projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| fb0a3a98 CP |
1 | ######################################## |
| 2 | # | |
| c3812748 | 3 | # Rules and Targets for building modular policies |
| fb0a3a98 CP |
4 | # |
| 5 | ||
| e0a9001b | 6 | ALL_MODULES := $(BASE_MODS) $(MOD_MODS) $(OFF_MODS) |
| fb0a3a98 CP |
7 | ALL_INTERFACES := $(ALL_MODULES:.te=.if) |
| 8 | ||
| 5b45ffb0 CP |
9 | BASE_PKG := $(BUILDDIR)base.pp |
| 10 | BASE_FC := $(BUILDDIR)base.fc | |
| 11 | BASE_CONF := $(BUILDDIR)base.conf | |
| c9f20d5b | 12 | BASE_MOD := $(TMPDIR)/base.mod |
| fb0a3a98 | 13 | |
| 90b331fa CP |
14 | USERS_EXTRA := $(TMPDIR)/users_extra |
| 15 | ||
| 3abd5ee8 | 16 | BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf |
| fb0a3a98 | 17 | |
| a0824843 | 18 | BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs |
| fb0a3a98 | 19 | BASE_TE_FILES := $(BASE_MODS) |
| 2f33cd7d | 20 | BASE_POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints |
| fb0a3a98 CP |
21 | BASE_FC_FILES := $(BASE_MODS:.te=.fc) |
| 22 | ||
| 23 | MOD_MODULES := $(MOD_MODS:.te=.mod) | |
| 5b45ffb0 | 24 | MOD_PKGS := $(addprefix $(BUILDDIR),$(notdir $(MOD_MODS:.te=.pp))) |
| c04f2abe | 25 | |
| c767b14c | 26 | # policy packages to install |
| c9f20d5b | 27 | INSTPKG := $(addprefix $(MODPKGDIR)/,$(notdir $(BASE_PKG)) $(MOD_PKGS)) |
| c767b14c | 28 | |
| c04f2abe | 29 | # search layer dirs for source files |
| e2680fb4 CP |
30 | vpath %.te $(ALL_LAYERS) |
| 31 | vpath %.if $(ALL_LAYERS) | |
| 32 | vpath %.fc $(ALL_LAYERS) | |
| fb0a3a98 | 33 | |
| 4b01e21d CP |
34 | # broken in make 3.81: |
| 35 | #.SECONDARY: | |
| e60b983b | 36 | |
| fb0a3a98 CP |
37 | ######################################## |
| 38 | # | |
| 39 | # default action: create all module packages | |
| 40 | # | |
| ddb9aafc | 41 | default: policy |
| fb0a3a98 | 42 | |
| ddb9aafc | 43 | all policy: base modules |
| 06a5362f | 44 | |
| fb0a3a98 CP |
45 | base: $(BASE_PKG) |
| 46 | ||
| 47 | modules: $(MOD_PKGS) | |
| 48 | ||
| c767b14c CP |
49 | install: $(INSTPKG) $(APPFILES) |
| 50 | ||
| 51 | ######################################## | |
| 52 | # | |
| 53 | # Load all configured modules | |
| 54 | # | |
| 55 | load: $(INSTPKG) $(APPFILES) | |
| 56 | @echo "Loading configured modules." | |
| c9f20d5b | 57 | $(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(notdir $(BASE_PKG)) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod)) |
| c767b14c CP |
58 | |
| 59 | ######################################## | |
| 60 | # | |
| 61 | # Install policy packages | |
| 62 | # | |
| 5b45ffb0 | 63 | $(MODPKGDIR)/%.pp: $(BUILDDIR)%.pp |
| c767b14c | 64 | @mkdir -p $(MODPKGDIR) |
| 6b1c8ee3 | 65 | @echo "Installing $(NAME) $(@F) policy package." |
| 9b3756bf | 66 | $(verbose) install -m 0644 $^ $(MODPKGDIR) |
| c767b14c CP |
67 | |
| 68 | ######################################## | |
| 69 | # | |
| 70 | # Build module packages | |
| 71 | # | |
| c9f20d5b | 72 | $(TMPDIR)/%.mod: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf %.te |
| c767b14c | 73 | @echo "Compliling $(NAME) $(@F) module" |
| c9f20d5b | 74 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) |
| 4ace0fa5 | 75 | $(call peruser-expansion,$(basename $(@F)),$@.role) |
| 3abd5ee8 | 76 | $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) |
| 9b3756bf | 77 | $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ |
| c767b14c | 78 | |
| c9f20d5b CP |
79 | $(TMPDIR)/%.mod.fc: $(M4SUPPORT) %.fc |
| 80 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) | |
| 3abd5ee8 | 81 | $(verbose) $(M4) $(M4PARAM) $(M4SUPPORT) $^ > $@ |
| c767b14c | 82 | |
| 5b45ffb0 | 83 | $(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc |
| c767b14c | 84 | @echo "Creating $(NAME) $(@F) policy package" |
| c9f20d5b | 85 | @test -d $(BUILDDIR) || mkdir -p $(BUILDDIR) |
| 9b3756bf | 86 | $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc |
| fb0a3a98 CP |
87 | |
| 88 | ######################################## | |
| 89 | # | |
| 90 | # Create a base module package | |
| 91 | # | |
| 5a7c06fd | 92 | $(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS) $(net_contexts) |
| fb0a3a98 | 93 | @echo "Creating $(NAME) base module package" |
| c9f20d5b | 94 | @test -d $(BUILDDIR) || mkdir -p $(BUILDDIR) |
| 5a7c06fd | 95 | $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) -n $(net_contexts) |
| fb0a3a98 | 96 | |
| c9f20d5b | 97 | $(BASE_MOD): $(BASE_CONF) |
| fb0a3a98 | 98 | @echo "Compiling $(NAME) base module" |
| 9b3756bf | 99 | $(verbose) $(CHECKMODULE) $^ -o $@ |
| fb0a3a98 | 100 | |
| 90b331fa CP |
101 | $(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES) |
| 102 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) | |
| 103 | $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \ | |
| 104 | $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@ | |
| 105 | ||
| fb0a3a98 CP |
106 | ######################################## |
| 107 | # | |
| c767b14c | 108 | # Construct a base.conf |
| fb0a3a98 | 109 | # |
| c9f20d5b | 110 | $(BASE_CONF): $(BASE_SECTIONS) |
| 58b2a3c7 | 111 | @echo "Creating $(NAME) base module $(@F)" |
| 3abd5ee8 CP |
112 | @test -d $(@D) || mkdir -p $(@D) |
| 113 | $(verbose) cat $^ > $@ | |
| fb0a3a98 | 114 | |
| 3abd5ee8 | 115 | $(TMPDIR)/pre_te_files.conf: M4PARAM += -D self_contained_policy |
| c9f20d5b CP |
116 | $(TMPDIR)/pre_te_files.conf: $(BASE_PRE_TE_FILES) |
| 117 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) | |
| 3abd5ee8 | 118 | $(verbose) $(M4) $(M4PARAM) $^ > $@ |
| fb0a3a98 | 119 | |
| c9f20d5b CP |
120 | $(TMPDIR)/generated_definitions.conf: $(BASE_TE_FILES) |
| 121 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) | |
| c04f2abe | 122 | # define all available object classes |
| 9b3756bf | 123 | $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@ |
| 71fe0fa4 | 124 | # per-userdomain templates |
| 9b3756bf CP |
125 | $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@ |
| 126 | $(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \ | |
| 71fe0fa4 CP |
127 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ |
| 128 | >> $@ ;\ | |
| 129 | done | |
| 9b3756bf | 130 | $(verbose) echo "')" >> $@ |
| 5b45ffb0 | 131 | $(verbose) test -f $(BOOLEANS) && $(SETBOOLS) $(BOOLEANS) >> $@ || true |
| fb0a3a98 | 132 | |
| 3abd5ee8 CP |
133 | $(TMPDIR)/global_bools.conf: M4PARAM += -D self_contained_policy |
| 134 | $(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN) | |
| 135 | $(verbose) $(M4) $(M4PARAM) $^ > $@ | |
| 136 | ||
| c9f20d5b | 137 | $(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) |
| c9f20d5b | 138 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) |
| 5706facd | 139 | @echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4 |
| 3abd5ee8 | 140 | @echo "divert(-1)" > $@ |
| 5706facd CP |
141 | $(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 >> $(TMPDIR)/$(@F).tmp |
| 142 | $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@ | |
| 3abd5ee8 CP |
143 | @echo "divert" >> $@ |
| 144 | ||
| 145 | $(TMPDIR)/rolemap.conf: M4PARAM += -D self_contained_policy | |
| 146 | $(TMPDIR)/rolemap.conf: $(ROLEMAP) | |
| 147 | $(call parse-rolemap,base,$@) | |
| fb0a3a98 | 148 | |
| 3abd5ee8 CP |
149 | $(TMPDIR)/all_te_files.conf: M4PARAM += -D self_contained_policy |
| 150 | $(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(BASE_TE_FILES) $(TMPDIR)/rolemap.conf | |
| c72f53f6 | 151 | ifeq "$(strip $(BASE_TE_FILES))" "" |
| fb0a3a98 CP |
152 | $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") |
| 153 | endif | |
| c9f20d5b | 154 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) |
| 3abd5ee8 | 155 | $(verbose) $(M4) $(M4PARAM) -s $^ > $@ |
| fb0a3a98 | 156 | |
| 3abd5ee8 CP |
157 | $(TMPDIR)/post_te_files.conf: M4PARAM += -D self_contained_policy |
| 158 | $(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(BASE_POST_TE_FILES) | |
| c9f20d5b | 159 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) |
| 3abd5ee8 | 160 | $(verbose) $(M4) $(M4PARAM) $^ > $@ |
| fb0a3a98 CP |
161 | |
| 162 | # extract attributes and put them first. extract post te stuff | |
| 3abd5ee8 | 163 | # like genfscon and put last. |
| c9f20d5b | 164 | $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf |
| f62f4c79 | 165 | $(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf |
| c9f20d5b | 166 | $(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf |
| 3abd5ee8 CP |
167 | # these have to run individually because order matters: |
| 168 | $(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 169 | $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 170 | $(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 171 | $(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 172 | $(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 173 | $(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true | |
| 174 | $(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf | |
| fb0a3a98 CP |
175 | |
| 176 | ######################################## | |
| 177 | # | |
| c767b14c | 178 | # Construct a base.fc |
| fb0a3a98 | 179 | # |
| c9f20d5b | 180 | $(BASE_FC): $(TMPDIR)/$(notdir $(BASE_FC)).tmp $(FCSORT) |
| 9b3756bf | 181 | $(verbose) $(FCSORT) $< $@ |
| c767b14c | 182 | |
| c9f20d5b | 183 | $(TMPDIR)/$(notdir $(BASE_FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(BASE_FC_FILES) |
| fb0a3a98 CP |
184 | ifeq ($(BASE_FC_FILES),) |
| 185 | $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") | |
| 186 | endif | |
| 187 | @echo "Creating $(NAME) base module file contexts." | |
| c9f20d5b | 188 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) |
| 3abd5ee8 | 189 | $(verbose) $(M4) $(M4PARAM) $^ > $@ |
| fb0a3a98 | 190 | |
| bf080a46 CP |
191 | ######################################## |
| 192 | # | |
| 193 | # Remove the dontaudit rules from the base.conf | |
| 194 | # | |
| c9f20d5b CP |
195 | enableaudit: $(BASE_CONF) |
| 196 | @test -d $(TMPDIR) || mkdir -p $(TMPDIR) | |
| 58b2a3c7 | 197 | @echo "Removing dontaudit rules from $(^F)" |
| 3abd5ee8 | 198 | $(verbose) $(GREP) -v dontaudit $(BASE_CONF) > $(TMPDIR)/base.audit |
| c9f20d5b | 199 | $(verbose) mv $(TMPDIR)/base.audit $(BASE_CONF) |
| bf080a46 | 200 | |
| 049e11af CP |
201 | ######################################## |
| 202 | # | |
| 203 | # Appconfig files | |
| 204 | # | |
| c9f20d5b | 205 | $(APPDIR)/customizable_types: $(BASE_CONF) |
| 049e11af | 206 | @mkdir -p $(APPDIR) |
| 85a0f967 | 207 | $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types |
| c9f20d5b | 208 | $(verbose) install -m 644 $(TMPDIR)/customizable_types $@ |
| 049e11af | 209 | |
| ea5333d1 CP |
210 | ######################################## |
| 211 | # | |
| 212 | # Validate linking and expanding of modules | |
| 213 | # | |
| 214 | validate: $(BASE_PKG) $(MOD_PKGS) | |
| 215 | @echo "Validating policy linking." | |
| 216 | $(verbose) $(SEMOD_LNK) -o $(TMPDIR)/test.lnk $^ | |
| 217 | $(verbose) $(SEMOD_EXP) $(TMPDIR)/test.lnk $(TMPDIR)/policy.bin | |
| 218 | @echo "Success." | |
| 219 | ||
| fb0a3a98 CP |
220 | ######################################## |
| 221 | # | |
| 222 | # Clean the sources | |
| 223 | # | |
| 224 | clean: | |
| c9f20d5b | 225 | rm -f $(BASE_CONF) |
| 712566ee | 226 | rm -f $(BASE_FC) |
| 5b45ffb0 | 227 | rm -f $(BUILDDIR)*.pp |
| 6962bb32 | 228 | rm -f $(net_contexts) |
| c9f20d5b | 229 | rm -fR $(TMPDIR) |
| fb0a3a98 | 230 | |
| ea5333d1 | 231 | .PHONY: default all policy base modules install load clean validate |