bring over more targets from strict policy, and add more checking

Chris PeBenito 2005-04-19 13:53:51 +00:00
parent 5496553038
commit 88d14a22b6
1 changed files with 52 additions and 3 deletions


@ -1,3 +1,20 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# checklabels - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
# and restore the label of files with incorrect labels
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#
######################################## ########################################
# #
# Configurable portions of the Makefile # Configurable portions of the Makefile
@ -102,6 +119,16 @@ ifneq ($(PV),$(KV))
endif endif
$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH) $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
########################################
#
# Load the binary policy
#
reload tmp/load: $(LOADPATH) $(FCPATH)
$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
@touch tmp/load
load: tmp/load
######################################## ########################################
# #
# Construct a monolithic policy.conf # Construct a monolithic policy.conf
@ -161,19 +188,41 @@ $(FC): $(ALL_FC_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $^ > $@ $(QUIET) m4 $(M4PARAM) $^ > $@
########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
@test -d tmp || mkdir -p tmp
@echo "Removing dontaudit rules from policy.conf"
$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
$(QUIET) mv tmp/policy.audit policy.conf
######################################## ########################################
# #
# Filesystem labeling # Filesystem labeling
# #
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
checklabels: $(SETFILES) checklabels: $(FC) $(SETFILES)
@if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
restorelabels: $(SETFILES) restorelabels: $(FC) $(SETFILES)
@if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
relabel: $(FC) $(SETFILES) relabel: $(FC) $(SETFILES)
@if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
clean: clean:
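Review bot: The `enableaudit` recipe filters with `grep -v dontaudit`, which drops every line that merely contains that substring rather than only dontaudit rules. A comment or an unrelated statement that mentions the word is removed as well, and if a dontaudit rule in the m4 output spans several lines only its first line goes, leaving a fragment that checkpolicy would presumably reject. Anchoring the pattern to the statement start, e.g. `$(QUIET) grep -v '^[[:blank:]]*dontaudit[[:blank:]]' policy.conf > tmp/policy.audit`, narrows the match; multi-line rules would additionally need a range delete up to the closing `;`. The recipe also rewrites policy.conf in place, so the audit-enabled policy is what later `load` runs pick up until policy.conf is regenerated. `enableaudit` is missing from the target list in the new header comment, which is the natural place to state that.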