Commit Graph

71 Commits

Author SHA1 Message Date
Richard Haines
037ac427f8 Ensure correct monolithic binary policy is loaded
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.

Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2021-01-13 09:54:48 -05:00
Chris PeBenito
26ed37c991 Makefile: Add -E to setfiles labeling targets.
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.

closes #218

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-06 13:53:46 -05:00
Chris PeBenito
e167e1a4d4 Makefile: Give a value to build options so they can be used in ifelse.
Set build options to expand to "true".  This will enable writing build
options using m4 ifelse, for example:

ifelse(`init_systemd',`true',`
[init_systemd rules]
',`direct_sysadm_daemon',`true',
[direct_sysadm_daemon rules]
',` dnl else
[else rules]
')

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-27 11:37:32 -04:00
Christian Göttsche
a3811f4eb4 Makefile: add target build-interface-db
Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference style policy generation by
'audit2allow --reference'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
Christian Göttsche
7366235e1e Makefile: remove obsolete .SUFFIXES
With the removal of fc_sort there are no more .c files in the repository.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-21 11:42:45 +02:00
Topi Miettinen
79731d6fd2
Build and install Netfilter rules
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-24 16:36:56 +03:00
Christian Göttsche
82a8b7bfb7 Makefile: generate temporary documentation files in separate directory
Use a separate directory for files generated my 'make conf', so the clean targets from Rules.* do not remove them.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-04-14 19:42:41 +02:00
Chris PeBenito
d38afda010 Makefile: Remove shell brace expansion in ctags target.
This doesn't work on dash, the default shell on Debian.

Closes #110

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-01 15:01:50 -04:00
Chris PeBenito
9ee2a6d42e Makefile: Warn if policy.xml xmllint check does not run.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-19 13:59:06 -04:00
Christian Göttsche
16af31d5a1 re-implement fc_sort in python
fc_sort is the only/last build tool that requires a C compiler

Re-implement it in python, so that gcc dependencies can be dropped

The output of the C and the python version differ slightly in the order of equally specific file contexts

old:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /opt/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
    /usr/.*		system_u:object_r:usr_t
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /run/.*		<<none>>
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t

new:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t
    /opt/.*		system_u:object_r:usr_t
    /run/.*		<<none>>
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /usr/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
2019-10-06 00:11:30 +02:00
Christian Göttsche
25bb0cab98 fix Makefile for policy-module directories with same ending
Currently policy module directories must have a same ending.
Reproduce with:

  mv policy/modules/admin/ policy/modules/adminapps
  make conf

Results in:

  ...
  cat policy/modules/adminapps/metadata.xml policy/modules/apps/metadata.xml > tmp/apps.xml
  ...
  doc/policy.xml:4332: element layer: validity error : Element layer content does not follow the DTD, expecting (summary , module+), got (summary summary module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module )
  Document doc/policy.xml does not validate against doc/policy.dtd
  make: *** [Makefile:452: doc/policy.xml] Error 3

Add a leading slash to the filter pattern, to not match partial names
2019-10-01 20:24:29 +02:00
Laurent Bigonville
d90860861f Makefile: Avoid regenerating the iftemplates at everyrun
Fixes: #26
2019-07-21 16:02:21 +02:00
Ondrej Mosnacek
cd77bbc1ed Fix find commands in Makefiles
Without this fix, building a custom module in a directory that contains
a file with special characters in its name (e.g. '(') triggers a syntax
error:

$ cat >foo.te <<EOF
module foo 1.0;
require {
	class file entrypoint;
	type shell_exec_t;
	type vmtools_unconfined_t;
}
allow vmtools_unconfined_t shell_exec_t : file entrypoint;
EOF
$ touch "my broken (file)"
$ make -f /usr/share/selinux/devel/Makefile foo.pp
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `find anaconda-ks.cfg my broken (file) vncserver.strace systemd.strace rhel-server-7.6-x86_64-boot.iso rt_minimal.c vnc.cil foo.te rsyslog tmp virt-install.log evil_banner.sh livemedia.log program.log foo.if rhel7-minimal.ks TestZip.java TestZip.class foo.fc sudoloop foo.pp strace.log -maxdepth 0 -type d'

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1692676
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-22 09:00:23 +02:00
David Sugar
8e18a55457 Update CUSTOM_BUILDOPT
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Chris PeBenito
34de8814b7 Makefile: Tweak cli output. 2018-06-10 13:23:25 -04:00
Sven Vermeulen
7304f10c9b Generate template code and update genxml call for documentation generation
Update the Makefile to first build the template files (template code
definitions) and then have all segenxml calls use these files.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Chris PeBenito
ef6e79a082 Switch all remaining Python references to the Python 3 interpreter. 2018-05-31 17:41:59 -04:00
Daniel Jurgens
25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Jason Zaman
299e1ce6be appconfig: Add openrc_contexts file 2017-05-11 19:35:53 -04:00
cgzones
c9e77f5dde clean up python3 cache on make bare 2017-03-29 17:18:04 +02:00
cgzones
3b3e6f75d3 travis: run make xml, html and install(-.*)? targets 2017-03-18 15:35:15 +01:00
cgzones
82b0a6d4d5 convert build scripts to python3 2017-03-15 02:09:20 +01:00
Chris PeBenito
dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
cgzones
2315912719 fix permission of installed segenxml.py by install-headers 2017-01-05 10:54:08 +01:00
cgzones
1cda50620c using intermediate target instead of splitting up conf files generation 2016-12-04 14:18:21 +01:00
cgzones
4e199ae145 update Makefile 2016-11-30 01:16:41 +01:00
Jeroen Roovers
396de5ff1d Use $(AWK) not plain awk
Since the awk scripts appear to use some GNU extensions, make sure we always use $(AWK).

Fixes an issue where the system /usr/bin/awk may be another implementation, say mawk on a Ubuntu system.
2016-09-01 12:14:03 +02:00
Laurent Bigonville
ca6fefc3c8 Add lxc_contexts config file
selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is ATM used by libvirt.

The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used,
keep them out of the file for the time being.
2016-02-19 16:50:42 +01:00
Chris PeBenito
bf0cfe940a Add systemd build option. 2015-10-20 15:01:23 -04:00
Chris PeBenito
6624f9cf7a Drop RHEL4 and RHEL5 support. 2014-09-24 13:10:37 -04:00
Chris PeBenito
cce73689ea Always use the unknown permissions handling build option.
This compile-time feature is in the minimum-required checkpolicy/checkmodule
for building the policy, so it should always be used.
2014-06-19 10:52:14 -04:00
Chris PeBenito
0dc377caa4 Add file for placing default_* statements. 2014-04-28 10:00:36 -04:00
Chris PeBenito
f27f36ff15 Make the QUIET build option apply to clean and bare targets. 2014-01-16 11:25:42 -05:00
Chris PeBenito
3bf7fd504c Use python libselinux bindings to determine policy version.
This eliminates the hardcoded /selinux in Rules.monolithic, which
broke when the filesystem mount was moved to /sys/fs/selinux.
2013-06-06 09:27:40 -04:00
Chris PeBenito
d04cbbc8de Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH. 2012-09-17 09:30:59 -04:00
Sven Vermeulen
f78979eadd Adding default context rules for libvirt
The libvirt infrastructure requires the availability of the context files.

In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:18:45 -04:00
Chris PeBenito
458ab7d2ba Fix makefiles to install files with the correct DAC permissions if the umask is not 022.
trac ticket #50
2011-10-19 10:59:16 -04:00
Chris PeBenito
d1af485661 Remove rolemap and per-role template support.
This support was deprecated and unused in Reference Policy November 5 2008.
2011-10-14 08:52:21 -04:00
Chris PeBenito
f82712416e Add m4 diverts in corenetwork generation code to clean up resultant files. 2011-10-04 16:00:08 -04:00
Chris PeBenito
f1aed68ac3 Support for file context path substitutions (file_contexts.subs).
Install file_contexts.subs_dist out of Refpolicy. This is TYPE-agnostic
so the file goes in config/.  Populate the file with current substitutions.
2011-07-28 13:12:28 -04:00
KaiGai Kohei
b98aba85d9 Add sepgsql_contexts into appconfig-*
The attached patch adds sepgsql_contexts file into appconfig-*
directory. This configuration is used to initial labeling on
installation time for each database objects.
We can easily look up an appropriate label using selabel_loopup(3)
APIs. The 'sepgsql_contexts' is default for SE-PostgreSQL.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
2011-01-04 13:27:40 -05:00
Chris PeBenito
db774a54a6 Add support for custom build options. 2010-09-30 14:53:44 -04:00
Chris PeBenito
0001e26f4f Increased default number of categories to 1024, from Russell Coker. 2010-06-28 09:04:24 -04:00
Chris PeBenito
0bf2bc9156 Fix Makefile info message for installing policy headers
The Makefile is currently using the policy TYPE (standard|mls|mcs) rather
than the more informative NAME (eg strict, targeted, etc).  Fix the Makefile
to use NAME.
2009-08-17 09:49:53 -04:00
Chris PeBenito
0f5e26b620 Add btrfs and ext4 to labeling targets. 2009-08-11 09:01:58 -04:00
Chris PeBenito
90286f4292 Fix infrastructure to expand macros in initrc_context when installing.
The initrc_context file uses the mls_systemhigh macro and needs to be properly
expanded based on the build.conf settings.  Add makefile support to do this.
2009-08-10 14:00:34 -04:00
Chris PeBenito
019dfaf9dc trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project. 2009-01-15 20:31:06 +00:00
Chris PeBenito
296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito
c07f9ccd18 trunk: Add file for enabling policy capabilities. 2008-04-18 14:21:01 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00