bring over more targets from strict policy, and add more checking
parent
5496553038
commit
88d14a22b6
|
@ -1,3 +1,20 @@
|
||||||
|
#
|
||||||
|
# Makefile for the security policy.
|
||||||
|
#
|
||||||
|
# Targets:
|
||||||
|
#
|
||||||
|
# install - compile and install the policy configuration, and context files.
|
||||||
|
# load - compile, install, and load the policy configuration.
|
||||||
|
# reload - compile, install, and load/reload the policy configuration.
|
||||||
|
# relabel - relabel filesystems based on the file contexts configuration.
|
||||||
|
# checklabels - check filesystems against the file context configuration
|
||||||
|
# restorelabels - check filesystems against the file context configuration
|
||||||
|
# and restore the label of files with incorrect labels
|
||||||
|
# policy - compile the policy configuration locally for testing/development.
|
||||||
|
#
|
||||||
|
# The default target is 'policy'.
|
||||||
|
#
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Configurable portions of the Makefile
|
# Configurable portions of the Makefile
|
||||||
|
@ -102,6 +119,16 @@ ifneq ($(PV),$(KV))
|
||||||
endif
|
endif
|
||||||
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
|
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Load the binary policy
|
||||||
|
#
|
||||||
|
reload tmp/load: $(LOADPATH) $(FCPATH)
|
||||||
|
$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
|
||||||
|
@touch tmp/load
|
||||||
|
|
||||||
|
load: tmp/load
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Construct a monolithic policy.conf
|
# Construct a monolithic policy.conf
|
||||||
|
@ -161,19 +188,41 @@ $(FC): $(ALL_FC_FILES)
|
||||||
@test -d tmp || mkdir -p tmp
|
@test -d tmp || mkdir -p tmp
|
||||||
$(QUIET) m4 $(M4PARAM) $^ > $@
|
$(QUIET) m4 $(M4PARAM) $^ > $@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Remove the dontaudit rules from the policy.conf
|
||||||
|
#
|
||||||
|
enableaudit: policy.conf
|
||||||
|
@test -d tmp || mkdir -p tmp
|
||||||
|
@echo "Removing dontaudit rules from policy.conf"
|
||||||
|
$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
|
||||||
|
$(QUIET) mv tmp/policy.audit policy.conf
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Filesystem labeling
|
# Filesystem labeling
|
||||||
#
|
#
|
||||||
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
|
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
|
||||||
|
|
||||||
checklabels: $(SETFILES)
|
checklabels: $(FC) $(SETFILES)
|
||||||
|
@if test -z "$(FILESYSTEMS)"; then \
|
||||||
|
echo "No filesystems with extended attributes found!" ;\
|
||||||
|
false ;\
|
||||||
|
fi
|
||||||
$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
|
$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
|
||||||
|
|
||||||
restorelabels: $(SETFILES)
|
restorelabels: $(FC) $(SETFILES)
|
||||||
|
@if test -z "$(FILESYSTEMS)"; then \
|
||||||
|
echo "No filesystems with extended attributes found!" ;\
|
||||||
|
false ;\
|
||||||
|
fi
|
||||||
$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
|
$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
|
||||||
|
|
||||||
relabel: $(FC) $(SETFILES)
|
relabel: $(FC) $(SETFILES)
|
||||||
|
@if test -z "$(FILESYSTEMS)"; then \
|
||||||
|
echo "No filesystems with extended attributes found!" ;\
|
||||||
|
false ;\
|
||||||
|
fi
|
||||||
$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
|
$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
|
|
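Review bot: The new `reload tmp/load` recipe runs `$(LOADPOLICY) -q $(LOADPATH)` and only then `@touch tmp/load`, without the `@test -d tmp || mkdir -p tmp` guard that the `$(FC)` and `enableaudit` recipes on this page use. If `tmp` is absent at that point (whether the `$(LOADPATH)` prerequisites create it is not visible here), make reports a failure after the running policy has already been replaced, and no stamp is written. I would add `@test -d tmp || mkdir -p tmp` as the first recipe line of that rule. Separately, `enableaudit` overwrites `policy.conf` in place using a line-based `grep -v dontaudit`, so a later `load` or `install` picks up the stripped file with nothing marking it as a debugging build; a comment above the target such as `# NOTE: rewrites policy.conf in place; regenerate it before building a production policy` would make that explicit.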