[people/stevee/selinux-policy.git] / refpolicy / Makefile

#
# Makefile for the security policy.
#
# Targets:
# 
# install       - compile and install the policy configuration, and context files.
# load          - compile, install, and load the policy configuration.
# reload        - compile, install, and load/reload the policy configuration.
# relabel       - relabel filesystems based on the file contexts configuration.
# checklabels   - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
#                 and restore the label of files with incorrect labels
# policy        - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#

########################################
#
# Configurable portions of the Makefile
#

# Build compatibility policies 
POLICYCOMPAT = 18

# Build MLS policies
MLS=n

# set distribution
override M4PARAM += -D distro_redhat

# Uncomment this to disable command echoing
#QUIET:=@

########################################
#
# Invariant portions of the Makefile
#

# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles
XMLLINT := $(BINDIR)/xmllint

# enable MLS if requested.
ifeq ($(MLS),y)
	override M4PARAM += -D enable_mls
	CHECKPOLICY += -M
endif

ifneq ($(POLICYCOMPAT),)
	CHECKPOLICY += -c $(POLICYCOMPAT)
endif

# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
	KV := $(PV)
endif

FC := file_contexts
POLVER := policy.$(PV)
TYPE := strict

# install paths
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

BASE_MODULE = kernel
FLASKDIR = flask
APPCONF = appconfig

APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := users 

DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))

PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
POST_TE_FILES := users constraints initial_sid_contexts fs_use

ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))

POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf

########################################
#
# default action: build policy locally
#
default: policy

policy: $(POLVER)

install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users

load: tmp/load

########################################
#
# Build a binary policy locally
#
$(POLVER): policy.conf
	@echo "Compiling $(POLVER)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $^ -o $@

########################################
#
# Install a binary policy
#
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
	@echo "Compiling and installing $(LOADPATH)"
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $^ -o $@

########################################
#
# Load the binary policy
#
reload tmp/load: $(LOADPATH) $(FCPATH)
	@echo "Loading $(LOADPATH)"
	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	@touch tmp/load

########################################
#
# Construct a monolithic policy.conf
#
policy.conf: $(POLICY_SECTIONS)
	@echo "Creating policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting:
	$(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters:
	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true

tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
	$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
		| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
# this is so the xml works:
	$(QUIET) echo "## </module>" >> $@

tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/post_te_files.conf: $(POST_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.  portcon, nodecon, and netifcon
# is delayed since they are generated by m4
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf

########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
	@test -d tmp || mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	$(QUIET) mv tmp/policy.audit policy.conf

########################################
#
# Construct file_contexts
#
$(FC): kernel/global.if $(ALL_FC_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@

########################################
#
# Install file_contexts
#
$(FCPATH): $(FC) $(USERPATH)/system.users 
	@mkdir -p $(CONTEXTPATH)/files
	$(QUIET) install -m 644 $(FC) $(FCPATH)
#	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
#	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)

########################################
#
# Filesystem labeling
#
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

checklabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
	@if test -z "$(FILESYSTEMS)"; then \
		echo "No filesystems with extended attributes found!" ;\
		false ;\
	fi
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)

########################################
#
# Documentation generation
#

xml: policy.xml

policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
	@echo "Creating $@"
	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
	$(QUIET) echo "<policy>" >> $@
# process this through m4 to eliminate the generated definitions.
# currently these are only in corenetwork.if
	$(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
	$(QUIET) echo "</policy>" >> $@
	$(QUIET) if test -x $(XMLLINT) && test -f policy.dtd; then \
		$(XMLLINT) --noout --dtdvalid policy.dtd $@ ;\
	fi

########################################
#
# Runtime binary policy patching of users
#
$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	@mkdir -p $(USERPATH)
	@echo "Installing system.users"
	@echo "# " > tmp/system.users
	@echo "# Do not edit this file. " >> tmp/system.users
	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	@echo "#" >> tmp/system.users
	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \
		egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users
	$(QUIET) install -m 644 tmp/system.users $@

$(USERPATH)/local.users: local.users
	@mkdir -p $(USERPATH)
	@echo "Installing local.users"
	$(QUIET) install -C -b -m 644 $< $@

########################################
#
# Appconfig files
#
install-appconfig: $(APPFILES)

$(CONTEXTPATH)/files/media: $(APPCONF)/media
	mkdir -p $(CONTEXTPATH)/files/
	install -m 644 $< $@

$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/removable_context: $(APPCONF)/removable_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/customizable_types: policy.conf
	mkdir -p $(APPDIR)
	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
	install -m 644 tmp/customizable_types $@ 

$(APPDIR)/default_type: $(APPCONF)/default_type
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
	mkdir -p $(APPDIR)
	install -m 644 $< $@

$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
	mkdir -p $(APPDIR)/users
	install -m 644 $< $@

clean:
	rm -fR tmp
	rm -f policy.xml
	rm -f policy.conf
	rm -f policy.$(PV)
	rm -f $(FC)

.PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean
Commit	Line	Data
88d14a22 CP	1	#
	2	# Makefile for the security policy.
	3	#
	4	# Targets:
	5	#
	6	# install - compile and install the policy configuration, and context files.
	7	# load - compile, install, and load the policy configuration.
	8	# reload - compile, install, and load/reload the policy configuration.
	9	# relabel - relabel filesystems based on the file contexts configuration.
	10	# checklabels - check filesystems against the file context configuration
	11	# restorelabels - check filesystems against the file context configuration
	12	# and restore the label of files with incorrect labels
	13	# policy - compile the policy configuration locally for testing/development.
	14	#
	15	# The default target is 'policy'.
	16	#
	17
b4cd1533 CP	18	########################################
	19	#
	20	# Configurable portions of the Makefile
	21	#
	22
	23	# Build compatibility policies
134191be CP	24	POLICYCOMPAT = 18
	25
	26	# Build MLS policies
	27	MLS=n
b4cd1533 CP	28
b4cd1533 CP	29	# set distribution
c9a26b3e	30	override M4PARAM += -D distro_redhat
b4cd1533 CP	31
	32	# Uncomment this to disable command echoing
	33	#QUIET:=@
	34
	35	########################################
	36	#
	37	# Invariant portions of the Makefile
	38	#
	39
	40	# executable paths
	41	PREFIX := /usr
	42	BINDIR := $(PREFIX)/bin
	43	SBINDIR := $(PREFIX)/sbin
	44	CHECKPOLICY := $(BINDIR)/checkpolicy
547283e2	45	LOADPOLICY := $(SBINDIR)/load_policy
b4cd1533	46	SETFILES := $(SBINDIR)/setfiles
004db90d	47	XMLLINT := $(BINDIR)/xmllint
b4cd1533	48
134191be CP	49	# enable MLS if requested.
	50	ifeq ($(MLS),y)
	51	override M4PARAM += -D enable_mls
	52	CHECKPOLICY += -M
	53	endif
	54
	55	ifneq ($(POLICYCOMPAT),)
	56	CHECKPOLICY += -c $(POLICYCOMPAT)
	57	endif
	58
b4cd1533	59	# determine the policy version and current kernel version if possible
134191be	60	PV := $(shell $(CHECKPOLICY) -V \|cut -f 1 -d ' ')
b4cd1533 CP	61	KV := $(shell cat /selinux/policyvers)
	62
	63	# dont print version warnings if we are unable to determine
	64	# the currently running kernel's policy version
	65	ifeq ($(KV),)
134191be	66	KV := $(PV)
b4cd1533 CP	67	endif
	68
	69	FC := file_contexts
	70	POLVER := policy.$(PV)
	71	TYPE := strict
	72
	73	# install paths
	74	TOPDIR = $(DESTDIR)/etc/selinux
	75	INSTALLDIR = $(TOPDIR)/$(TYPE)
	76	POLICYPATH = $(INSTALLDIR)/policy
	77	SRCPATH = $(INSTALLDIR)/src
	78	USERPATH = $(INSTALLDIR)/users
	79	CONTEXTPATH = $(INSTALLDIR)/contexts
	80	LOADPATH = $(POLICYPATH)/$(POLVER)
	81	FCPATH = $(CONTEXTPATH)/files/file_contexts
	82	HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
	83
	84	BASE_MODULE = kernel
134191be	85	FLASKDIR = flask
2926f9c7	86	APPCONF = appconfig
b4cd1533	87
c9a26b3e CP	88	APPDIR := $(CONTEXTPATH)
c9a26b3e CP	89	APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
2926f9c7	90	CONTEXTFILES += $(wildcard $(APPCONF)/_context) $(APPCONF)/media
134191be	91	USER_FILES := users
c9a26b3e	92
b4cd1533	93	DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
2926f9c7	94	ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
b4cd1533	95
134191be	96	PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
2926f9c7 CP	97	ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
2926f9c7 CP	98	ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
134191be	99	POST_TE_FILES := users constraints initial_sid_contexts fs_use
b4cd1533	100
2926f9c7	101	ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
b4cd1533	102
f66a1af9	103	POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
b4cd1533	104
b4cd1533 CP	105	########################################
	106	#
	107	# default action: build policy locally
	108	#
	109	default: policy
	110
	111	policy: $(POLVER)
	112
c9a26b3e CP	113	install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users
	114
	115	load: tmp/load
b4cd1533 CP	116
	117	########################################
	118	#
	119	# Build a binary policy locally
	120	#
	121	$(POLVER): policy.conf
88c72f44	122	@echo "Compiling $(POLVER)"
b4cd1533 CP	123	ifneq ($(PV),$(KV))
	124	@echo
	125	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
	126	@echo
	127	endif
134191be	128	$(QUIET) $(CHECKPOLICY) $^ -o $@
b4cd1533 CP	129
	130	########################################
	131	#
	132	# Install a binary policy
	133	#
	134	$(LOADPATH): policy.conf
	135	@mkdir -p $(POLICYPATH)
88c72f44	136	@echo "Compiling and installing $(LOADPATH)"
b4cd1533 CP	137	ifneq ($(PV),$(KV))
	138	@echo
	139	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
	140	@echo
	141	endif
134191be	142	$(QUIET) $(CHECKPOLICY) $^ -o $@
b4cd1533	143
88d14a22 CP	144	########################################
	145	#
	146	# Load the binary policy
	147	#
	148	reload tmp/load: $(LOADPATH) $(FCPATH)
88c72f44	149	@echo "Loading $(LOADPATH)"
88d14a22 CP	150	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
	151	@touch tmp/load
	152
b4cd1533 CP	153	########################################
	154	#
	155	# Construct a monolithic policy.conf
	156	#
	157	policy.conf: $(POLICY_SECTIONS)
88c72f44 CP	158	@echo "Creating policy.conf"
88c72f44 CP	159	# checkpolicy can use the #line directives provided by -s for error reporting:
c9a26b3e	160	$(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp
b4cd1533	161	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
88c72f44	162	# the ordering of these ocontexts matters:
b4cd1533 CP	163	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ \|\| true
	164	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ \|\| true
	165	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ \|\| true
	166
	167	tmp/pre_te_files.conf: $(PRE_TE_FILES)
	168	@test -d tmp \|\| mkdir -p tmp
	169	$(QUIET) cat $^ > $@
	170
2926f9c7	171	tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
b4cd1533 CP	172	@test -d tmp \|\| mkdir -p tmp
b4cd1533 CP	173	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
0634b6e7	174	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
b4cd1533 CP	175	echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
	176	>> $@ ;\
	177	done
	178	$(QUIET) echo "')" >> $@
	179	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
	180	echo "define(\`$$i')" >> $@ ;\
	181	done
c9a26b3e CP	182	$(QUIET) egrep "^network_(interface\|node\|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
c9a26b3e CP	183	\| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
bd202fe1	184	\| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
88c72f44 CP	185	# this is so the xml works:
88c72f44 CP	186	$(QUIET) echo "## </module>" >> $@
b4cd1533 CP	187
	188	tmp/all_interfaces.conf: $(ALL_INTERFACES)
	189	@test -d tmp \|\| mkdir -p tmp
	190	$(QUIET) cat $^ > $@
	191
	192	tmp/all_te_files.conf: $(ALL_TE_FILES)
	193	@test -d tmp \|\| mkdir -p tmp
	194	$(QUIET) cat $^ > $@
	195
	196	tmp/post_te_files.conf: $(POST_TE_FILES)
	197	@test -d tmp \|\| mkdir -p tmp
	198	$(QUIET) cat $^ > $@
	199
	200	# extract attributes and put them first. extract post te stuff
	201	# like genfscon and put last. portcon, nodecon, and netifcon
	202	# is delayed since they are generated by m4
f66a1af9 CP	203	tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	204	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf \|\| true
	205	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
b4cd1533 CP	206	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
b4cd1533 CP	207	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
f66a1af9	208	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
b4cd1533	209
88d14a22 CP	210	########################################
	211	#
	212	# Remove the dontaudit rules from the policy.conf
	213	#
	214	enableaudit: policy.conf
	215	@test -d tmp \|\| mkdir -p tmp
	216	@echo "Removing dontaudit rules from policy.conf"
	217	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
	218	$(QUIET) mv tmp/policy.audit policy.conf
	219
6d314fd3 CP	220	########################################
	221	#
	222	# Construct file_contexts
	223	#
	224	$(FC): kernel/global.if $(ALL_FC_FILES)
	225	@test -d tmp \|\| mkdir -p tmp
	226	$(QUIET) m4 $(M4PARAM) $^ > $@
	227
547283e2 CP	228	########################################
	229	#
	230	# Install file_contexts
	231	#
c9a26b3e	232	$(FCPATH): $(FC) $(USERPATH)/system.users
547283e2 CP	233	@mkdir -p $(CONTEXTPATH)/files
	234	$(QUIET) install -m 644 $(FC) $(FCPATH)
	235	# $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
	236	# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
	237
b4cd1533 CP	238	########################################
	239	#
	240	# Filesystem labeling
	241	#
88d14a22	242	FILESYSTEMS := `mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\| jfs).*rw/{print $$3}';`
b4cd1533	243
88d14a22 CP	244	checklabels: $(FC) $(SETFILES)
	245	@if test -z "$(FILESYSTEMS)"; then \
	246	echo "No filesystems with extended attributes found!" ;\
	247	false ;\
	248	fi
b4cd1533 CP	249	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
b4cd1533 CP	250
88d14a22 CP	251	restorelabels: $(FC) $(SETFILES)
	252	@if test -z "$(FILESYSTEMS)"; then \
	253	echo "No filesystems with extended attributes found!" ;\
	254	false ;\
	255	fi
b4cd1533 CP	256	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
	257
	258	relabel: $(FC) $(SETFILES)
88d14a22 CP	259	@if test -z "$(FILESYSTEMS)"; then \
	260	echo "No filesystems with extended attributes found!" ;\
	261	false ;\
	262	fi
b4cd1533 CP	263	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
b4cd1533 CP	264
6d314fd3 CP	265	########################################
	266	#
	267	# Documentation generation
	268	#
	269
	270	xml: policy.xml
	271
	272	policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
88c72f44	273	@echo "Creating $@"
004db90d CP	274	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
	275	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
	276	$(QUIET) echo "<policy>" >> $@
3c62aa31 CP	277	# process this through m4 to eliminate the generated definitions.
3c62aa31 CP	278	# currently these are only in corenetwork.if
004db90d	279	$(QUIET) m4 $^ \| egrep -h "^##[[:blank:]]" \| sed -e 's/^##[[:blank:]]//g' >> $@
88c72f44	280	$(QUIET) echo "</policy>" >> $@
004db90d CP	281	$(QUIET) if test -x $(XMLLINT) && test -f policy.dtd; then \
	282	$(XMLLINT) --noout --dtdvalid policy.dtd $@ ;\
	283	fi
6d314fd3	284
c9a26b3e CP	285	########################################
	286	#
	287	# Runtime binary policy patching of users
	288	#
	289	$(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf
	290	@mkdir -p $(USERPATH)
	291	@echo "Installing system.users"
	292	@echo "# " > tmp/system.users
	293	@echo "# Do not edit this file. " >> tmp/system.users
	294	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	295	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	296	@echo "#" >> tmp/system.users
	297	$(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) \| \
	298	egrep -v "^[[:space:]]*($$\|#)" >> tmp/system.users
	299	$(QUIET) install -m 644 tmp/system.users $@
	300
	301	$(USERPATH)/local.users: local.users
	302	@mkdir -p $(USERPATH)
	303	@echo "Installing local.users"
	304	$(QUIET) install -C -b -m 644 $< $@
	305
	306	########################################
	307	#
	308	# Appconfig files
	309	#
	310	install-appconfig: $(APPFILES)
	311
2926f9c7	312	$(CONTEXTPATH)/files/media: $(APPCONF)/media
c9a26b3e CP	313	mkdir -p $(CONTEXTPATH)/files/
	314	install -m 644 $< $@
	315
2926f9c7	316	$(APPDIR)/default_contexts: $(APPCONF)/default_contexts
c9a26b3e CP	317	mkdir -p $(APPDIR)
	318	install -m 644 $< $@
	319
2926f9c7	320	$(APPDIR)/removable_context: $(APPCONF)/removable_context
c9a26b3e CP	321	mkdir -p $(APPDIR)
	322	install -m 644 $< $@
	323
	324	$(APPDIR)/customizable_types: policy.conf
	325	mkdir -p $(APPDIR)
	326	@grep "^type .*customizable" $< \| cut -d',' -f1 \| cut -d' ' -f2 > tmp/customizable_types
	327	install -m 644 tmp/customizable_types $@
	328
2926f9c7	329	$(APPDIR)/default_type: $(APPCONF)/default_type
c9a26b3e CP	330	mkdir -p $(APPDIR)
	331	install -m 644 $< $@
	332
2926f9c7	333	$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
c9a26b3e CP	334	mkdir -p $(APPDIR)
	335	install -m 644 $< $@
	336
2926f9c7	337	$(APPDIR)/initrc_context: $(APPCONF)/initrc_context
c9a26b3e CP	338	mkdir -p $(APPDIR)
	339	install -m 644 $< $@
	340
2926f9c7	341	$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
c9a26b3e CP	342	mkdir -p $(APPDIR)
	343	install -m 644 $< $@
	344
2926f9c7	345	$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
c9a26b3e CP	346	mkdir -p $(APPDIR)
	347	install -m 644 $< $@
	348
2926f9c7	349	$(APPDIR)/users/root: $(APPCONF)/root_default_contexts
c9a26b3e CP	350	mkdir -p $(APPDIR)/users
	351	install -m 644 $< $@
	352
b4cd1533 CP	353	clean:
b4cd1533 CP	354	rm -fR tmp
6d314fd3	355	rm -f policy.xml
b4cd1533 CP	356	rm -f policy.conf
	357	rm -f policy.$(PV)
	358	rm -f $(FC)
	359
88c72f44	360	.PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean