add support for netfilter_contexts
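########################################
#
# Rules and Targets for building modular policies
#
# NOTE(review): every input used below (BASE_MODS, MOD_MODS, OFF_MODS,
# BUILDDIR, TMPDIR, MODPKGDIR, POLDIR, ...) is defined outside this file.
# Fixed-name intermediates are written under $(TMPDIR) and the clean target
# removes it recursively, so confirm that the including makefile points TMPDIR
# at a build-private directory instead of inheriting it from the environment.
#

ALL_MODULES := $(BASE_MODS) $(MOD_MODS) $(OFF_MODS)
ALL_INTERFACES := $(ALL_MODULES:.te=.if)

# BUILDDIR is used as a bare prefix: no "/" is inserted after it.
BASE_PKG := $(BUILDDIR)base.pp
BASE_FC := $(BUILDDIR)base.fc
BASE_CONF := $(BUILDDIR)base.conf
BASE_MOD := $(TMPDIR)/base.mod

USERS_EXTRA := $(TMPDIR)/users_extra

# base.conf is the concatenation of these sections, in this order.
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/all_attrs_types.conf $(TMPDIR)/global_bools.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf

BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
BASE_TE_FILES := $(BASE_MODS)
BASE_POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
BASE_FC_FILES := $(BASE_MODS:.te=.fc)

MOD_MODULES := $(MOD_MODS:.te=.mod)
MOD_PKGS := $(addprefix $(BUILDDIR),$(notdir $(MOD_MODS:.te=.pp)))

# policy packages to install
# MOD_PKGS already carries the BUILDDIR prefix, so it is stripped together with
# BASE_PKG's.  Otherwise a non-empty BUILDDIR would end up inside the
# $(MODPKGDIR)/ path and the install pattern rule would look for a doubled
# $(BUILDDIR)$(BUILDDIR)name.pp source.
INSTPKG := $(addprefix $(MODPKGDIR)/,$(notdir $(BASE_PKG) $(MOD_PKGS)))

# search layer dirs for source files
vpath %.te $(ALL_LAYERS)
vpath %.if $(ALL_LAYERS)
vpath %.fc $(ALL_LAYERS)

# broken in make 3.81:
#.SECONDARY:
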
########################################
#
# default action: create all module packages
#
default: policy

# "all" and "policy" are synonyms: the base package plus every module package.
all: base modules
policy: base modules

base: $(BASE_PKG)

modules: $(MOD_PKGS)

# Builds every path in INSTPKG plus whatever APPFILES names (defined outside
# this file).
install: $(INSTPKG) $(APPFILES)

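########################################
#
# Load all configured modules
#
# Passes the installed base package (-b) and every installed module package
# (-i) to $(SEMODULE) for the policy named $(NAME).  This changes the policy
# of the machine the recipe runs on.
#
load: $(INSTPKG) $(APPFILES)
	@echo "Loading configured modules."
# MOD_PKGS entries carry the BUILDDIR prefix; strip it so each -i argument is
# the path the package was actually installed to under $(MODPKGDIR).
	$(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(notdir $(BASE_PKG)) $(foreach mod,$(notdir $(MOD_PKGS)),-i $(MODPKGDIR)/$(mod))
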
########################################
#
# Install policy packages
#
# Copies one built package from $(BUILDDIR) into the package directory with
# mode 0644.  Ownership is whatever the invoking user's install(1) gives it.
#
$(MODPKGDIR)/%.pp: $(BUILDDIR)%.pp
	@mkdir -p $(@D)
	@echo "Installing $(NAME) $(@F) policy package."
	$(verbose) install -m 0644 $^ $(@D)

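########################################
#
# Build module packages
#
# Compile one module: expand its .te source with m4 (support macros, the
# generated definitions and all interfaces first, in that order), then compile
# the expanded text with $(CHECKMODULE) -m.  peruser-expansion is defined
# outside this file; it is called here to produce $@.role, which is appended
# to the m4 input.
#
$(TMPDIR)/%.mod: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf %.te
	@echo "Compiling $(NAME) $(@F) module"
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(call peruser-expansion,$(basename $(@F)),$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
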
# Expand a module's file-context source (%.fc, located through vpath) with m4.
# NOTE(review): $(M4SUPPORT) is named explicitly and is also part of $^, so the
# support macros are fed to m4 twice; confirm that is intended.
$(TMPDIR)/%.mod.fc: $(M4SUPPORT) %.fc
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) $(M4SUPPORT) $^ > $@

# Bundle a compiled module (first prerequisite) and its expanded file contexts
# (second prerequisite) into one policy package.
$(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
	@echo "Creating $(NAME) $(@F) policy package"
	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $(word 2,$^)

########################################
#
# Create a base module package
#
# Packages the compiled base module together with the sorted file contexts,
# users_extra, seusers and the netfilter contexts file.
# NOTE(review): SEUSERS and net_contexts are defined outside this file; if
# either expands to nothing, its option (-s / -n) is left without an argument.
#
$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS) $(net_contexts)
	@echo "Creating $(NAME) base module package"
	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) -n $(net_contexts)

# Compile the assembled base.conf into the base module.  Unlike the per-module
# rule, $(CHECKMODULE) is invoked here without -m.
$(BASE_MOD): $(BASE_CONF)
	@echo "Compiling $(NAME) base module"
	$(verbose) $(CHECKMODULE) $^ -o $@

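# Generate users_extra: expand the user files with users_extra defined, strip
# leading blanks and keep only the lines that start with "user".
#
# The m4 output goes through an intermediate file instead of a pipe.  With a
# pipe the recipe's exit status is sed's alone, so a failing m4 would leave a
# truncated users_extra that still looks up to date and is then packaged.
$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.m4out
	$(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $@.m4out > $@
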
########################################
#
# Construct a base.conf
#
# base.conf is the plain concatenation of the BASE_SECTIONS files; their order
# in that variable is the order in which they appear in the output.
#
$(BASE_CONF): $(BASE_SECTIONS)
	@echo "Creating $(NAME) base module $(@F)"
	@test -d $(@D) || mkdir -p $(@D)
	$(verbose) cat $^ > $@

# Everything that precedes the TE rules (BASE_PRE_TE_FILES), expanded with
# self_contained_policy defined for this target only.
$(TMPDIR)/pre_te_files.conf: M4PARAM += -D self_contained_policy
$(TMPDIR)/pre_te_files.conf: $(BASE_PRE_TE_FILES)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

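# Generated m4 definitions: the $(GENPERM) output for the access vectors and
# security classes, a base_per_userdomain_template macro that calls each base
# module's per-userdomain template when one is defined, and the output of
# $(SETBOOLS) when a $(BOOLEANS) file exists.
$(TMPDIR)/generated_definitions.conf: $(BASE_TE_FILES)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
# define all available object classes
	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates
	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
	$(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
			>> $@ ;\
	done
	$(verbose) echo "')" >> $@
# A missing $(BOOLEANS) file is still skipped silently, but a $(SETBOOLS)
# failure now stops the build.  The former "&& ... || true" form hid it and
# the policy was built without the configured boolean settings.
# NOTE(review): confirm $(SETBOOLS) exits 0 on success in this tree.
	$(verbose) if test -f $(BOOLEANS); then $(SETBOOLS) $(BOOLEANS) >> $@; fi
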
# Global booleans and tunables, expanded after the support macros and the
# generated definitions, with self_contained_policy defined for this target.
# NOTE(review): unlike the neighbouring rules this recipe does not create
# $(TMPDIR); it appears to rely on the generated_definitions.conf prerequisite
# having done so.
$(TMPDIR)/global_bools.conf: M4PARAM += -D self_contained_policy
$(TMPDIR)/global_bools.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(GLOBALBOOL) $(GLOBALTUN)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

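# Collect every interface file into one m4 input wrapped in divert(-1)/divert.
# iferror.m4 makes m4 exit with status 1 when __if_error has been defined while
# the interface files were read.  The "dollarsstar" placeholder is turned back
# into a literal $* by sed.
$(TMPDIR)/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(TMPDIR)/iferror.m4
	@echo "divert(-1)" > $@
# Truncate the intermediate file on every run.  Appending to it carried the
# previous build's interface text, including interfaces since removed from the
# sources, into each rebuilt all_interfaces.conf until the next "make clean".
	$(verbose) $(M4) $^ $(TMPDIR)/iferror.m4 > $(TMPDIR)/$(@F).tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(TMPDIR)/$(@F).tmp >> $@
	@echo "divert" >> $@
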
# Role map for the base module.  parse-rolemap is defined outside this file;
# it is called with the module name "base" and this target as output.
$(TMPDIR)/rolemap.conf: M4PARAM += -D self_contained_policy
$(TMPDIR)/rolemap.conf: $(ROLEMAP)
	$(call parse-rolemap,base,$@)

# Expand all base .te files (plus the role map) into a single file.  The ifeq
# is evaluated when the makefile is parsed: with no base modules enabled, the
# $(error) line becomes part of this recipe and aborts make once the recipe is
# expanded to build this target.
$(TMPDIR)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(TMPDIR)/all_te_files.conf: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(BASE_TE_FILES) $(TMPDIR)/rolemap.conf
ifeq "$(strip $(BASE_TE_FILES))" ""
	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

# Everything that follows the TE rules (user files and constraints), expanded
# with self_contained_policy defined for this target only.
$(TMPDIR)/post_te_files.conf: M4PARAM += -D self_contained_policy
$(TMPDIR)/post_te_files.conf: $(M4SUPPORT) $(BASE_POST_TE_FILES)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
#
# get_type_attr_decl and comment_move_decl are defined outside this file.
# grep exits 1 when nothing matches, which is why each grep is followed by
# "|| true"; the same suffix also hides a grep that failed to read its input.
#
# NOTE(review): listing three targets on one rule gives make three independent
# rules that share this recipe, and the recipe writes all three files by fixed
# name.  Under "make -j" it can run more than once at the same time and
# interleave the appends to all_post.conf.
$(TMPDIR)/all_attrs_types.conf $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf: $(TMPDIR)/all_te_files.conf $(TMPDIR)/post_te_files.conf
	$(verbose) $(get_type_attr_decl) $(TMPDIR)/all_te_files.conf | $(SORT) > $(TMPDIR)/all_attrs_types.conf
	$(verbose) cat $(TMPDIR)/post_te_files.conf > $(TMPDIR)/all_post.conf
# these have to run individually because order matters:
	$(verbose) $(GREP) '^sid ' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(GREP) ^genfscon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(GREP) ^portcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(GREP) ^netifcon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(GREP) ^nodecon $(TMPDIR)/all_te_files.conf >> $(TMPDIR)/all_post.conf || true
	$(verbose) $(comment_move_decl) $(TMPDIR)/all_te_files.conf > $(TMPDIR)/only_te_rules.conf

########################################
#
# Construct a base.fc
#
# $(FCSORT) is called with the unsorted file as its first argument and the
# target as its second.  FCSORT is also a prerequisite, so a rebuilt sorter
# triggers a re-sort.
#
$(BASE_FC): $(TMPDIR)/$(notdir $(BASE_FC)).tmp $(FCSORT)
	$(verbose) $(FCSORT) $< $@

# Expand the file-context sources of all base modules into one unsorted file.
# As with all_te_files.conf, the ifeq is evaluated at parse time and places an
# $(error) line in the recipe when BASE_FC_FILES is empty.
$(TMPDIR)/$(notdir $(BASE_FC)).tmp: $(M4SUPPORT) $(TMPDIR)/generated_definitions.conf $(BASE_FC_FILES)
ifeq ($(BASE_FC_FILES),)
	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) base module file contexts."
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

########################################
#
# Remove the dontaudit rules from the base.conf
#
# Rewrites base.conf in place: every line containing the string "dontaudit"
# is dropped, wherever in the line it occurs.  The edited file is newer than
# its inputs, so later builds of the base module use it until base.conf is
# regenerated (for example after "make clean").
#
enableaudit: $(BASE_CONF)
	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
	@echo "Removing dontaudit rules from $(^F)"
	$(verbose) $(GREP) -v dontaudit $< > $(TMPDIR)/base.audit
	$(verbose) mv $(TMPDIR)/base.audit $<

########################################
#
# Appconfig files
#
# Lists the name of every type whose declaration line in base.conf mentions
# "customizable": keep the text before the first ";" and the first ",", take
# the second space-separated field, then sort and de-duplicate.
# NOTE(review): the recipe does not create $(TMPDIR) itself and uses a fixed
# intermediate file name there.
#
$(APPDIR)/customizable_types: $(BASE_CONF)
	@mkdir -p $(APPDIR)
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< \
		| cut -d';' -f1 \
		| cut -d',' -f1 \
		| cut -d' ' -f2 \
		| $(SORT) -u > $(TMPDIR)/customizable_types
	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@

########################################
#
# Validate linking and expanding of modules
#
# Links the base package and all module packages with $(SEMOD_LNK), then
# expands the result with $(SEMOD_EXP).  Both outputs are scratch files under
# $(TMPDIR).  "Success." is printed only if both commands exit 0.
#
validate: $(BASE_PKG) $(MOD_PKGS)
	@echo "Validating policy linking."
	$(verbose) $(SEMOD_LNK) -o $(TMPDIR)/test.lnk $^
	$(verbose) $(SEMOD_EXP) $(TMPDIR)/test.lnk $(TMPDIR)/policy.bin
	@echo "Success."

########################################
#
# Clean the sources
#
# Removes base.conf, base.fc, every *.pp under the BUILDDIR prefix, the
# generated netfilter contexts file and the whole $(TMPDIR) tree.
# NOTE(review): TMPDIR is defined outside this file; the recursive delete is
# only safe if it names a build-private directory. Confirm it cannot be
# inherited from the environment.
#
clean:
	rm -f $(BASE_CONF)
	rm -f $(BASE_FC)
	rm -f $(BUILDDIR)*.pp
	rm -f $(net_contexts)
	rm -fR $(TMPDIR)

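# Command-style targets that never produce a file of their own name.
# enableaudit is listed too: it only rewrites base.conf, so a stray file named
# "enableaudit" in the build directory must not turn it into a no-op.
.PHONY: default all policy base modules install load clean validate enableaudit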