SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
# use our own genhomedircon to make sure we have a known usable one,
# so policycoreutils updates are not required (RHEL4)
genhomedircon := $(PYTHON) -E $(support)/genhomedircon
CHECKPOLICY += -c $(OUTPUT_POLICY)
endif
+ifneq "$(CUSTOM_BUILDOPT)" ""
+ M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
+endif
+
# if not set, use the type as the name.
NAME ?= $(TYPE)
M4PARAM += -D direct_sysadm_daemon
endif
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose = @
CTAGS ?= ctags
-m4support := $(wildcard $(poldir)/support/*.spt)
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
ifdef LOCAL_ROOT
m4support += $(wildcard $(local_poldir)/support/*.spt)
endif
+m4support += $(m4undivert)
appconf := config/appconfig-$(TYPE)
seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
# filesystems to be used in labeling targets
-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
########################################
#
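Review bot: The double quotes in `fs_names := "btrfs ext2 ext3 ext4 xfs jfs"` are part of the Make value, not shell quoting; `echo "...: $(fs_names)"` in the relabel targets only prints cleanly because the shell re-splits the embedded quotes, and any other use of the variable (a `test`, a loop, an `$(error)`) would carry the literal quote characters. The list is also maintained by hand next to the awk pattern `(ext[234]|btrfs| xfs| jfs)` in `filesystems`, so the message and the set of filesystems actually passed to setfiles can drift apart on the next edit. I would write `fs_names := btrfs ext2 ext3 ext4 xfs jfs` and add `# keep in sync with the awk pattern in $(filesystems) above` (or derive the pattern from the list) so the labeling targets report exactly what they touch.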
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
- | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
- $(verbose) $(INSTALL) -m 644 $< $@
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@
########################################
#
#
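Review bot: Replacing `$(INSTALL) -m 644 $< $@` with `$(M4) ... $< > $@` writes the generated context file directly into `$(appdir)` (which is `$(contextpath)`, i.e. the installed location) via a shell redirection, so the file mode now follows the caller's umask instead of an explicit 644, and if m4 fails the redirection has already truncated or partially written `$@`, which then looks newer than its source and is not rebuilt. Since these are the contexts files consulted at login, a truncated `default_contexts` or `failsafe_context` is a real failure mode. I would generate to a temp file and keep the explicit install step: `$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@.tmp && $(INSTALL) -m 644 $@.tmp $@ && $(RM) $@.tmp`; declaring `.DELETE_ON_ERROR:` at the top of the Makefile would cover the other redirect-built targets as well.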
install-headers: $(layerxml) $(tunxml) $(boolxml)
@mkdir -p $(headerdir)
- @echo "Installing $(TYPE) policy headers."
+ @echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
$(verbose) mkdir -p $(headerdir)/support
endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
# Filesystem labeling
#
checklabels:
- @echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
+ @echo "Checking labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
$(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
restorelabels:
- @echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
+ @echo "Restoring labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
$(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
relabel:
- @echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
+ @echo "Relabeling filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
$(verbose) $(SETFILES) $(fcpath) $(filesystems)
resetlabels:
- @echo "Resetting labels on filesystem types: ext2 ext3 xfs jfs"
+ @echo "Resetting labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\