From a3811f4eb436b82d8b63c4e741f7b01e8ef8bfa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 28 May 2020 14:27:55 +0200
Subject: [PATCH 1/3] Makefile: add target build-interface-db
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference-style policy generation by
'audit2allow --reference'.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 Makefile | 13 ++++++++++++-
 README   |  5 +++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2d2dcd0af..58a9896eb 100644
--- a/Makefile
+++ b/Makefile
@@ -62,6 +62,7 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
@@ -228,6 +229,8 @@ MCS_CATS ?= 1024
 
 ifeq ($(QUIET),y)
 	verbose = @
+else
+	VERBOSE_FLAG = --verbose
 endif
 
 M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
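Review bot: `VERBOSE_FLAG` is assigned only in the new `else` branch, so with `QUIET=y` it stays undefined and silently expands to nothing in the recipe that uses it; that works, but it leaves the knob implicit and trips `--warn-undefined-variables`. Initialising it in the other branch, `VERBOSE_FLAG =` next to `verbose = @`, keeps it defined in both configurations. A short comment such as `# passed to sepolgen-ifgen; empty when QUIET=y` would also tell the reader why this flag lives in the same conditional as `verbose`.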
@@ -554,6 +557,14 @@ endif
 	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
 
+########################################
+#
+# Build policy interface database
+#
+build-interface-db: install-headers
+	@mkdir -p $(DESTDIR)/var/lib/sepolgen $(tmpdir)
+	$(verbose) $(SEPOLGEN_IFGEN) $(VERBOSE_FLAG) --interfaces $(headerdir) --output $(DESTDIR)/var/lib/sepolgen/interface_info
+
 ########################################
 #
 # Install policy documentation
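Review bot: The `sepolgen-ifgen` call in `build-interface-db` passes no `--policy` argument, so, if I read the sepolgen-ifgen source correctly, the type-attribute information folded into `interface_info` comes from whatever policy happens to be installed on the build host, and the target fails on a host with no installed policy at all; please confirm. Because the database is meant to describe the policy being built, pointing it at this tree's compiled policy via `--policy` (with `--no_attrs` as an explicit, documented fallback when none is available) would make the result independent of the host and reproducible under `DESTDIR` staging. The destination `$(DESTDIR)/var/lib/sepolgen` is spelled out in both recipe lines; a knob such as `SEPOLGEN_DB_DIR ?= $(DESTDIR)/var/lib/sepolgen` declared next to `SEPOLGEN_IFGEN` would match how the other install locations in this Makefile are configured. `$(tmpdir)` in the `mkdir -p` line does not appear to be used by this recipe; if sepolgen-ifgen does not write there it can be dropped.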
@@ -657,4 +668,4 @@ ifneq ($(generated_fc),)
 endif
 endif
 
-.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.PHONY: install-src install-appconfig install-headers build-interface-db generate xml conf html bare tags
diff --git a/README b/README
index 7ac92f25d..1fdc4e5be 100644
--- a/README
+++ b/README
@@ -60,6 +60,11 @@ install-headers		Install the policy headers into /usr/share/selinux/NAME.
 			for this policy configuration should be set before
 			using this target.
 
+build-interface-db	Build the policy interface database with
+			'sepolgen-ifgen'.  This database is required for
+			reference style policy generation by
+			'audit2allow --reference'.
+
 Make targets specific to monolithic policies:
 
 policy			Compile a policy locally for development and testing.

From dcb01ec4ccfff5075e012026e7b056608a79116a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 28 May 2020 14:27:59 +0200
Subject: [PATCH 2/3] devices/storage: quote arguments to tunable_policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Match the overall style and please sepolgen-ifgen

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policy/modules/kernel/devices.if | 6 +++---
 policy/modules/kernel/storage.if | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index cfc9d4f7d..9f6c79293 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2802,7 +2802,7 @@ interface(`dev_read_raw_memory_cond',`
 	')
 
 	typeattribute $1 memory_raw_read;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		read_chr_files_pattern($1, device_t, memory_device_t)
 		allow $1 self:capability sys_rawio;
 	')
@@ -2880,7 +2880,7 @@ interface(`dev_write_raw_memory_cond',`
 	')
 
 	typeattribute $1 memory_raw_write;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		write_chr_files_pattern($1, device_t, memory_device_t)
 		allow $1 self:capability sys_rawio;
 	')
@@ -2956,7 +2956,7 @@ interface(`dev_wx_raw_memory_cond',`
 
 	typeattribute $1 memory_raw_write;
 	dev_write_raw_memory_cond($1, $2)
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		allow $1 memory_device_t:chr_file { map execute };
 	')
 ')
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 3739a111a..6dec6b757 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -130,7 +130,7 @@ interface(`storage_raw_read_fixed_disk_cond',`
 	')
 
 	typeattribute $1 fixed_disk_raw_read;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		dev_list_all_dev_nodes($1)
 		allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
 		allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;

From b4180614b6a9a35cda80408ba7330260f147def1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 28 May 2020 14:28:04 +0200
Subject: [PATCH 3/3] apache: quote gen_tunable name argument
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Match the style of tunable_policy and gen_tunable statements in userdomain

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policy/modules/services/apache.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 1d39b01ab..75bdbb2c8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -32,7 +32,7 @@ template(`apache_content_template',`
 	##	be labeled public_content_rw_t.
 	##	</p>
 	## </desc>
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
+	gen_tunable(`allow_httpd_$1_script_anon_write', false)
 
 	type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 	files_type(httpd_$1_content_t)