From 458ab7d2bafae89cb4a8c3b3b5ef8b765484d9fc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 19 Oct 2011 10:59:16 -0400
Subject: [PATCH] Fix makefiles to install files with the correct DAC permissions if the umask is not 022. trac ticket #50
---
 Changelog | 2 ++
 Makefile | 30 ++++++++++++++++--------------
 Rules.modular | 8 ++++----
 Rules.monolithic | 19 ++++++++++---------
 4 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/Changelog b/Changelog
index 85a66a5c3..a6eb4c04e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Fix makefiles to install files with the correct DAC permissions if the
+ umask is not 022.
 - Remove deprecated support macros.
 - Remove rolemap and per-role template support.
 - Change corenetwork port declaration to apply the reserved port type
diff --git a/Makefile b/Makefile
index 6eff493fa..5a439192b 100644
--- a/Makefile
+++ b/Makefile
@@ -74,6 +74,7 @@ M4 ?= m4
 PYTHON ?= python
 SED ?= sed
 SORT ?= LC_ALL=C sort
+UMASK ?= umask
 CFLAGS += -Wall
@@ -448,7 +449,6 @@ html $(tmpdir)/html: $(polxml)
 #
 $(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
 @mkdir -p $(tmpdir)
- @mkdir -p $(userpath)
 @echo "Installing system.users"
 @echo "# " > $(tmpdir)/system.users
 @echo "# Do not edit this file. " >> $(tmpdir)/system.users
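Review bot: A variable named UMASK that is already set in the environment overrides `UMASK ?= umask` (Makefile hunk at line 74), because `?=` only assigns when the variable is undefined. If a build environment exports UMASK with a numeric value, the Rules.monolithic recipe that runs `$(UMASK) 022` would expand to something that is not a command, and the umask would not be set. Unlike M4 or SED, umask is a shell builtin with no alternative implementation to select. Writing `umask 022` literally in the recipe, or pinning the name with `UMASK := umask`, avoids the surprise.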
@@ -457,12 +457,13 @@ $(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(us
 @echo "#" >> $(tmpdir)/system.users
 $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
 -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/system.users $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
 $(userpath)/local.users: config/local.users
- @mkdir -p $(userpath)
 @echo "Installing local.users"
- $(verbose) $(INSTALL) -b -m 644 $< $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -b -m 0644 $< $@
 ########################################
 #
@@ -480,26 +481,27 @@ install-appconfig: $(appfiles)
 $(installdir)/booleans: $(booleans)
 @mkdir -p $(tmpdir)
- @mkdir -p $(installdir)
 $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
 -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/booleans $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
 $(contextpath)/files/media: $(appconf)/media
- @mkdir -p $(contextpath)/files/
- $(verbose) $(INSTALL) -m 644 $< $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
 $(fcsubspath): config/file_contexts.subs_dist
- @mkdir -p $(contextpath)/files/
- $(verbose) $(INSTALL) -m 644 $< $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $< $@
 $(contextpath)/users/%: $(appconf)/%_default_contexts
- @mkdir -p $(appdir)/users
- $(verbose) $(INSTALL) -m 644 $^ $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
 $(appdir)/%: $(appconf)/%
- @mkdir -p $(appdir)
- $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
 ########################################
 #
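Review bot: `@$(INSTALL) -d -m 0755 $(@D)` in the system.users and local.users rules (hunk at line 457) is not a drop-in replacement for the removed `mkdir -p`. GNU install applies the requested mode to the named directory even when it already exists (other implementations may differ), whereas `mkdir -p` leaves an existing directory untouched. A directory an administrator had deliberately tightened would therefore be reset to 0755 on each install; the same holds for every other rule in this patch that uses the line, including `load` in Rules.modular. If the reset is intended, record it with a comment such as `# resets $(@D) to 0755 even if it already exists`; otherwise guard it with `@test -d $(@D) || $(INSTALL) -d -m 0755 $(@D)`. The system.users recipe starts above this hunk.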
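Review bot: The rewritten `$(appdir)/%` rule (hunk at line 480) redirects the m4 output to `$(tmpdir)/$(@F)` but never creates `$(tmpdir)`, unlike `$(installdir)/booleans` in the same hunk, which runs `@mkdir -p $(tmpdir)` first. If this pattern rule runs before anything else has created the directory, the redirection may fail; adding `@mkdir -p $(tmpdir)` as the first recipe line removes that dependency on rule order. The staged name is derived from `$(@F)` alone, so it is also worth confirming that no appconfig file shares a basename with the other files staged in `$(tmpdir)` (booleans, seusers, customizable_types) when building with -j.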
diff --git a/Rules.modular b/Rules.modular
index 0e1f96025..313d8375b 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -53,8 +53,8 @@ install: $(instpkg) $(appfiles)
 load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
- @mkdir -p $(policypath) $(dir $(fcpath))
 @echo "Loading configured modules."
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
 $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 ########################################
@@ -62,8 +62,8 @@ load: $(instpkg) $(appfiles)
 # Install policy packages
 #
 $(modpkgdir)/%.pp: $(builddir)%.pp
- @mkdir -p $(modpkgdir)
 @echo "Installing $(NAME) $(@F) policy package."
+ @$(INSTALL) -d -m 0755 $(@D)
 $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
 ########################################
@@ -189,9 +189,9 @@ endif
 # Appconfig files
 #
 $(appdir)/customizable_types: $(base_conf)
- @mkdir -p $(appdir)
 $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
 ########################################
 #
diff --git a/Rules.monolithic b/Rules.monolithic
index 1185c8801..7c4d03555 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -83,13 +83,13 @@ ifneq "$(UNK_PERMS)" ""
 $(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
 endif
 $(loadpath): $(policy_conf)
- @mkdir -p $(policypath)
 @echo "Compiling and installing $(NAME) $(loadpath)"
 ifneq ($(pv),$(kv))
 @echo
 @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
 @echo
 endif
+ @$(INSTALL) -d -m 0755 $(@D)
 $(verbose) $(CHECKPOLICY) $^ -o $@
 ########################################
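Review bot: In the Rules.monolithic `$(loadpath)` rule (hunk at line 83) the policy file itself is still written directly by `$(CHECKPOLICY) $^ -o $@`, so its mode presumably still follows the caller's umask; only the directory mode is fixed by the new `install -d` line. With a restrictive umask such as 077 the binary policy would be created without group/other read permission, which is the situation this commit sets out to correct for the other installed files. If 0644 is the intended mode here as well, either compile to `$(tmpdir)` and install with `$(INSTALL) -m 0644` as the other rules do, or add `$(verbose) chmod 0644 $@` after the checkpolicy line.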
@@ -193,10 +193,10 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
 @echo "Validating $(NAME) file_contexts."
 $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
 @echo "Installing file_contexts."
- @mkdir -p $(contextpath)/files
- $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
- $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
- $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
+ $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
 ifeq "$(DISTRO)" "rhel4"
 # Setfiles in RHEL4 does not look at file_contexts.homedirs.
 $(verbose) cat $@.homedirs >> $@
@@ -211,6 +211,7 @@ endif
 #
 $(ncpath): $(net_contexts)
 @echo "Installing $(NAME) netfilter_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
 $(verbose) $(INSTALL) -m 0644 $^ $@
 ########################################
@@ -230,14 +231,14 @@ $(builddir)longcheck.res: $(policy_conf) $(fc)
 # Appconfig files
 #
 $(appdir)/customizable_types: $(policy_conf)
- @mkdir -p $(appdir)
 $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
 $(installdir)/seusers: $(seusers)
- @mkdir -p $(installdir)
 $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/seusers $@
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
 ########################################
 #
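Review bot: The `;` after `$(UMASK) 022` in the `$(fcpath)` recipe (hunk at line 193) lets genhomedircon run even when the umask command fails, so its output would be written under the caller's umask with no error reported. Chaining with `&&` makes that failure stop the recipe: `$(verbose) $(UMASK) 022 && $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)`. A short comment such as `# genhomedircon creates its output itself, so force the umask for this one command` would also explain why this is the only line that needs it. The recipe starts above this hunk and continues past it.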