nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bf9da2ba78
selinux-refpolicy/Makefile
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports 
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00

652 lines
21 KiB
Makefile
Raw Blame History

#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# checklabels - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
# and restore the label of files with incorrect labels
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#
#
# Please see build.conf for policy build options.
#
########################################
#
# NO OPTIONS BELOW HERE
#
# Include the local build.conf if it exists, otherwise
# include the configuration of the root directory.
include build.conf
ifdef LOCAL_ROOT
-include $(LOCAL_ROOT)/build.conf
endif
# refpolicy version
version := $(shell cat VERSION)
ifdef LOCAL_ROOT
builddir := $(LOCAL_ROOT)/
tmpdir := $(LOCAL_ROOT)/tmp
tags := $(LOCAL_ROOT)/tags
else
tmpdir := tmp
tags := tags
endif
# executable paths
BINDIR ?= /usr/bin
SBINDIR ?= /usr/sbin
ifdef TEST_TOOLCHAIN
tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(BINDIR)
tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)/sbin
else
tc_usrbindir := $(BINDIR)
tc_usrsbindir := $(SBINDIR)
tc_sbindir := /sbin
endif
CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
CHECKMODULE ?= $(tc_usrbindir)/checkmodule
SEMODULE ?= $(tc_usrsbindir)/semodule
SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
SECHECK ?= $(BINDIR)/sechecker
# interpreters and aux tools
AWK ?= gawk
GREP ?= egrep
INSTALL ?= install
M4 ?= m4 -E -E
PYTHON ?= python -t -t -E -W error
SED ?= sed
SORT ?= LC_ALL=C sort
UMASK ?= umask
CFLAGS += -Wall -Wextra -Werror -O2
# policy source layout
poldir := policy
moddir := $(poldir)/modules
flaskdir := $(poldir)/flask
secclass := $(flaskdir)/security_classes
isids := $(flaskdir)/initial_sids
avs := $(flaskdir)/access_vectors
# local source layout
ifdef LOCAL_ROOT
local_poldir := $(LOCAL_ROOT)/policy
local_moddir := $(local_poldir)/modules
endif
# policy building support tools
support := support
genxml := $(PYTHON) $(support)/segenxml.py
gendoc := $(PYTHON) $(support)/sedoctool.py
genperm := $(PYTHON) $(support)/genclassperms.py
policyvers := $(PYTHON) $(support)/policyvers.py
fcsort := $(tmpdir)/fc_sort
setbools := $(AWK) -f $(support)/set_bools_tuns.awk
get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
gennetfilter := $(PYTHON) $(support)/gennetfilter.py
m4iferror := $(support)/iferror.m4
m4divert := $(support)/divert.m4
m4undivert := $(support)/undivert.m4
m4terminate := $(support)/fatal_error.m4
# use our own genhomedircon to make sure we have a known usable one,
# so policycoreutils updates are not required (RHEL4)
genhomedircon := $(PYTHON) $(support)/genhomedircon.py
# documentation paths
docs := doc
xmldtd := $(docs)/policy.dtd
metaxml := metadata.xml
doctemplate := $(docs)/templates
docfiles := $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
ifndef LOCAL_ROOT
polxml := $(docs)/policy.xml
tunxml := $(docs)/global_tunables.xml
boolxml := $(docs)/global_booleans.xml
htmldir := $(docs)/html
else
polxml := $(LOCAL_ROOT)/doc/policy.xml
tunxml := $(LOCAL_ROOT)/doc/global_tunables.xml
boolxml := $(LOCAL_ROOT)/doc/global_booleans.xml
htmldir := $(LOCAL_ROOT)/doc/html
endif
# config file paths
globaltun := $(poldir)/global_tunables
globalbool := $(poldir)/global_booleans
user_files := $(poldir)/users
policycaps := $(poldir)/policy_capabilities
ctx_defaults := $(poldir)/context_defaults
# local config file paths
ifndef LOCAL_ROOT
mod_conf := $(poldir)/modules.conf
booleans := $(poldir)/booleans.conf
tunables := $(poldir)/tunables.conf
else
mod_conf := $(local_poldir)/modules.conf
booleans := $(local_poldir)/booleans.conf
tunables := $(local_poldir)/tunables.conf
endif
# install paths
PKGNAME ?= refpolicy-$(version)
prefix := $(DESTDIR)/usr
topdir := $(DESTDIR)/etc/selinux
installdir := $(topdir)/$(strip $(NAME))
srcpath := $(installdir)/src
userpath := $(installdir)/users
policypath := $(installdir)/policy
contextpath := $(installdir)/contexts
homedirpath := $(contextpath)/files/homedir_template
fcpath := $(contextpath)/files/file_contexts
fcsubspath := $(contextpath)/files/file_contexts.subs_dist
ncpath := $(contextpath)/netfilter_contexts
sharedir := $(prefix)/share/selinux
modpkgdir := $(sharedir)/$(strip $(NAME))
headerdir := $(modpkgdir)/include
docsdir := $(prefix)/share/doc/$(PKGNAME)
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
gennetfilter += -m
endif
# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
gennetfilter += -c
endif
# enable distribution-specific policy
ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
endif
ifeq "$(DISTRO)" "ubuntu"
M4PARAM += -D distro_debian
endif
ifeq "$(SYSTEMD)" "y"
M4PARAM += -D init_systemd
endif
ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY)
endif
ifneq "$(CUSTOM_BUILDOPT)" ""
M4PARAM += $(foreach opt,$(CUSTOM_BUILDOPT),-D $(opt))
endif
# if not set, use the type as the name.
NAME ?= $(TYPE)
# default unknown permissions setting
UNK_PERMS ?= deny
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
ifeq "$(WERROR)" "y"
M4PARAM += -D m4_werror
endif
ifeq "$(UBAC)" "y"
M4PARAM += -D enable_ubac
endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 1024
MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose = @
endif
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named
# differently on different distros
ifeq ($(DISTRO),debian)
CTAGS := ctags-exuberant
endif
ifeq ($(DISTRO),gentoo)
CTAGS := exuberant-ctags
endif
CTAGS ?= ctags
m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
ifdef LOCAL_ROOT
m4support += $(wildcard $(local_poldir)/support/*.spt)
endif
m4support += $(m4undivert)
appconf := config/appconfig-$(TYPE)
seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types lxc_contexts openrc_contexts virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
ifdef LOCAL_ROOT
all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
endif
generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
layer_names := $(sort $(notdir $(all_layers)))
all_metaxml = $(call detect-metaxml, $(layer_names))
# modules.conf setting for base module
configbase := base
# modules.conf setting for loadable module
configmod := module
# modules.conf setting for unused module
configoff := off
# test for module overrides from command line
mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
ifneq "$(strip $(mod_test))" ""
$(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
endif
# add on suffix to modules specified on command line
cmdline_base := $(addsuffix .te,$(APPS_BASE))
cmdline_mods := $(addsuffix .te,$(APPS_MODS))
cmdline_off := $(addsuffix .te,$(APPS_OFF))
# extract settings from modules.conf
mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
base_mods := $(cmdline_base)
mod_mods := $(cmdline_mods)
off_mods := $(cmdline_off)
base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
# add modules not in modules.conf to the off list
off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
# filesystems to be used in labeling targets
filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
########################################
#
# Functions
#
# detect-metaxml layer_names
ifdef LOCAL_ROOT
define detect-metaxml
$(shell for i in $1; do \
if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
echo $(local_moddir)/$$i/$(metaxml) ;\
else \
echo $(moddir)/$$i/$(metaxml) ;\
fi \
elif [ -d $(local_moddir)/$$i ]; then
echo $(local_moddir)/$$i/$(metaxml) ;\
else \
echo $(moddir)/$$i/$(metaxml) ;\
fi \
done )
endef
else
define detect-metaxml
$(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
endef
endif
########################################
#
# Load appropriate rules
#
ifeq ($(MONOLITHIC),y)
include Rules.monolithic
else
include Rules.modular
endif
########################################
#
# Generated files
#
# NOTE: There is no "local" version of these files.
#
generate: $(generated_te) $(generated_if) $(generated_fc)
$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
@echo "#" > $@
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(moddir)/kernel/corenetwork.te: $(m4divert) $(moddir)/kernel/corenetwork.te.m4 $(m4undivert) $(moddir)/kernel/corenetwork.te.in
@echo "#" > $@
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
########################################
#
# Network packet labeling
#
$(net_contexts): $(moddir)/kernel/corenetwork.te.in
@echo "Creating netfilter network labeling rules"
$(verbose) $(gennetfilter) $^ > $@
########################################
#
# Create config files
#
conf: $(mod_conf) $(booleans) generate
$(booleans) $(mod_conf): conf.intermediate
.INTERMEDIATE: conf.intermediate
conf.intermediate: $(polxml)
@echo "Updating $(booleans) and $(mod_conf)"
$(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
########################################
#
# Generate the fc_sort program
#
$(fcsort) : $(support)/fc_sort.c
$(verbose) $(CC) $(CFLAGS) $^ -o $@
########################################
#
# Documentation generation
#
$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
$(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
ifdef LOCAL_ROOT
$(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
endif
$(tunxml): $(globaltun)
$(verbose) $(genxml) -w -t $< > $@
$(boolxml): $(globalbool)
$(verbose) $(genxml) -w -b $< > $@
$(polxml): $(layerxml) $(tunxml) $(boolxml)
@echo "Creating $(@F)"
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
$(verbose) echo '<policy>' >> $@
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
$(verbose) cat $(tunxml) $(boolxml) >> $@
$(verbose) echo '</policy>' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
xml: $(polxml)
html $(tmpdir)/html: $(polxml)
@echo "Building html interface reference documentation in $(htmldir)"
@test -d $(htmldir) || mkdir -p $(htmldir)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
$(verbose) cp $(doctemplate)/*.css $(htmldir)
@touch $(tmpdir)/html
########################################
#
# Runtime binary policy patching of users
#
$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
@mkdir -p $(tmpdir)
@echo "Installing system.users"
@echo "# " > $(tmpdir)/system.users
@echo "# Do not edit this file. " >> $(tmpdir)/system.users
@echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
@echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
@echo "#" >> $(tmpdir)/system.users
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
-e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/system.users $@
$(userpath)/local.users: config/local.users
@echo "Installing local.users"
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -b -m 0644 $< $@
########################################
#
# Build Appconfig files
#
$(tmpdir)/initrc_context: $(appconf)/initrc_context
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
########################################
#
# Install Appconfig files
#
install-appconfig: $(appfiles)
$(installdir)/booleans: $(booleans)
@mkdir -p $(tmpdir)
$(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
-e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/booleans $@
$(contextpath)/files/media: $(appconf)/media
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $< $@
$(fcsubspath): config/file_contexts.subs_dist
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $< $@
$(contextpath)/users/%: $(appconf)/%_default_contexts
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $^ $@
$(appdir)/%: $(appconf)/%
$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $(tmpdir)/$(@F)
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/$(@F) $@
########################################
#
# Install policy headers
#
install-headers: $(layerxml) $(tunxml) $(boolxml)
@mkdir -p $(headerdir)
@echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) mkdir -p $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
$(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
done
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
$(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
ifneq "$(DISTRO)" ""
$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
$(verbose) echo "SYSTEMD ?= $(SYSTEMD)" >> $(headerdir)/build.conf
$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
########################################
#
# Install policy documentation
#
install-docs: $(tmpdir)/html
@mkdir -p $(docsdir)/html
@echo "Installing policy documentation"
$(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
$(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
########################################
#
# Install policy sources
#
install-src:
rm -rf $(srcpath)/policy.old
if test -d $(srcpath)/policy; then \
mv $(srcpath)/policy $(srcpath)/policy.old ;\
fi
mkdir -p $(srcpath)/policy
cp -R . $(srcpath)/policy
########################################
#
# Generate tags file
#
tags: $(tags)
$(tags):
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
--regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
--regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
########################################
#
# Filesystem labeling
#
checklabels:
@echo "Checking labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
restorelabels:
@echo "Restoring labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
relabel:
@echo "Relabeling filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) $(fcpath) $(filesystems)
resetlabels:
@echo "Resetting labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
########################################
#
# Clean everything
#
bare: clean
$(verbose) rm -f $(polxml)
$(verbose) rm -f $(layerxml)
$(verbose) rm -f $(modxml)
$(verbose) rm -f $(tunxml)
$(verbose) rm -f $(boolxml)
$(verbose) rm -f $(mod_conf)
$(verbose) rm -f $(booleans)
$(verbose) rm -fR $(htmldir)
$(verbose) rm -f $(tags)
# don't remove these files if we're given a local root
ifndef LOCAL_ROOT
$(verbose) rm -f $(fcsort)
$(verbose) rm -f $(support)/*.pyc
$(verbose) rm -Rf $(support)/__pycache__/
ifneq ($(generated_te),)
$(verbose) rm -f $(generated_te)
endif
ifneq ($(generated_if),)
$(verbose) rm -f $(generated_if)
endif
ifneq ($(generated_fc),)
$(verbose) rm -f $(generated_fc)
endif
endif
.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
.SUFFIXES:
.SUFFIXES: .c
Reference in New Issue View Git Blame Copy Permalink