policy blocks.

NAME              String (optional). Sets the name of the policy; the
                  NAME is used when installing files to e.g.,
                  /etc/selinux/NAME and /usr/share/selinux/NAME. If not
                  set, the policy type (TYPE) is used.

DISTRO            String (optional). Enable distribution-specific policy.
                  Available options are redhat, rhel4, gentoo, debian,
                  and suse. This option controls the distro_redhat,
                  distro_rhel4, distro_gentoo, distro_debian, and
                  distro_suse policy blocks.

MONOLITHIC        Boolean. If set, a monolithic policy is built,
                  otherwise a modular policy is built.

DIRECT_INITRC     Boolean. If set, sysadm will be allowed to directly
                  run init scripts, instead of requiring the run_init
                  tool. This is a build option instead of a tunable since
                  role transitions do not work in conditional policy.
                  This option controls the direct_sysadm_daemon policy
                  blocks.

POLY              Boolean. If set, policy for polyinstantiated
                  directories will be enabled. This option controls the
                  enable_polyinstantiation policy blocks.

OUTPUT_POLICY     Integer. Set the version of the policy created when
                  building a monolithic policy. This option has no effect
                  on modular policy.

QUIET             Boolean. If set, the build system will only display
                  status messages and error messages. This option has no
                  effect on policy.

3) Reference Policy Files and Directories

All directories are relative to the root of the Reference Policy sources
directory.

Makefile                      General rules for building the policy.

Rules.modular                 Makefile rules specific to building loadable
                              module policies.

Rules.monolithic              Makefile rules specific to building monolithic
                              policies.

build.conf                    Options which influence the building of the
                              policy, such as the policy type and
                              distribution.

config/appconfig-*            Application configuration files for all
                              configurations of the Reference Policy
                              (targeted/strict with or without MLS or MCS).
                              These are used by SELinux-aware programs.

config/local.users            The file read by load policy for adding SELinux
                              users to the policy on the fly.

doc/html/*                    This contains the contents of the in-policy XML
                              documentation, presented in web page form.

doc/policy.dtd                The doc/policy.xml file is validated against
                              this DTD.

doc/policy.xml                This file is generated/updated by the conf and
                              html make targets. It contains the complete
                              XML documentation included in the policy.

doc/templates/*               Templates used for documentation web pages.

policy/booleans.conf          This file is generated/updated by the conf make
                              target. It contains the booleans in the
                              policy, and their default values. If tunables
                              are implemented as booleans, tunables will
                              also be included. This file will be installed
                              as the /etc/selinux/NAME/booleans file.

policy/constraints            This file defines additional constraints on
                              permissions in the form of boolean expressions
                              that must be satisfied in order for specified
                              permissions to be granted. These constraints
                              are used to further refine the type
                              enforcement rules and the role allow rules.
                              Typically, these constraints are used to
                              restrict changes in user identity or role to
                              certain domains.

policy/global_booleans        This file defines all booleans that have a
                              global scope, their default value, and
                              documentation.

policy/global_tunables        This file defines all tunables that have a
                              global scope, their default value, and
                              documentation.

policy/flask/initial_sids     This file has declarations for each initial SID.

policy/flask/security_classes This file has declarations for each security
                              class.

policy/flask/access_vectors   This file defines the access vectors. Common
                              prefixes for access vectors may be defined at
                              the beginning of the file. After the common
                              prefixes are defined, an access vector may be
                              defined for each security class.

policy/mcs                    The multi-category security (MCS) configuration.

policy/mls                    The multi-level security (MLS) configuration.

policy/modules/*              Each directory represents a layer in Reference
                              Policy; all of the modules are contained in one
                              of these layers.

policy/modules.conf           This file contains a listing of available
                              modules, and how they will be used when
                              building Reference Policy. To prevent a module
                              from being used, set the module to "off". For
                              monolithic policies, modules set to "base" and
                              "module" will be included in the policy. For
                              modular policies, modules set to "base" will be
                              included in the base module; those set to
                              "module" will be compiled as individual
                              loadable modules.

policy/rolemap                This file contains the prefix and user domain
                              type that correspond to each user role. The
                              contents of this file will be used to expand
                              the per-user domain templates for each module.

policy/support/*              Support macros.

policy/users                  This file defines the users included in the
                              policy.

support/*                     Tools used in the build process.

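The build.conf options in section 2 and the modules.conf states described under policy/modules.conf, applied in code as an added example (this is not refpolicy's own build logic): it validates a build.conf, derives NAME and the m4 policy blocks that the options switch on, and resolves a modules.conf into what gets built for a modular or a monolithic policy. The make-style "KEY = value" syntax, treating an unset boolean as "n", and the two sample files are assumptions constructed for the example.

```python
# Added example, not refpolicy's code; assumes make-style "KEY = value" files and unset boolean == "n".
TYPES = {"standard", "mls", "mcs"}
DISTROS = {"redhat", "rhel4", "gentoo", "debian", "suse"}
BOOLS = ("MONOLITHIC", "DIRECT_INITRC", "POLY", "QUIET")
SAMPLE_BUILD_CONF = "TYPE = mcs\nDISTRO = debian\nMONOLITHIC = n\nPOLY = y\n"  # constructed
SAMPLE_MODULES_CONF = "kernel = base\napache = module\ngames = off\n"         # constructed

def parse_conf(text):
    """Parse 'KEY = value' lines; '#' starts a comment, blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def build_settings(build_conf):
    """Validate build.conf; derive NAME, MONOLITHIC and the enabled policy blocks."""
    conf = parse_conf(build_conf)
    ptype, distro = conf.get("TYPE"), conf.get("DISTRO", "")
    if ptype not in TYPES:
        raise ValueError(f"TYPE must be one of {sorted(TYPES)}, got {ptype!r}")
    if distro and distro not in DISTROS:
        raise ValueError(f"unknown DISTRO {distro!r}")
    flags = {}
    for key in BOOLS:
        value = conf.get(key, "n").lower()
        if value not in ("y", "n"):
            raise ValueError(f"{key} must be y or n, got {value!r}")
        flags[key] = value == "y"
    # m4 policy blocks that each option turns on, as listed in the README.
    blocks = set() if ptype == "standard" else {"enable_" + ptype}
    if distro:
        blocks.add("distro_" + distro)
    if flags["DIRECT_INITRC"]:
        blocks.add("direct_sysadm_daemon")
    if flags["POLY"]:
        blocks.add("enable_polyinstantiation")
    return {"name": conf.get("NAME") or ptype,
            "monolithic": flags["MONOLITHIC"], "blocks": blocks}

def build_plan(modules_conf, monolithic):
    """Resolve modules.conf into base, loadable ("module") or off; monolithic folds "module" into base."""
    plan = {"base": [], "module": [], "off": []}
    for mod, state in parse_conf(modules_conf).items():
        if state not in plan:
            raise ValueError(f"{mod}: state must be base, module or off")
        plan["base" if monolithic and state == "module" else state].append(mod)
    return plan
```
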
4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution. Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te
file in a directory. A sample Makefile to use in the directory is the
Makefile.example in the doc directory. This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories. Each layer also
must have a metadata.xml file, which is an XML file with a summary tag and
an optional desc (long description) tag. This should describe the purpose of
the layer.

Metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp     Compile and package the MODULENAME local module.

all               Compile and package the modules in the current
                  directory.

load              Compile and package the modules in the current
                  directory, then insert them into the module store.

refresh           Attempts to reinsert all modules that are currently
                  in the module store from the local and system module
                  packages.

xml               Build a policy.xml from the XML included with the
                  base policy headers and any XML in the modules in
                  the current directory.
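A layout check for the layered project structure described above, as an added example that is not refpolicy's own code: it reads each layer's metadata.xml, which is a root-less fragment (a summary tag plus an optional desc tag, exactly as in the example above) and so must be wrapped before an XML parser will accept it, and lists the .te modules in that layer. The sample project tree, the layer and module names, and the policy_module() line written into the .te file are constructed for the example.

```python
# Added example, not refpolicy's own code: check a local project's
# policy/modules/LAYERNAME layout as described above. The .te content
# (policy_module(...)) and the sample project tree are constructed here.
import os
import tempfile
import xml.etree.ElementTree as ET

def read_layer_metadata(path):
    """Return (summary, desc or None) from a layer's metadata.xml.
    The file is a root-less fragment (<summary> plus optional <desc>, as in
    the README's example), so it is wrapped in a synthetic root to parse it."""
    with open(path, encoding="utf-8") as f:
        root = ET.fromstring("<layer>" + f.read() + "</layer>")
    summary = root.find("summary")
    if summary is None or not (summary.text or "").strip():
        raise ValueError(f"{path}: metadata.xml needs a non-empty <summary>")
    desc = root.find("desc")
    return summary.text.strip(), (desc.text.strip() if desc is not None and desc.text else None)

def check_layers(project_root):
    """Map each layer under policy/modules to (summary, [module names]).
    Raises ValueError if a layer has no metadata.xml or no .te file."""
    layers = {}
    base = os.path.join(project_root, "policy", "modules")
    for layer in sorted(os.listdir(base)):
        ldir = os.path.join(base, layer)
        if not os.path.isdir(ldir):
            continue
        meta = os.path.join(ldir, "metadata.xml")
        if not os.path.isfile(meta):
            raise ValueError(f"layer {layer}: missing metadata.xml")
        summary, _ = read_layer_metadata(meta)
        modules = sorted(f[:-3] for f in os.listdir(ldir) if f.endswith(".te"))
        if not modules:
            raise ValueError(f"layer {layer}: no .te module files")
        layers[layer] = (summary, modules)
    return layers

def demo_project():
    """Build a throwaway sample tree (constructed data); return (layers, desc of layer abc)."""
    root = tempfile.mkdtemp()
    ldir = os.path.join(root, "policy", "modules", "abc")
    os.makedirs(ldir)
    with open(os.path.join(ldir, "metadata.xml"), "w") as f:
        f.write("<summary>ABC modules for the XYZ components.</summary>\n"
                "<desc>Local policy for the XYZ daemons.</desc>\n")
    with open(os.path.join(ldir, "xyzd.te"), "w") as f:
        f.write("policy_module(xyzd, 1.0.0)\n")
    layers = check_layers(root)
    return layers, read_layer_metadata(os.path.join(ldir, "metadata.xml"))[1]
```

With the headers installed, the same directory is then built with make -f /usr/share/selinux/NAME/Makefile, as the section above describes.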