]>
Commit | Line | Data |
---|---|---|
88d14a22 CP |
1 | # |
2 | # Makefile for the security policy. | |
3 | # | |
4 | # Targets: | |
5 | # | |
6 | # install - compile and install the policy configuration, and context files. | |
7 | # load - compile, install, and load the policy configuration. | |
8 | # reload - compile, install, and load/reload the policy configuration. | |
9 | # relabel - relabel filesystems based on the file contexts configuration. | |
10 | # checklabels - check filesystems against the file context configuration | |
11 | # restorelabels - check filesystems against the file context configuration | |
12 | # and restore the label of files with incorrect labels | |
13 | # policy - compile the policy configuration locally for testing/development. | |
14 | # | |
15 | # The default target is 'policy'. | |
16 | # | |
17 | ||
b4cd1533 CP |
18 | ######################################## |
19 | # | |
20 | # Configurable portions of the Makefile | |
21 | # | |
22 | ||
23 | # Build compatibility policies | |
134191be CP |
24 | POLICYCOMPAT = 18 |
25 | ||
26 | # Build MLS policies | |
27 | MLS=n | |
b4cd1533 CP |
28 | |
29 | # set distribution | |
c9a26b3e | 30 | override M4PARAM += -D distro_redhat |
b4cd1533 CP |
31 | |
32 | # Uncomment this to disable command echoing | |
33 | #QUIET:=@ | |
34 | ||
35 | ######################################## | |
36 | # | |
37 | # Invariant portions of the Makefile | |
38 | # | |
39 | ||
40 | # executable paths | |
41 | PREFIX := /usr | |
42 | BINDIR := $(PREFIX)/bin | |
43 | SBINDIR := $(PREFIX)/sbin | |
44 | CHECKPOLICY := $(BINDIR)/checkpolicy | |
547283e2 | 45 | LOADPOLICY := $(SBINDIR)/load_policy |
b4cd1533 | 46 | SETFILES := $(SBINDIR)/setfiles |
004db90d | 47 | XMLLINT := $(BINDIR)/xmllint |
b4cd1533 | 48 | |
134191be CP |
49 | # enable MLS if requested. |
50 | ifeq ($(MLS),y) | |
51 | override M4PARAM += -D enable_mls | |
52 | CHECKPOLICY += -M | |
53 | endif | |
54 | ||
55 | ifneq ($(POLICYCOMPAT),) | |
56 | CHECKPOLICY += -c $(POLICYCOMPAT) | |
57 | endif | |
58 | ||
b4cd1533 | 59 | # determine the policy version and current kernel version if possible |
134191be | 60 | PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') |
b4cd1533 CP |
61 | KV := $(shell cat /selinux/policyvers) |
62 | ||
63 | # dont print version warnings if we are unable to determine | |
64 | # the currently running kernel's policy version | |
65 | ifeq ($(KV),) | |
134191be | 66 | KV := $(PV) |
b4cd1533 CP |
67 | endif |
68 | ||
69 | FC := file_contexts | |
70 | POLVER := policy.$(PV) | |
71 | TYPE := strict | |
72 | ||
73 | # install paths | |
74 | TOPDIR = $(DESTDIR)/etc/selinux | |
75 | INSTALLDIR = $(TOPDIR)/$(TYPE) | |
76 | POLICYPATH = $(INSTALLDIR)/policy | |
77 | SRCPATH = $(INSTALLDIR)/src | |
78 | USERPATH = $(INSTALLDIR)/users | |
79 | CONTEXTPATH = $(INSTALLDIR)/contexts | |
80 | LOADPATH = $(POLICYPATH)/$(POLVER) | |
81 | FCPATH = $(CONTEXTPATH)/files/file_contexts | |
82 | HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template | |
83 | ||
84 | BASE_MODULE = kernel | |
134191be | 85 | FLASKDIR = flask |
2926f9c7 | 86 | APPCONF = appconfig |
b4cd1533 | 87 | |
c9a26b3e CP |
88 | APPDIR := $(CONTEXTPATH) |
89 | APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media | |
2926f9c7 | 90 | CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media |
134191be | 91 | USER_FILES := users |
c9a26b3e | 92 | |
b4cd1533 | 93 | DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) |
2926f9c7 | 94 | ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS)) |
b4cd1533 | 95 | |
134191be | 96 | PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls |
2926f9c7 CP |
97 | ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if)) |
98 | ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) | |
134191be | 99 | POST_TE_FILES := users constraints initial_sid_contexts fs_use |
b4cd1533 | 100 | |
2926f9c7 | 101 | ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc)) |
b4cd1533 | 102 | |
f66a1af9 | 103 | POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf |
b4cd1533 | 104 | |
b4cd1533 CP |
105 | ######################################## |
106 | # | |
107 | # default action: build policy locally | |
108 | # | |
109 | default: policy | |
110 | ||
111 | policy: $(POLVER) | |
112 | ||
c9a26b3e CP |
113 | install: $(LOADPATH) $(FCPATH) $(USERPATH)/local.users |
114 | ||
115 | load: tmp/load | |
b4cd1533 CP |
116 | |
117 | ######################################## | |
118 | # | |
119 | # Build a binary policy locally | |
120 | # | |
121 | $(POLVER): policy.conf | |
88c72f44 | 122 | @echo "Compiling $(POLVER)" |
b4cd1533 CP |
123 | ifneq ($(PV),$(KV)) |
124 | @echo | |
125 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
126 | @echo | |
127 | endif | |
134191be | 128 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 CP |
129 | |
130 | ######################################## | |
131 | # | |
132 | # Install a binary policy | |
133 | # | |
134 | $(LOADPATH): policy.conf | |
135 | @mkdir -p $(POLICYPATH) | |
88c72f44 | 136 | @echo "Compiling and installing $(LOADPATH)" |
b4cd1533 CP |
137 | ifneq ($(PV),$(KV)) |
138 | @echo | |
139 | @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" | |
140 | @echo | |
141 | endif | |
134191be | 142 | $(QUIET) $(CHECKPOLICY) $^ -o $@ |
b4cd1533 | 143 | |
88d14a22 CP |
144 | ######################################## |
145 | # | |
146 | # Load the binary policy | |
147 | # | |
148 | reload tmp/load: $(LOADPATH) $(FCPATH) | |
88c72f44 | 149 | @echo "Loading $(LOADPATH)" |
88d14a22 CP |
150 | $(QUIET) $(LOADPOLICY) -q $(LOADPATH) |
151 | @touch tmp/load | |
152 | ||
b4cd1533 CP |
153 | ######################################## |
154 | # | |
155 | # Construct a monolithic policy.conf | |
156 | # | |
157 | policy.conf: $(POLICY_SECTIONS) | |
88c72f44 CP |
158 | @echo "Creating policy.conf" |
159 | # checkpolicy can use the #line directives provided by -s for error reporting: | |
c9a26b3e | 160 | $(QUIET) m4 $(M4PARAM) -D monolithic_policy -s $^ > tmp/$@.tmp |
b4cd1533 | 161 | $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ |
88c72f44 | 162 | # the ordering of these ocontexts matters: |
b4cd1533 CP |
163 | $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true |
164 | $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true | |
165 | $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true | |
166 | ||
167 | tmp/pre_te_files.conf: $(PRE_TE_FILES) | |
168 | @test -d tmp || mkdir -p tmp | |
169 | $(QUIET) cat $^ > $@ | |
170 | ||
2926f9c7 | 171 | tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te |
b4cd1533 CP |
172 | @test -d tmp || mkdir -p tmp |
173 | $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ | |
0634b6e7 | 174 | $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \ |
b4cd1533 CP |
175 | echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ |
176 | >> $@ ;\ | |
177 | done | |
178 | $(QUIET) echo "')" >> $@ | |
179 | $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ | |
180 | echo "define(\`$$i')" >> $@ ;\ | |
181 | done | |
c9a26b3e CP |
182 | $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \ |
183 | | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \ | |
bd202fe1 | 184 | | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ |
88c72f44 CP |
185 | # this is so the xml works: |
186 | $(QUIET) echo "## </module>" >> $@ | |
b4cd1533 CP |
187 | |
188 | tmp/all_interfaces.conf: $(ALL_INTERFACES) | |
189 | @test -d tmp || mkdir -p tmp | |
190 | $(QUIET) cat $^ > $@ | |
191 | ||
192 | tmp/all_te_files.conf: $(ALL_TE_FILES) | |
193 | @test -d tmp || mkdir -p tmp | |
194 | $(QUIET) cat $^ > $@ | |
195 | ||
196 | tmp/post_te_files.conf: $(POST_TE_FILES) | |
197 | @test -d tmp || mkdir -p tmp | |
198 | $(QUIET) cat $^ > $@ | |
199 | ||
200 | # extract attributes and put them first. extract post te stuff | |
201 | # like genfscon and put last. portcon, nodecon, and netifcon | |
202 | # is delayed since they are generated by m4 | |
f66a1af9 CP |
203 | tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf |
204 | $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true | |
205 | $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf | |
b4cd1533 CP |
206 | $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf |
207 | $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true | |
f66a1af9 | 208 | $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf |
b4cd1533 | 209 | |
88d14a22 CP |
210 | ######################################## |
211 | # | |
212 | # Remove the dontaudit rules from the policy.conf | |
213 | # | |
214 | enableaudit: policy.conf | |
215 | @test -d tmp || mkdir -p tmp | |
216 | @echo "Removing dontaudit rules from policy.conf" | |
217 | $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit | |
218 | $(QUIET) mv tmp/policy.audit policy.conf | |
219 | ||
6d314fd3 CP |
220 | ######################################## |
221 | # | |
222 | # Construct file_contexts | |
223 | # | |
224 | $(FC): kernel/global.if $(ALL_FC_FILES) | |
225 | @test -d tmp || mkdir -p tmp | |
226 | $(QUIET) m4 $(M4PARAM) $^ > $@ | |
227 | ||
547283e2 CP |
228 | ######################################## |
229 | # | |
230 | # Install file_contexts | |
231 | # | |
c9a26b3e | 232 | $(FCPATH): $(FC) $(USERPATH)/system.users |
547283e2 CP |
233 | @mkdir -p $(CONTEXTPATH)/files |
234 | $(QUIET) install -m 644 $(FC) $(FCPATH) | |
235 | # $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) | |
236 | # $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) | |
237 | ||
b4cd1533 CP |
238 | ######################################## |
239 | # | |
240 | # Filesystem labeling | |
241 | # | |
88d14a22 | 242 | FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` |
b4cd1533 | 243 | |
88d14a22 CP |
244 | checklabels: $(FC) $(SETFILES) |
245 | @if test -z "$(FILESYSTEMS)"; then \ | |
246 | echo "No filesystems with extended attributes found!" ;\ | |
247 | false ;\ | |
248 | fi | |
b4cd1533 CP |
249 | $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) |
250 | ||
88d14a22 CP |
251 | restorelabels: $(FC) $(SETFILES) |
252 | @if test -z "$(FILESYSTEMS)"; then \ | |
253 | echo "No filesystems with extended attributes found!" ;\ | |
254 | false ;\ | |
255 | fi | |
b4cd1533 CP |
256 | $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) |
257 | ||
258 | relabel: $(FC) $(SETFILES) | |
88d14a22 CP |
259 | @if test -z "$(FILESYSTEMS)"; then \ |
260 | echo "No filesystems with extended attributes found!" ;\ | |
261 | false ;\ | |
262 | fi | |
b4cd1533 CP |
263 | $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) |
264 | ||
6d314fd3 CP |
265 | ######################################## |
266 | # | |
267 | # Documentation generation | |
268 | # | |
269 | ||
270 | xml: policy.xml | |
271 | ||
272 | policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf | |
88c72f44 | 273 | @echo "Creating $@" |
004db90d CP |
274 | $(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ |
275 | $(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@ | |
276 | $(QUIET) echo "<policy>" >> $@ | |
3c62aa31 CP |
277 | # process this through m4 to eliminate the generated definitions. |
278 | # currently these are only in corenetwork.if | |
004db90d | 279 | $(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@ |
88c72f44 | 280 | $(QUIET) echo "</policy>" >> $@ |
004db90d CP |
281 | $(QUIET) if test -x $(XMLLINT) && test -f policy.dtd; then \ |
282 | $(XMLLINT) --noout --dtdvalid policy.dtd $@ ;\ | |
283 | fi | |
6d314fd3 | 284 | |
c9a26b3e CP |
285 | ######################################## |
286 | # | |
287 | # Runtime binary policy patching of users | |
288 | # | |
289 | $(USERPATH)/system.users: $(USER_FILES) tmp/generated_definitions.conf | |
290 | @mkdir -p $(USERPATH) | |
291 | @echo "Installing system.users" | |
292 | @echo "# " > tmp/system.users | |
293 | @echo "# Do not edit this file. " >> tmp/system.users | |
294 | @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users | |
295 | @echo "# Please edit local.users to make local changes." >> tmp/system.users | |
296 | @echo "#" >> tmp/system.users | |
297 | $(QUIET) m4 $(M4PARAM) tmp/generated_definitions.conf $(USER_FILES) | \ | |
298 | egrep -v "^[[:space:]]*($$|#)" >> tmp/system.users | |
299 | $(QUIET) install -m 644 tmp/system.users $@ | |
300 | ||
301 | $(USERPATH)/local.users: local.users | |
302 | @mkdir -p $(USERPATH) | |
303 | @echo "Installing local.users" | |
304 | $(QUIET) install -C -b -m 644 $< $@ | |
305 | ||
306 | ######################################## | |
307 | # | |
308 | # Appconfig files | |
309 | # | |
310 | install-appconfig: $(APPFILES) | |
311 | ||
2926f9c7 | 312 | $(CONTEXTPATH)/files/media: $(APPCONF)/media |
c9a26b3e CP |
313 | mkdir -p $(CONTEXTPATH)/files/ |
314 | install -m 644 $< $@ | |
315 | ||
2926f9c7 | 316 | $(APPDIR)/default_contexts: $(APPCONF)/default_contexts |
c9a26b3e CP |
317 | mkdir -p $(APPDIR) |
318 | install -m 644 $< $@ | |
319 | ||
2926f9c7 | 320 | $(APPDIR)/removable_context: $(APPCONF)/removable_context |
c9a26b3e CP |
321 | mkdir -p $(APPDIR) |
322 | install -m 644 $< $@ | |
323 | ||
324 | $(APPDIR)/customizable_types: policy.conf | |
325 | mkdir -p $(APPDIR) | |
326 | @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types | |
327 | install -m 644 tmp/customizable_types $@ | |
328 | ||
2926f9c7 | 329 | $(APPDIR)/default_type: $(APPCONF)/default_type |
c9a26b3e CP |
330 | mkdir -p $(APPDIR) |
331 | install -m 644 $< $@ | |
332 | ||
2926f9c7 | 333 | $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context |
c9a26b3e CP |
334 | mkdir -p $(APPDIR) |
335 | install -m 644 $< $@ | |
336 | ||
2926f9c7 | 337 | $(APPDIR)/initrc_context: $(APPCONF)/initrc_context |
c9a26b3e CP |
338 | mkdir -p $(APPDIR) |
339 | install -m 644 $< $@ | |
340 | ||
2926f9c7 | 341 | $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context |
c9a26b3e CP |
342 | mkdir -p $(APPDIR) |
343 | install -m 644 $< $@ | |
344 | ||
2926f9c7 | 345 | $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts |
c9a26b3e CP |
346 | mkdir -p $(APPDIR) |
347 | install -m 644 $< $@ | |
348 | ||
2926f9c7 | 349 | $(APPDIR)/users/root: $(APPCONF)/root_default_contexts |
c9a26b3e CP |
350 | mkdir -p $(APPDIR)/users |
351 | install -m 644 $< $@ | |
352 | ||
b4cd1533 CP |
353 | clean: |
354 | rm -fR tmp | |
6d314fd3 | 355 | rm -f policy.xml |
b4cd1533 CP |
356 | rm -f policy.conf |
357 | rm -f policy.$(PV) | |
358 | rm -f $(FC) | |
359 | ||
88c72f44 | 360 | .PHONY: default policy install reload enableaudit checklabels restorelabels relabel xml clean |