Commit Graph

36 Commits

Author SHA1 Message Date
Christian Göttsche 448be4bd31 Rules.modular: add pure-load target
Add a target for modular polices to load all built modules while
simultaneously removing all non Reference Policy ones.  This will remove
dropped Reference Policy modules and user installed ones.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:08:18 +01:00
Chris PeBenito df99dfe8ea Rules.modular/Rules.monolithic: Fix intdented labeling statement moves.
The secure_mode_policyload Boolean labeling statement was lost moving the
statement to the proper place in the policy.conf/base.conf.

Fix this for all other labeling statements too.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:22:46 -04:00
Chris PeBenito d41607c714 Move user definitions to the right place during compilation.
This will allow user definitions in modules to work for monolithic policies
and base module.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-16 10:52:39 -04:00
Christian Göttsche 13337ba8df Override old all_interfaces.conf.tmp file
Do not keep interfaces from previous builds.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-04-29 17:34:45 +02:00
Topi Miettinen 79731d6fd2
Build and install Netfilter rules
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-24 16:36:56 +03:00
Daniel Burgener 54912480ee Add divert to generated_definitions creation, and fix all_interfaces.conf divert creation.
During normal m4 parsing, m4 outputs a blank line for each define() call.  This results in the first roughly 500 lines of the .tmp files for each module being largely blank lines.  Adding divert() calls to the m4 generation for generated_definitions redirects this output, so the beginning of the actual policy appears near the top of the .tmp files.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-17 15:56:24 -04:00
Christian Göttsche 0ee922264a Rules: allow the usage of class sets in context_defaults
Allow class sets , e.g. defined in policy/support/obj_perm_sets.spt, to
be used in default_* statements in the file policy/context_defaults

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-23 17:17:15 +01:00
Christian Göttsche 16af31d5a1 re-implement fc_sort in python
fc_sort is the only/last build tool that requires a C compiler

Re-implement it in python, so that gcc dependencies can be dropped

The output of the C and the python version differ slightly in the order of equally specific file contexts

old:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /opt/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
    /usr/.*		system_u:object_r:usr_t
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /run/.*		<<none>>
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t

new:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t
    /opt/.*		system_u:object_r:usr_t
    /run/.*		<<none>>
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /usr/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
2019-10-06 00:11:30 +02:00
Chris PeBenito 2b74c54f62 Rules.modular: Fix file context verification.
Disabled modules were included in the file contexts, resulting in false
verification errors.
2017-08-06 16:54:40 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Nicolas Iooss 4bd455bf90
Make "validate" target verify file contexts
When I synchronized my personal policy with the git master branch, "git
rebase" merged the file contexts I have defined for some systemd
components with the ones which have recently been merged. This resulted
in duplicated file contexts in systemd.fc, which made the policy unable
to be loaded.

This issue has not been detected by "make validate" because this command
only verifies policy linking, not the correctness of the file contexts.
Moreover this behavior of "make validate" only happens when building a
modular policy. Indeed Rules.monolithic calls setfiles in order to
validate the file contexts:

    validate: $(fc) $(polver)
        @echo "Validating $(NAME) file_contexts."
        $(verbose) $(SETFILES) -q -c $(polver) $(fc)
        @echo "Success."

Invoke setfiles in Rules.modular too in order to catch issues in file
contexts with "make validate". With the issue I experienced, I would
have got the following message:

    Validating policy file contexts.
    /sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
    tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?.
    tmp/all_mods.fc: Invalid argument
    make: *** [Rules.modular:210: validate] Error 1

While at it, simplify .SECONDARY definition with a newly-introduced
$(all_mod_fc) variable.
2017-02-27 22:02:52 +01:00
Chris PeBenito dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
Guido Trentalancia 1e0561caed Remove deprecated semodule options from Makefile
Avoid using deprecated semodule options (-b or --base) during "make
load".

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-02 18:50:55 -04:00
Nicolas Iooss 4e8768d8a0 Fix typo in module compilation message 2016-04-27 08:31:49 -04:00
Chris PeBenito cce73689ea Always use the unknown permissions handling build option.
This compile-time feature is in the minimum-required checkpolicy/checkmodule
for building the policy, so it should always be used.
2014-06-19 10:52:14 -04:00
Chris PeBenito 0dc377caa4 Add file for placing default_* statements. 2014-04-28 10:00:36 -04:00
Nicolas Iooss c1c11fa2f8 Fix parallel build of the policy
Before this commit, "make -j2" would execute twice at the same time the rules
written to build tmp/all_post.conf because these rules were applied every time
tmp/all_post.conf, tmp/all_attrs_types.conf and tmp/only_te_rules.conf needed
to be built. However, executing twice in parallel such line is buggy:

    $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> \
        tmpdir)/all_post.conf

This is why "make" reports following error for parallel builds:

    Compiling refpolicy-patched base module
    /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
    /usr/bin/checkmodule:  loading policy configuration from base.conf
    policy/modules/kernel/ubac.te":710:ERROR 'syntax error' at token
    'fs_use_trans' on line 26520:
    fs_use_trans devtmpfs system_u:object_r:device_t:s0;

    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [tmp/base.mod] Error 1

This commit fixes this bug by splitting the rules in 3 different targets, in
both monolithic and modular builds.
2014-03-14 08:46:46 -04:00
Chris PeBenito f27f36ff15 Make the QUIET build option apply to clean and bare targets. 2014-01-16 11:25:42 -05:00
Chris PeBenito 458ab7d2ba Fix makefiles to install files with the correct DAC permissions if the umask is not 022.
trac ticket #50
2011-10-19 10:59:16 -04:00
Chris PeBenito d1af485661 Remove rolemap and per-role template support.
This support was deprecated and unused in Reference Policy November 5 2008.
2011-10-14 08:52:21 -04:00
Chris PeBenito 296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito b19f862271 trunk: Remove enableaudit target from modular build as semodule -DB supplants it. 2008-10-15 14:30:14 +00:00
Chris PeBenito 9968e25bf5 trunk: remove unneeded dependency on generated_definitions.conf. 2008-05-26 14:53:22 +00:00
Chris PeBenito c07f9ccd18 trunk: Add file for enabling policy capabilities. 2008-04-18 14:21:01 +00:00
Chris PeBenito e276d50e21 trunk: Add iferror.m4 rather generate it out of the Makefiles. 2008-03-06 20:17:46 +00:00
Chris PeBenito 1a61ce02e3 trunk: fix .SECONDARY in modular makefile to work around a bug in make 3.81. 2007-12-17 20:17:34 +00:00
Chris PeBenito 8acfcbcc2a trunk: Add support for setting the unknown permissions handling. 2007-09-27 13:41:09 +00:00
Chris PeBenito 96fc0a45be trunk: Fix XML building for external reference builds and headers builds. 2007-09-21 15:06:58 +00:00
Chris PeBenito d17bab02cc stop adding netfilter contexts, as decided at the developers summit 2007-03-21 19:40:55 +00:00
Chris PeBenito 212832373e mkdir policy and file contexts dirs in make load of modular policy. 2006-10-10 15:09:59 +00:00
Chris PeBenito e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00
Chris PeBenito c634db20c6 fix makefile style so internal variables are lowercase 2006-08-31 17:28:35 +00:00
Chris PeBenito cfd5c5e157 add variable for install, and do other helper pgm cleanup 2006-08-08 21:56:45 +00:00
Chris PeBenito 5a7c06fdd1 add support for netfilter_contexts 2006-08-07 17:25:09 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00