######################################## # # Rules and Targets for building monolithic policies # # determine the policy version and current kernel version if possible pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') kv := $(shell $(policyvers)) # dont print version warnings if we are unable to determine # the currently running kernel's policy version ifeq "$(kv)" "" kv := $(pv) endif # dont print version warnings if we specified a lower version than the kernel supports ifneq "$(OUTPUT_POLICY)" "" kv := $(shell if test $(kv) -gt $(pv); then echo $(pv); else echo $(kv); fi) endif # load_policy(8) loads policy from /etc/selinux//policy/policy.$(pv) # It does this by reading the /etc/selinux/config file SELINUXTYPE entry to # form the full path. $(polbinpath) will contain this evaluated path for use as # a validation check. polbinpath := $(shell $(binary_policy_path)) policy_conf = $(builddir)policy.conf policy_cil = $(builddir)policy.cil fc = $(builddir)file_contexts polver = $(builddir)policy.$(pv) homedir_template = $(builddir)homedir_template M4PARAM += -D self_contained_policy # install paths loadpath = $(policypath)/$(notdir $(polver)) appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users # for monolithic policy use all base and module to create policy all_modules := $(strip $(base_mods) $(mod_mods)) # off module interfaces included to make sure all interfaces are expanded. all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if) all_te_files := $(all_modules) all_fc_files := $(all_modules:.te=.fc) pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(ctx_defaults) $(poldir)/mls $(poldir)/mcs $(policycaps) post_te_files := $(user_files) $(poldir)/constraints policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf # search layer dirs for source files vpath %.te $(all_layers) vpath %.if $(all_layers) vpath %.fc $(all_layers) ######################################## # # default action: build policy locally # default: all all: policy $(builtappfiles) policy: $(polver) install: $(loadpath) $(fcpath) $(appfiles) load: $(tmpdir)/load checklabels: $(fcpath) restorelabels: $(fcpath) relabel: $(fcpath) resetlabels: $(fcpath) ######################################## # # Build a binary policy locally # $(polver): $(policy_conf) @echo "Compiling $(NAME) $(polver)" ifneq ($(pv),$(kv)) @echo @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?" @echo endif $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@ ######################################## # # Build a CIL policy locally # $(policy_cil): $(policy_conf) @echo "Compiling $(NAME) $(policy_cil)" ifneq ($(pv),$(kv)) @echo @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?" @echo endif $(verbose) $(CHECKPOLICY) -C -U $(UNK_PERMS) -S -O -E $^ -o $@ ######################################## # # Install a binary policy # $(loadpath): $(policy_conf) @echo "Compiling and installing $(NAME) $(loadpath)" ifneq ($(pv),$(kv)) @echo @echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?" @echo endif @$(INSTALL) -d -m 0755 $(@D) $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@ ######################################## # # Load the binary policy # reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) ifneq ($(DESTDIR),) $(error Cannot load policy as '$$DESTDIR' is set to $(DESTDIR), \ creating an invalid policy load path) endif ifneq ($(polbinpath).$(pv),$(loadpath)) $(error Cannot load policy as invalid policy path: $(polbinpath).$(pv) - \ Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)") endif @echo "Loading $(NAME) $(loadpath)" $(verbose) $(LOADPOLICY) ######################################## # # Construct a monolithic policy.conf # $(policy_conf): $(policy_sections) @echo "Creating $(NAME) $(@F)" @test -d $(@D) || mkdir -p $(@D) $(verbose) cat $^ > $@ $(tmpdir)/pre_te_files.conf: $(pre_te_files) @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) $^ > $@ $(tmpdir)/generated_definitions.conf: $(all_te_files) @test -d $(tmpdir) || mkdir -p $(tmpdir) # define all available object classes @cat $(m4divert) > $@ $(verbose) $(genperm) $(avs) $(secclass) >> $@ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@) $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true @cat $(m4undivert) >> $@ $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun) $(verbose) $(M4) $(M4PARAM) $^ > $@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) @test -d $(tmpdir) || mkdir -p $(tmpdir) @cat $(m4divert) > $@ $(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ @cat $(m4undivert) >> $@ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(m4terminate) ifeq "$(strip $(all_te_files))" "" $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") endif @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) -s $^ > $@ $(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) $(tmpdir)/all_te_files.conf @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(GREP) '^[[:blank:]]*user ' $(tmpdir)/all_te_files.conf > $@ || true $(verbose) $(M4) $(M4PARAM) $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) >> $@ # extract attributes and put them first. extract post te stuff # like genfscon and put last. $(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf $(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf $(verbose) cat $(tmpdir)/post_te_files.conf > $@ # these have to run individually because order matters: $(verbose) $(GREP) '^[[:blank:]]*sid ' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*genfscon' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*portcon' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*netifcon' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*nodecon' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*ibpkeycon' $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) '^[[:blank:]]*ibendportcon' $(tmpdir)/all_te_files.conf >> $@ || true $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf $(verbose) $(comment_move_decl) $^ > $@ ######################################## # # Remove the dontaudit rules from the policy.conf # enableaudit: $(policy_conf) @test -d $(tmpdir) || mkdir -p $(tmpdir) @echo "Removing dontaudit rules from $(notdir $(policy_conf))" $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit $(verbose) mv $(tmpdir)/policy.audit $(policy_conf) ######################################## # # Construct file_contexts # $(fc): $(tmpdir)/$(notdir $(fc)).tmp $(verbose) $(fcsort) $< $@ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template) $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@ $(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files) ifeq ($(all_fc_files),) $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") endif @echo "Creating $(NAME) file_contexts." @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) $^ > $@ $(homedir_template): $(fc) ######################################## # # Install file_contexts # $(fcpath): $(fc) $(loadpath) $(userpath)/system.users @echo "Validating $(NAME) file_contexts." $(verbose) $(SETFILES) -q -c $(loadpath) $(fc) @echo "Installing file_contexts." @$(INSTALL) -d -m 0755 $(@D) $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath) $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath) $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(verbose) if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1 ; then \ $(SEFCONTEXT_COMPILE) $(fcpath) ;\ $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\ else \ echo "$@ Pre-compiled file context not generated! Please install the sefcontext_compile tool (commonly part of libselinux-utils)." ;\ fi ######################################## # # Validate file contexts and appconfig # validate: $(fc) $(polver) $(builtappfiles) @echo "Validating $(NAME) file_contexts." $(verbose) $(SETFILES) -q -c $(polver) $(fc) @echo "Validating $(NAME) appconfig." $(verbose) $(validateappconfig) $(builtappconf) $(polver) @echo "Success." ######################################## # # Run policy source checks # check: $(builddir)check.res $(builddir)check.res: $(policy_conf) $(fc) $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@ longcheck: $(builddir)longcheck.res $(builddir)longcheck.res: $(policy_conf) $(fc) $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@ ######################################## # # Appconfig files # $(builtappconf)/customizable_types: $(policy_conf) @mkdir -p $(@D) $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $@ $(installdir)/seusers: $(seusers) $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers @$(INSTALL) -d -m 0755 $(@D) $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@ ######################################## # # Clean the sources # clean: $(verbose) rm -f $(policy_conf) $(verbose) rm -f $(polver) $(verbose) rm -f $(policy_cil) $(verbose) rm -f $(fc) $(verbose) rm -f $(homedir_template) $(verbose) rm -f $(net_contexts) $(net_contexts_nft) $(verbose) rm -f *.res $(verbose) rm -fR $(tmpdir) .PHONY: default policy install load reload enableaudit checklabels restorelabels relabel resetlabels validate check longcheck clean