nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f0cade07b2
selinux-refpolicy/Rules.monolithic
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports 
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00

259 lines
8.4 KiB
Plaintext
Raw Blame History

########################################
#
# Rules and Targets for building monolithic policies
#
# determine the policy version and current kernel version if possible
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
kv := $(shell $(policyvers))
# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq "$(kv)" ""
kv := $(pv)
endif
policy_conf = $(builddir)policy.conf
fc = $(builddir)file_contexts
polver = $(builddir)policy.$(pv)
homedir_template = $(builddir)homedir_template
M4PARAM += -D self_contained_policy
# install paths
loadpath = $(policypath)/$(notdir $(polver))
appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
# for monolithic policy use all base and module to create policy
all_modules := $(strip $(base_mods) $(mod_mods))
# off module interfaces included to make sure all interfaces are expanded.
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
all_te_files := $(all_modules)
all_fc_files := $(all_modules:.te=.fc)
pre_te_files := $(secclass) $(isids) $(avs) $(ctx_defaults) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
post_te_files := $(user_files) $(poldir)/constraints
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
########################################
#
# default action: build policy locally
#
default: policy
policy: $(polver)
install: $(loadpath) $(fcpath) $(appfiles)
load: $(tmpdir)/load
checklabels: $(fcpath)
restorelabels: $(fcpath)
relabel: $(fcpath)
resetlabels: $(fcpath)
########################################
#
# Build a binary policy locally
#
$(polver): $(policy_conf)
@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
@echo
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
########################################
#
# Install a binary policy
#
$(loadpath): $(policy_conf)
@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
@echo
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
########################################
#
# Load the binary policy
#
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
@echo "Loading $(NAME) $(loadpath)"
$(verbose) $(LOADPOLICY) -q $(loadpath)
@touch $(tmpdir)/load
########################################
#
# Construct a monolithic policy.conf
#
$(policy_conf): $(policy_sections)
@echo "Creating $(NAME) $(@F)"
@test -d $(@D) || mkdir -p $(@D)
$(verbose) cat $^ > $@
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/generated_definitions.conf: $(all_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
@echo "divert(-1)" > $@
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
@echo "divert" >> $@
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(m4terminate)
ifeq "$(strip $(all_te_files))" ""
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
$(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: $(policy_conf)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
########################################
#
# Construct file_contexts
#
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
$(verbose) $(fcsort) $< $@
$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
ifeq ($(all_fc_files),)
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@echo "Creating $(NAME) file_contexts."
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(homedir_template): $(fc)
########################################
#
# Install file_contexts
#
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
@echo "Installing file_contexts."
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
########################################
#
# Intall netfilter_contexts
#
$(ncpath): $(net_contexts)
@echo "Installing $(NAME) netfilter_contexts."
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $^ $@
########################################
#
# Validate file contexts
#
validate: $(fc) $(polver)
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(polver) $(fc)
@echo "Success."
########################################
#
# Run policy source checks
#
check: $(builddir)check.res
$(builddir)check.res: $(policy_conf) $(fc)
$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
longcheck: $(builddir)longcheck.res
$(builddir)longcheck.res: $(policy_conf) $(fc)
$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
########################################
#
# Appconfig files
#
$(appdir)/customizable_types: $(policy_conf)
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
$(installdir)/seusers: $(seusers)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
@$(INSTALL) -d -m 0755 $(@D)
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
########################################
#
# Clean the sources
#
clean:
$(verbose) rm -f $(policy_conf)
$(verbose) rm -f $(polver)
$(verbose) rm -f $(fc)
$(verbose) rm -f $(homedir_template)
$(verbose) rm -f $(net_contexts)
$(verbose) rm -f *.res
$(verbose) rm -fR $(tmpdir)
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
Reference in New Issue View Git Blame Copy Permalink