Commit | Line | Data |
---|---|---|
b4cd1533 CP |
1 | ######################################## |
2 | # | |
3 | # Configurable portions of the Makefile | |
4 | # | |
5 | ||
# Extra checkpolicy arguments.  They are passed both when querying the
# policy version (-V) and when compiling, so the two always agree.
POLICYCOMPAT = -c 18

# Distribution selection: uncomment to hand -D distro_redhat to m4.
#override M4PARAM += -D distro_redhat

# Command echoing: uncomment to prefix the $(QUIET) recipe lines with @.
#QUIET:=@
14 | ||
15 | ######################################## | |
16 | # | |
17 | # Invariant portions of the Makefile | |
18 | # | |
19 | ||
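# Absolute paths of the SELinux tools invoked by the recipes.
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
SETFILES := $(SBINDIR)/setfiles

# PV: first space-separated field of `checkpolicy $(POLICYCOMPAT) -V`.
# stderr is not suppressed here: if checkpolicy cannot be run, PV is empty
# and POLVER below degenerates to "policy.", which should stay visible.
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
# KV: policy version reported by the running kernel.  stderr is discarded
# because an unreadable /selinux/policyvers is an expected case that the
# fallback below already handles; without this every make run on such a
# host prints a cat error.
KV := $(shell cat /selinux/policyvers 2>/dev/null)

# When the kernel's policy version cannot be determined, treat it as equal
# to PV so the version-mismatch warning in the build and install rules is
# not printed.
ifeq ($(KV),)
KV := $(PV)
endif

# FC: generated file_contexts; POLVER: name of the compiled policy file;
# TYPE: policy type, used as the directory name under $(TOPDIR).
FC := file_contexts
POLVER := policy.$(PV)
TYPE := strict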
40 | ||
# Installation layout.  These are recursively expanded (=), so DESTDIR and
# TYPE are read at the point of use; DESTDIR is not set in this file and
# expands to nothing unless the caller provides it.
TOPDIR      = $(DESTDIR)/etc/selinux
INSTALLDIR  = $(TOPDIR)/$(TYPE)

# Directories below the per-type install root.
POLICYPATH  = $(INSTALLDIR)/policy
SRCPATH     = $(INSTALLDIR)/src
USERPATH    = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts

# Individual installed files.  LOADPATH is the target of `make install`.
LOADPATH    = $(POLICYPATH)/$(POLVER)
FCPATH      = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
51 | ||
# The base module.  FLASKDIR and MISCDIR keep their trailing slash because
# they are used as $(addprefix) prefixes below.
BASE_MODULE = kernel
FLASKDIR = $(BASE_MODULE)/flask/
MISCDIR = $(BASE_MODULE)/misc/

# Module discovery: every directory at the top level of the source tree,
# except tmp, is treated as a policy module.
# NOTE(review): discovery is purely by directory presence, so any stray
# directory here contributes its .if/.te/.fc files to the built policy.
# Build only from a tree whose contents are trusted.
DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))

# Inputs, in the order they are assembled: flask definitions, module
# interfaces, module type-enforcement files, then the misc/ files.
PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ALL_INTERFACES := $(wildcard $(addsuffix /*.if,$(ALL_MODULES)))
ALL_TE_FILES := $(wildcard $(addsuffix /*.te,$(ALL_MODULES)))
POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)

# Per-module file context specifications, merged into $(FC).
ALL_FC_FILES := $(wildcard $(addsuffix /*.fc,$(ALL_MODULES)))

# Intermediate files handed to m4, in this order, to produce policy.conf.
POLICY_SECTIONS := $(addprefix tmp/,pre_te_files.conf generated_definitions.conf all_interfaces.conf all_attributes.conf only_te_rules.conf all_post.conf)

# Always define monolithic_policy for m4, even if M4PARAM was given on the
# command line.
override M4PARAM += -D monolithic_policy
69 | ||
70 | ######################################## | |
71 | # | |
72 | # default action: build policy locally | |
73 | # | |
# First rule in the file, hence what a bare `make` runs: compile the policy
# in the working directory without installing it.
default: policy

# Compile policy.conf straight to the installed location $(LOADPATH).
install: $(LOADPATH)

# Compile policy.conf to $(POLVER) in the working directory.
policy: $(POLVER)
79 | ||
80 | ######################################## | |
81 | # | |
82 | # Build a binary policy locally | |
83 | # | |
# Compile policy.conf into the binary policy file in the working directory.
# The ifneq is evaluated when the Makefile is parsed: the warning line is
# part of the recipe only if the checkpolicy version (PV) differs from the
# kernel's version (KV).
$(POLVER): policy.conf
ifneq ($(PV),$(KV))
	@printf '\n%s\n\n' 'WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?'
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $< -o $@
91 | ||
92 | ######################################## | |
93 | # | |
94 | # Install a binary policy | |
95 | # | |
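# Compile policy.conf directly into the installed policy location.
#
# The compiler writes to a temporary file next to the target, which is
# renamed over $(LOADPATH) only after checkpolicy exits successfully.  A
# failed or interrupted compile therefore leaves the previously installed
# policy untouched rather than a truncated file at the path the system
# loads its policy from.
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $< -o $@.tmp || { rm -f $@.tmp; exit 1; }
	$(QUIET) mv -f $@.tmp $@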
104 | ||
105 | ######################################## | |
106 | # | |
107 | # Construct a monolithic policy.conf | |
108 | # | |
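# Run all policy sections through m4, then move the portcon, netifcon and
# nodecon statements to the end of the file in that order.
#
# The result is assembled in tmp/policy.conf.new and renamed to policy.conf
# as the last step, so a recipe that fails half-way never leaves a partial
# policy.conf that a later run would treat as up to date.  grep exits 1
# when nothing matches, which is acceptable here; any other non-zero status
# is a real error and now fails the build instead of silently dropping
# those statements from the policy.
policy.conf: $(POLICY_SECTIONS)
	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
	$(QUIET) sed -e '/^portcon/d' -e '/^nodecon/d' -e '/^netifcon/d' < tmp/$@.tmp > tmp/$@.new
	$(QUIET) # the ordering of these ocontexts matters:
	$(QUIET) grep '^portcon' tmp/$@.tmp >> tmp/$@.new || [ $$? -eq 1 ]
	$(QUIET) grep '^netifcon' tmp/$@.tmp >> tmp/$@.new || [ $$? -eq 1 ]
	$(QUIET) grep '^nodecon' tmp/$@.tmp >> tmp/$@.new || [ $$? -eq 1 ]
	$(QUIET) mv -f tmp/$@.new $@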
116 | ||
# Concatenate the flask definitions (security classes, initial SIDs and
# access vectors) into the first policy section.
tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@mkdir -p tmp
	$(QUIET) cat $^ > $@
120 | ||
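# Generate the m4 definitions that depend on which modules are present:
#   1. a per_userdomain_templates macro whose body, for each module
#      directory, invokes <module>_per_userdomain_template($1) if that
#      macro is defined;
#   2. one define() per .te file name;
#   3. the output of the corenetwork interface/te files expanded with
#      -D interface_pass, with the dollarsone/dollarstwo placeholders
#      turned back into $1/$2.
#
# Step 3 goes through an intermediate file instead of a pipe.  With a pipe
# the recipe line's status is sed's, so an m4 failure would go unnoticed
# and the definitions file would be silently incomplete.
#
# The module directories are prerequisites too; a directory's mtime changes
# when entries are added or removed, which re-triggers this rule.
tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
	$(QUIET) for i in $(ALL_MODULES); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te > $@.m4
	$(QUIET) sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' < $@.m4 >> $@
	$(QUIET) rm -f $@.m4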
134 | ||
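# Concatenate every module's interface (.if) file.
# stdin is redirected from /dev/null: ALL_INTERFACES comes from a wildcard
# and can be empty, in which case a bare `cat` would block reading the
# terminal instead of producing an empty section.
tmp/all_interfaces.conf: $(ALL_INTERFACES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ < /dev/null > $@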
138 | ||
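# Concatenate every module's type-enforcement (.te) file.
# stdin is redirected from /dev/null: ALL_TE_FILES comes from a wildcard
# and can be empty, in which case a bare `cat` would block reading the
# terminal instead of producing an empty file.
tmp/all_te_files.conf: $(ALL_TE_FILES)
	@test -d tmp || mkdir -p tmp
	$(QUIET) cat $^ < /dev/null > $@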
142 | ||
# Concatenate the misc/ files (users, constraints, mls, initial SID
# contexts, fs_use and genfs contexts) that follow the TE rules.
tmp/post_te_files.conf: $(POST_TE_FILES)
	@mkdir -p tmp
	$(QUIET) cat $^ > $@
146 | ||
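# Split the concatenated .te content: attribute declarations are extracted
# so they can come first, genfscon statements are appended to the post-TE
# content so they come last, and everything else stays as the TE rules.
# portcon, nodecon and netifcon are handled later, in the policy.conf rule,
# because they are generated by m4.
#
# One rule per output file.  A single header naming all three targets
# defines three independent rules sharing one recipe; under `make -j` those
# can run at the same time and overwrite each other's output, producing a
# corrupted policy section.
#
# grep exits 1 when nothing matches, which is fine; any other non-zero
# status is a real error and fails the build.
tmp/all_attributes.conf: tmp/all_te_files.conf
	$(QUIET) grep '^attribute' $< > $@ || [ $$? -eq 1 ]

tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) cat tmp/post_te_files.conf > $@
	$(QUIET) grep '^genfscon' tmp/all_te_files.conf >> $@ || [ $$? -eq 1 ]

tmp/only_te_rules.conf: tmp/all_te_files.conf
	$(QUIET) sed -e '/^attribute/d' -e '/^genfscon/d' < $< > $@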
155 | ||
156 | ######################################## | |
157 | # | |
158 | # Construct file_contexts | |
159 | # | |
# Expand every module's .fc file with m4 into the single file_contexts
# specification consumed by setfiles.
$(FC): $(ALL_FC_FILES)
	@mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $^ > $@
163 | ||
164 | ######################################## | |
165 | # | |
166 | # Filesystem labeling | |
167 | # | |
# Shell command substitution, evaluated by the recipe's shell rather than
# by make.  It selects lines of `mount` output matching the awk pattern
# (ext2, ext3, xfs or jfs followed by rw), after dropping mounts that carry
# a context= option and bind mounts, and prints the third field (the mount
# point).
# NOTE(review): the result is word-split by the shell, so a mount point
# containing whitespace would reach setfiles as several arguments.
FILESYSTEMS = `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`

# Report (-v) what would be relabeled without changing anything (-n).
# $(FC) is not a prerequisite here, so the file_contexts already present in
# the working directory is used as-is.
checklabels: $(SETFILES)
	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)

# Relabel the selected filesystems verbosely.  As above, $(FC) is not
# rebuilt first; only `relabel` depends on it.
restorelabels: $(SETFILES)
	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)

# Rebuild $(FC) if needed, then relabel the selected filesystems.
relabel: $(FC) $(SETFILES)
	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
178 | ||
# Remove everything this Makefile generates in the working directory:
# file_contexts, the compiled policy, policy.conf and the tmp/ scratch
# directory.  Nothing under the install paths is touched.
clean:
	rm -f $(FC)
	rm -f $(POLVER)
	rm -f policy.conf
	rm -fR tmp
184 | ||
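# None of these names is a file the build produces.  The three labeling
# targets are declared too: without that, a file called `relabel` (or
# `checklabels`, `restorelabels`) in the source tree makes the matching
# command a silent no-op, and an operator could believe labels were applied
# when nothing ran.
.PHONY: default clean policy install checklabels restorelabels relabel

# Delete a target whose recipe fails after modifying it.  Most recipes here
# write with shell redirection, which creates the target before the command
# has succeeded; without this a truncated section would look up to date on
# the next run and could end up in the compiled policy.
.DELETE_ON_ERROR: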