[people/stevee/selinux-policy.git] / refpolicy / Makefile

########################################
#
# Configurable portions of the Makefile
#

# Build compatibility policies 
POLICYCOMPAT = -c 18

# set distribution
#override M4PARAM += -D distro_redhat

# Uncomment this to disable command echoing
#QUIET:=@

########################################
#
# Invariant portions of the Makefile
#

# executable paths
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
SETFILES := $(SBINDIR)/setfiles

# determine the policy version and current kernel version if possible
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KV := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(KV),)
KV := $(PV)
endif

FC := file_contexts
POLVER := policy.$(PV)
TYPE := strict

# install paths
TOPDIR = $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/

DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))

PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)

ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))

POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf

override M4PARAM += -D monolithic_policy

########################################
#
# default action: build policy locally
#
default: policy

policy: $(POLVER)

install: $(LOADPATH)

########################################
#
# Build a binary policy locally
#
$(POLVER): policy.conf
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER)

########################################
#
# Install a binary policy
#
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)

########################################
#
# Construct a monolithic policy.conf
#
policy.conf: $(POLICY_SECTIONS)
	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
	$(QUIET) # the ordering of these ocontexts matters:
	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true

tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(ALL_MODULES); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@

tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

tmp/post_te_files.conf: $(POST_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.  portcon, nodecon, and netifcon
# is delayed since they are generated by m4
tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf

########################################
#
# Construct file_contexts
#
$(FC): $(ALL_FC_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@

########################################
#
# Filesystem labeling
#
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

checklabels: $(SETFILES)
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(SETFILES)
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)

clean:
	rm -fR tmp
	rm -f policy.conf
	rm -f policy.$(PV)
	rm -f $(FC)

.PHONY: default clean policy install
Commit	Line	Data
b4cd1533 CP	1	########################################
	2	#
	3	# Configurable portions of the Makefile
	4	#
	5
	6	# Build compatibility policies
	7	POLICYCOMPAT = -c 18
	8
	9	# set distribution
	10	#override M4PARAM += -D distro_redhat
	11
	12	# Uncomment this to disable command echoing
	13	#QUIET:=@
	14
	15	########################################
	16	#
	17	# Invariant portions of the Makefile
	18	#
	19
	20	# executable paths
	21	PREFIX := /usr
	22	BINDIR := $(PREFIX)/bin
	23	SBINDIR := $(PREFIX)/sbin
	24	CHECKPOLICY := $(BINDIR)/checkpolicy
	25	SETFILES := $(SBINDIR)/setfiles
	26
	27	# determine the policy version and current kernel version if possible
	28	PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V \|cut -f 1 -d ' ')
	29	KV := $(shell cat /selinux/policyvers)
	30
	31	# dont print version warnings if we are unable to determine
	32	# the currently running kernel's policy version
	33	ifeq ($(KV),)
	34	KV := $(PV)
	35	endif
	36
	37	FC := file_contexts
	38	POLVER := policy.$(PV)
	39	TYPE := strict
	40
	41	# install paths
	42	TOPDIR = $(DESTDIR)/etc/selinux
	43	INSTALLDIR = $(TOPDIR)/$(TYPE)
	44	POLICYPATH = $(INSTALLDIR)/policy
	45	SRCPATH = $(INSTALLDIR)/src
	46	USERPATH = $(INSTALLDIR)/users
	47	CONTEXTPATH = $(INSTALLDIR)/contexts
	48	LOADPATH = $(POLICYPATH)/$(POLVER)
	49	FCPATH = $(CONTEXTPATH)/files/file_contexts
	50	HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
	51
	52	BASE_MODULE = kernel
	53	FLASKDIR = $(BASE_MODULE)/flask/
	54	MISCDIR = $(BASE_MODULE)/misc/
	55
	56	DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
	57	ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))
	58
	59	PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
	60	ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
	61	ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
	62	POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)
	63
	64	ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
65
66	POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
67
68	override M4PARAM += -D monolithic_policy
69
70	########################################
71	#
72	# default action: build policy locally
73	#
74	default: policy
75
76	policy: $(POLVER)
77
78	install: $(LOADPATH)
79
80	########################################
81	#
82	# Build a binary policy locally
83	#
84	$(POLVER): policy.conf
85	ifneq ($(PV),$(KV))
86	@echo
87	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
88	@echo
89	endif
90	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER)
91
92	########################################
93	#
94	# Install a binary policy
95	#
96	$(LOADPATH): policy.conf
97	@mkdir -p $(POLICYPATH)
98	ifneq ($(PV),$(KV))
99	@echo
100	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
101	@echo
102	endif
103	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
104
105	########################################
106	#
107	# Construct a monolithic policy.conf
108	#
109	policy.conf: $(POLICY_SECTIONS)
110	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
111	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
112	$(QUIET) # the ordering of these ocontexts matters:
113	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ \|\| true
114	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ \|\| true
115	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ \|\| true
116
117	tmp/pre_te_files.conf: $(PRE_TE_FILES)
118	@test -d tmp \|\| mkdir -p tmp
119	$(QUIET) cat $^ > $@
120
121	tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
122	@test -d tmp \|\| mkdir -p tmp
123	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
124	$(QUIET) for i in $(ALL_MODULES); do \
125	echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
126	>> $@ ;\
127	done
128	$(QUIET) echo "')" >> $@
129	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
130	echo "define(\`$$i')" >> $@ ;\
131	done
132	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
133	\| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
134
135	tmp/all_interfaces.conf: $(ALL_INTERFACES)
136	@test -d tmp \|\| mkdir -p tmp
137	$(QUIET) cat $^ > $@
138
139	tmp/all_te_files.conf: $(ALL_TE_FILES)
140	@test -d tmp \|\| mkdir -p tmp
141	$(QUIET) cat $^ > $@
142
143	tmp/post_te_files.conf: $(POST_TE_FILES)
144	@test -d tmp \|\| mkdir -p tmp
145	$(QUIET) cat $^ > $@
146
147	# extract attributes and put them first. extract post te stuff
148	# like genfscon and put last. portcon, nodecon, and netifcon
149	# is delayed since they are generated by m4
150	tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
151	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf \|\| true
152	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
153	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf \|\| true
154	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
155
156	########################################
157	#
158	# Construct file_contexts
159	#
160	$(FC): $(ALL_FC_FILES)
161	@test -d tmp \|\| mkdir -p tmp
162	$(QUIET) m4 $(M4PARAM) $^ > $@
163
164	########################################
165	#
166	# Filesystem labeling
167	#
168	FILESYSTEMS=`mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\| jfs).*rw/{print $$3}';`
169
170	checklabels: $(SETFILES)
171	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
172
173	restorelabels: $(SETFILES)
174	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
175
176	relabel: $(FC) $(SETFILES)
177	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
178
179	clean:
180	rm -fR tmp
181	rm -f policy.conf
182	rm -f policy.$(PV)
183	rm -f $(FC)
184
185	.PHONY: default clean policy install