448be4bd31
Add a target for modular polices to load all built modules while simultaneously removing all non Reference Policy ones. This will remove dropped Reference Policy modules and user installed ones. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
241 lines
8.8 KiB
Plaintext
241 lines
8.8 KiB
Plaintext
########################################
|
|
#
|
|
# Rules and Targets for building modular policies
|
|
#
|
|
|
|
all_modules := $(base_mods) $(mod_mods) $(off_mods)
|
|
all_interfaces := $(all_modules:.te=.if)
|
|
enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
|
|
|
|
base_pkg := $(builddir)base.pp
|
|
base_fc := $(builddir)base.fc
|
|
base_conf := $(builddir)base.conf
|
|
base_mod := $(tmpdir)/base.mod
|
|
|
|
users_extra := $(tmpdir)/users_extra
|
|
|
|
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
|
|
|
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(ctx_defaults) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
|
base_te_files := $(base_mods)
|
|
base_post_te_files := $(user_files) $(poldir)/constraints
|
|
base_fc_files := $(base_mods:.te=.fc)
|
|
|
|
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
|
|
|
|
# policy packages to install
|
|
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
|
|
|
|
# search layer dirs for source files
|
|
vpath %.te $(all_layers)
|
|
vpath %.if $(all_layers)
|
|
vpath %.fc $(all_layers)
|
|
|
|
.SECONDARY: $(enabled_mod_fc:.mod.fc=.mod) $(enabled_mod_fc)
|
|
|
|
########################################
|
|
#
|
|
# default action: create all module packages
|
|
#
|
|
default: policy
|
|
|
|
all policy: base modules
|
|
|
|
base: $(base_pkg)
|
|
|
|
modules: $(mod_pkgs)
|
|
|
|
install: $(instpkg) $(appfiles)
|
|
|
|
########################################
|
|
#
|
|
# Load all configured modules
|
|
#
|
|
load: $(instpkg) $(appfiles)
|
|
# make sure two directories exist since they are not
|
|
# created by semanage
|
|
@echo "Loading configured modules."
|
|
@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
|
|
$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
|
|
|
|
########################################
|
|
#
|
|
# Load all configured modules and remove foreign ones
|
|
#
|
|
pure-load: $(instpkg) $(appfiles)
|
|
# make sure two directories exist since they are not
|
|
# created by semanage
|
|
@echo "Loading configured modules."
|
|
@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
|
|
$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
|
|
|
|
########################################
|
|
#
|
|
# Install policy packages
|
|
#
|
|
$(modpkgdir)/%.pp: $(builddir)%.pp
|
|
@echo "Installing $(NAME) $(@F) policy package."
|
|
@$(INSTALL) -d -m 0755 $(@D)
|
|
$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
|
|
|
|
########################################
|
|
#
|
|
# Build module packages
|
|
#
|
|
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te $(m4terminate)
|
|
@echo "Compiling $(NAME) $(@F) module"
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
|
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
|
|
|
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
|
|
|
|
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
|
|
@echo "Creating $(NAME) $(@F) policy package"
|
|
@test -d $(builddir) || mkdir -p $(builddir)
|
|
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
|
|
|
|
$(tmpdir)/all_mods.fc: $(enabled_mod_fc)
|
|
$(verbose) cat $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Create a base module package
|
|
#
|
|
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
|
@echo "Creating $(NAME) base module package"
|
|
@test -d $(builddir) || mkdir -p $(builddir)
|
|
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
|
|
|
$(base_mod): $(base_conf)
|
|
@echo "Compiling $(NAME) base module"
|
|
$(verbose) $(CHECKMODULE) -U $(UNK_PERMS) $^ -o $@
|
|
|
|
$(tmpdir)/seusers: $(seusers)
|
|
@mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
|
|
|
|
$(users_extra): $(m4support) $(user_files)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
|
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
|
|
|
########################################
|
|
#
|
|
# Construct a base.conf
|
|
#
|
|
$(base_conf): $(base_sections)
|
|
@echo "Creating $(NAME) base module $(@F)"
|
|
@test -d $(@D) || mkdir -p $(@D)
|
|
$(verbose) cat $^ > $@
|
|
|
|
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
$(tmpdir)/generated_definitions.conf:
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
# define all available object classes
|
|
@cat $(m4divert) > $@
|
|
$(verbose) $(genperm) $(avs) $(secclass) >> $@
|
|
$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
|
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
|
@cat $(m4undivert) >> $@
|
|
|
|
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
@cat $(m4divert) > $@
|
|
$(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp
|
|
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
|
@cat $(m4undivert) >> $@
|
|
|
|
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(m4terminate)
|
|
ifeq "$(strip $(base_te_files))" ""
|
|
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
|
endif
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
|
|
|
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
|
|
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files) $(tmpdir)/all_te_files.conf
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(GREP) '^[[:blank:]]*user ' $(tmpdir)/all_te_files.conf > $@ || true
|
|
$(verbose) $(M4) $(M4PARAM) $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files) >> $@
|
|
|
|
# extract attributes and put them first. extract post te stuff
|
|
# like genfscon and put last.
|
|
$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
|
|
$(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@
|
|
|
|
$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
|
$(verbose) cat $(tmpdir)/post_te_files.conf > $@
|
|
# these have to run individually because order matters:
|
|
$(verbose) $(GREP) '^[[:blank:]]*sid ' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*genfscon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*portcon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*netifcon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*nodecon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*ibpkeycon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
$(verbose) $(GREP) '^[[:blank:]]*ibendportcon' $(tmpdir)/all_te_files.conf >> $@ || true
|
|
|
|
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
|
|
$(verbose) $(comment_move_decl) $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Construct a base.fc
|
|
#
|
|
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp
|
|
$(verbose) $(fcsort) $< $@
|
|
|
|
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
|
|
ifeq ($(base_fc_files),)
|
|
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
|
endif
|
|
@echo "Creating $(NAME) base module file contexts."
|
|
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
|
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
|
|
|
########################################
|
|
#
|
|
# Appconfig files
|
|
#
|
|
$(appdir)/customizable_types: $(base_conf)
|
|
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
|
@$(INSTALL) -d -m 0755 $(@D)
|
|
$(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
|
|
|
|
########################################
|
|
#
|
|
# Validate linking and expanding of modules
|
|
#
|
|
validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
|
|
@echo "Validating policy linking."
|
|
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
|
|
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
|
|
@echo "Validating policy file contexts."
|
|
$(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
|
|
@echo "Success."
|
|
|
|
########################################
|
|
#
|
|
# Clean the sources
|
|
#
|
|
clean:
|
|
$(verbose) rm -f $(base_conf)
|
|
$(verbose) rm -f $(base_fc)
|
|
$(verbose) rm -f $(builddir)*.pp
|
|
$(verbose) rm -f $(net_contexts) $(net_contexts_nft)
|
|
$(verbose) rm -fR $(tmpdir)
|
|
|
|
.PHONY: default all policy base modules install load pure-load clean validate
|