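########################################
#
# Rules and Targets for building monolithic policies
#

# Policy version emitted by the installed checkpolicy (first space-separated
# word of `checkpolicy -V`) and, when it can be read, the policy version of the
# running kernel ($(policyvers) is defined outside this file).
pv := $(shell $(CHECKPOLICY) -V | cut -d ' ' -f 1)
kv := $(shell $(policyvers))

# An empty pv means checkpolicy could not be run at parse time.  Left alone it
# would silently produce a target called "policy." and a shell error in the
# OUTPUT_POLICY clamp below, so say so up front.  This is a warning rather than
# an error so that targets which do not need the compiler (e.g. clean) still work.
ifeq ($(pv),)
$(warning Unable to determine the policy version from '$(CHECKPOLICY) -V'; is checkpolicy installed and executable?)
endif

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq ($(kv),)
kv := $(pv)
endif

# dont print version warnings if we specified a lower version than the kernel
# supports: clamp kv down to pv so the mismatch warning in the build rules stays quiet
ifneq ($(OUTPUT_POLICY),)
kv := $(shell if test $(kv) -gt $(pv); then echo $(pv); else echo $(kv); fi)
endif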
# load_policy(8) loads policy from /etc/selinux/<SELINUXTYPE>/policy/policy.$(pv),
# taking SELINUXTYPE from /etc/selinux/config.  $(polbinpath) is that path as
# evaluated on this system; the load rule compares it with $(loadpath) so we
# never load a policy into the kernel from a location the system would not read.
polbinpath := $(shell $(binary_policy_path))

# build outputs, all kept under $(builddir)
policy_conf = $(builddir)policy.conf
polver = $(builddir)policy.$(pv)
fc = $(builddir)file_contexts
homedir_template = $(builddir)homedir_template

# install location of the binary policy
loadpath = $(policypath)/$(notdir $(polver))

# additional files an install must provide
appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users

# a monolithic policy is built as one self-contained unit
M4PARAM += -D self_contained_policy

# for monolithic policy use all base and module to create policy
all_modules := $(strip $(base_mods) $(mod_mods))
all_te_files := $(all_modules)
all_fc_files := $(patsubst %.te,%.fc,$(all_modules))
# the interfaces of disabled (off) modules are fed to m4 as well, so that
# every interface an enabled module calls can still be expanded
all_interfaces := $(patsubst %.te,%.if,$(all_modules) $(off_mods))

# sources expanded before and after the type enforcement rules; the order of
# each list is preserved when it is passed to m4
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(ctx_defaults) $(poldir)/mls $(poldir)/mcs $(policycaps)
post_te_files := $(user_files) $(poldir)/constraints

# the sections that are concatenated, in this order, into policy.conf
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
########################################
#
# default action: build policy locally
#
default: policy

# compile the binary policy into $(builddir) without installing it
policy: $(polver)

# install the binary policy, file_contexts and the appconfig files
install: $(loadpath) $(fcpath) $(appfiles)

# install and then load the policy into the running kernel
# ($(tmpdir)/load is the target whose recipe runs load_policy)
load: $(tmpdir)/load

# the labelling targets (their recipes live outside this file) all require
# an installed file_contexts
checklabels restorelabels relabel resetlabels: $(fcpath)
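########################################
#
# Build a binary policy locally
#
# Compile policy.conf into the kernel binary format.
#   -U $(UNK_PERMS)  how the kernel is to handle classes/permissions unknown to
#                    this policy (UNK_PERMS is set outside this file)
#   -S               sort ocontexts
#   -O               enable optimizations
#   -E               fail on warnings
# The version mismatch message is only a warning; the build continues.
# checkpolicy writes to a temporary name which is renamed into place only after
# it succeeds, so an interrupted or failed compile cannot leave a truncated
# policy.$(pv) behind that the next make would consider up to date.
$(polver): $(policy_conf)
	@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@.tmp
	$(verbose) mv -f $@.tmp $@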
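########################################
#
# Install a binary policy
#
# Compile policy.conf straight into the install location (same checkpolicy
# flags as the local build: -U unknown-permission handling, -S sort ocontexts,
# -O optimizations, -E fail on warnings).  Because $(loadpath) is the file
# load_policy(8) and setfiles read, the output goes to a temporary name in the
# same directory and is renamed into place atomically after checkpolicy
# succeeds; a failed or interrupted compile never leaves a partial policy at
# the live path.
$(loadpath): $(policy_conf)
	@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch (policy:$(pv) kernel:$(kv))! Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	@$(INSTALL) -d -m 0755 $(@D)
	$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) -S -O -E $^ -o $@.tmp
	$(verbose) mv -f $@.tmp $@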
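########################################
#
# Load the binary policy
#
# Only the policy the running system will actually read may be loaded, so the
# recipe refuses when DESTDIR is set (a staged install) or when the path
# load_policy(8) derives from /etc/selinux/config does not match $(loadpath).
# Note the ifneq directives are decided at parse time, but the $(error) calls
# are expanded only when this recipe runs, i.e. after the prerequisites have
# already been installed.
# $(tmpdir)/load is a stamp file: it is touched after a successful load so that
# "make load" is a no-op until the policy or its files change again (the old
# recipe never created it, so every "make load" reloaded unconditionally).
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
ifneq ($(DESTDIR),)
	$(error Cannot load policy as '$$DESTDIR' is set to $(DESTDIR), \
creating an invalid policy load path)
endif
ifneq ($(polbinpath).$(pv),$(loadpath))
	$(error Cannot load policy as invalid policy path: $(polbinpath).$(pv) - \
Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)")
endif
	@echo "Loading $(NAME) $(loadpath)"
	$(verbose) $(LOADPOLICY)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@touch $(tmpdir)/load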
########################################
#
# Construct a monolithic policy.conf
#
# policy.conf is simply the section files concatenated in the order given by
# $(policy_sections); that order is significant (declarations first, post-te
# statements last).
$(policy_conf): $(policy_sections)
	@echo "Creating $(NAME) $(@F)"
	@mkdir -p $(@D)
	$(verbose) cat $^ > $@
# the declarations that have to precede any type enforcement statement
# (classes, initial sids, access vectors, MLS/MCS, policy capabilities, ...)
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
	@mkdir -p $(@D)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
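# m4 definitions derived from the policy sources: the permission/class macros
# produced by $(genperm), a per-role template for every module, and the
# boolean defaults from $(booleans).  The content is bracketed by
# $(m4divert)/$(m4undivert) (presumably to keep the definitions from producing
# output where this file is included - confirm in the support files).
$(tmpdir)/generated_definitions.conf: $(all_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
	@cat $(m4divert) > $@
	$(verbose) $(genperm) $(avs) $(secclass) >> $@
	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
# A missing booleans file is acceptable, but a failure while processing an
# existing one must abort the build: the previous 'test -f ... && ... || true'
# swallowed both cases and would silently build a policy with the wrong
# boolean defaults.
	$(verbose) if test -f $(booleans); then $(setbools) $(booleans) >> $@; fi
	@cat $(m4undivert) >> $@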
# global booleans and tunables, expanded with the generated definitions in scope
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
# Expand every interface file (enabled and off modules) into one m4 include.
# Unlike the other sections, M4PARAM is not passed on this m4 invocation.
# The literal token 'dollarsstar' is rewritten to '$*' afterwards - make turns
# '$$' into '$' and the shell sees 's/dollarsstar/\$\*/g' - presumably so the
# interface sources can carry a '$*' that the m4 pass leaves untouched.
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
	@mkdir -p $(@D)
	@cat $(m4divert) > $@
	$(verbose) $(M4) $^ > $@.tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $@.tmp >> $@
	@cat $(m4undivert) >> $@
# Every enabled .te file, run through m4 with the generated definitions and
# all interfaces in scope.  'm4 -s' emits synclines so errors can be traced
# back to the source file.  With no enabled modules there is nothing to build,
# which almost always means modules.conf has not been generated yet.
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(m4terminate)
ifeq ($(strip $(all_te_files)),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@mkdir -p $(@D)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
# Statements that must follow the type enforcement rules: the 'user'
# statements are first pulled out of the expanded .te files, then the user
# files and the constraints are expanded behind them.
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) $(tmpdir)/all_te_files.conf
	@mkdir -p $(@D)
# grep exits 1 when no module declares a user; that is not an error here
	$(verbose) $(GREP) '^[[:blank:]]*user ' $(tmpdir)/all_te_files.conf > $@ || true
	$(verbose) $(M4) $(M4PARAM) $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) >> $@
# Attribute and type declarations are extracted from the expanded .te files
# and sorted, so that in policy.conf they come before every rule that refers
# to them.  (The post-te statements such as genfscon are likewise pulled out
# and placed last, see all_post.conf.)
$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
	$(verbose) $(get_type_attr_decl) $< | $(SORT) > $@
# Everything that has to come after the rules: the post-te files, then the
# initial sids and the object contexts (fs_use, genfscon, portcon, netifcon,
# nodecon and the infiniband contexts) extracted from the expanded .te files.
# The fs_use pattern uses alternation, so $(GREP) is expected to be an
# ERE-capable grep (it is set outside this file).
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
	$(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters; a statement kind may
# be absent altogether, in which case grep exits 1, hence the '|| true'
	$(verbose) $(GREP) '^sid ' $< >> $@ || true
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $< >> $@ || true
	$(verbose) $(GREP) '^genfscon' $< >> $@ || true
	$(verbose) $(GREP) '^portcon' $< >> $@ || true
	$(verbose) $(GREP) '^netifcon' $< >> $@ || true
	$(verbose) $(GREP) '^nodecon' $< >> $@ || true
	$(verbose) $(GREP) '^ibpkeycon' $< >> $@ || true
	$(verbose) $(GREP) '^ibendportcon' $< >> $@ || true
# the expanded .te files with the declarations that were moved into
# all_attrs_types.conf commented out, leaving just the rules
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
	$(verbose) $(comment_move_decl) $< > $@
########################################
#
# Remove the dontaudit rules from the policy.conf
#
# Rewrites policy.conf in place (through a temporary file in $(tmpdir)) with
# every line that contains 'dontaudit' dropped.  This is a plain textual
# filter on whole lines.  policy.conf becomes newer than the binary policy, so
# the next build of $(polver)/$(loadpath) picks up the change.
enableaudit: $(policy_conf)
	@mkdir -p $(tmpdir)
	@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
	$(verbose) $(GREP) -v dontaudit $< > $(tmpdir)/policy.audit
	$(verbose) mv $(tmpdir)/policy.audit $<
########################################
#
# Construct file_contexts
#
# Sort the expanded contexts into $(fc), then split the entries that use the
# HOME/ROLE/USER placeholders out into $(homedir_template) and delete them from
# file_contexts (the template is installed to $(homedirpath) and genhomedircon
# is run by the $(fcpath) rule).  This recipe thus produces two files; the
# empty rule below ties $(homedir_template) to $(fc).  The grep has no
# '|| true': a file_contexts with no home directory entries fails the build.
$(fc): $(tmpdir)/$(notdir $(fc)).tmp
	$(verbose) $(fcsort) $< $@
	$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
# expand every enabled module's .fc file with m4, generated definitions in scope
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
ifeq ($(all_fc_files),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) file_contexts."
	@mkdir -p $(@D)
	$(verbose) $(M4) $(M4PARAM) $^ > $@
# $(homedir_template) is written by the $(fc) recipe; this empty rule only
# records that dependency so that requesting it builds file_contexts
$(homedir_template): $(fc)
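########################################
#
# Install file_contexts
#
# file_contexts is checked with 'setfiles -c' against the *installed* binary
# policy before anything is copied, so a file_contexts whose contexts the
# policy cannot validate is never installed.  The home directory template is
# installed beside it and genhomedircon then generates the per-user contexts;
# the umask is tightened first so the files it creates are not group/world
# writable.  ($(userpath)/system.users is a prerequisite, presumably because
# genhomedircon reads it - confirm.)
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
	@echo "Validating $(NAME) file_contexts."
	$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
	@echo "Installing file_contexts."
	@$(INSTALL) -d -m 0755 $(@D)
	$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
	$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
# '&&' instead of ';': should setting the umask fail (e.g. UMASK unset),
# genhomedircon must not run with whatever permissive umask the caller had
	$(verbose) $(UMASK) 022 && $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)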
########################################
#
# Validate file contexts
#
# Check the locally built file_contexts against the locally built binary
# policy with 'setfiles -c', without installing either.
validate: $(fc) $(polver)
	@echo "Validating $(NAME) file_contexts."
	$(verbose) $(SETFILES) -q -c $(word 2,$^) $<
	@echo "Success."
########################################
#
# Run policy source checks
#
# sechecks with the 'development' profile over policy.conf and file_contexts;
# the report lands in $(builddir)check.res
check: $(builddir)check.res

$(builddir)check.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=development --policy=$< --fcfile=$(word 2,$^) > $@
# same as check, but with every sechecks profile; report in $(builddir)longcheck.res
longcheck: $(builddir)longcheck.res

$(builddir)longcheck.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=all --policy=$< --fcfile=$(word 2,$^) > $@
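########################################
#
# Appconfig files
#
# customizable_types: the names of all types declared with the 'customizable'
# attribute in policy.conf, one per line, sorted and de-duplicated.  The
# intermediate is written to $(tmpdir); the directory is created here as well,
# matching the other rules, so this does not depend on some earlier rule
# having created it (policy.conf may exist while $(tmpdir) does not).
$(appdir)/customizable_types: $(policy_conf)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
	@$(INSTALL) -d -m 0755 $(@D)
	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@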
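# seusers: the Linux login -> SELinux user mapping.  The source is run through
# m4 so it can use the policy macros; only lines starting with a lowercase
# letter or underscore are kept.  Because there is no '|| true', an seusers
# with no surviving entries fails the build instead of being installed (an m4
# failure that still leaves matching lines would, however, be masked by the
# pipeline).  $(tmpdir) is created here because under 'make -j' this rule can
# run before any of the policy.conf rules that would otherwise have created it,
# and the redirect below would then fail.
$(installdir)/seusers: $(seusers)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
	@$(INSTALL) -d -m 0755 $(@D)
	$(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@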
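########################################
#
# Clean the sources
#
# Remove the build outputs this file's rules produce under $(builddir) and
# $(tmpdir), plus the net_contexts files (defined outside this file).
# Nothing under the install paths is touched.
clean:
	$(verbose) rm -f $(policy_conf)
	$(verbose) rm -f $(polver)
	$(verbose) rm -f $(fc)
	$(verbose) rm -f $(homedir_template)
	$(verbose) rm -f $(net_contexts) $(net_contexts_nft)
# the check targets write $(builddir)check.res and $(builddir)longcheck.res;
# '*.res' alone only covers the current directory and misses them whenever
# builddir points somewhere else
	$(verbose) rm -f *.res $(builddir)check.res $(builddir)longcheck.res
	$(verbose) rm -fR $(tmpdir)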
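# Every command-style target must be phony: otherwise a stray file of the same
# name in the working tree turns e.g. 'make validate' into a silent no-op and
# the setfiles check is skipped.  'validate' and 'resetlabels' are defined in
# this file but were missing from the list.
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel resetlabels validate check longcheck clean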