Allow policy.VERSION and modules to ship with package
This commit is contained in:
parent
8f6432aac9
commit
0535650520
223
Rules.modular
223
Rules.modular
@ -1,223 +0,0 @@
|
||||
########################################
|
||||
#
|
||||
# Rules and Targets for building modular policies
|
||||
#
|
||||
|
||||
all_modules := $(base_mods) $(mod_mods) $(off_mods)
|
||||
all_interfaces := $(all_modules:.te=.if)
|
||||
|
||||
base_pkg := $(builddir)base.pp
|
||||
base_fc := $(builddir)base.fc
|
||||
base_conf := $(builddir)base.conf
|
||||
base_mod := $(tmpdir)/base.mod
|
||||
|
||||
users_extra := $(tmpdir)/users_extra
|
||||
|
||||
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||
|
||||
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||
base_te_files := $(base_mods)
|
||||
base_post_te_files := $(user_files) $(poldir)/constraints
|
||||
base_fc_files := $(base_mods:.te=.fc)
|
||||
|
||||
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
|
||||
|
||||
# policy packages to install
|
||||
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
|
||||
|
||||
# search layer dirs for source files
|
||||
vpath %.te $(all_layers)
|
||||
vpath %.if $(all_layers)
|
||||
vpath %.fc $(all_layers)
|
||||
|
||||
.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
|
||||
|
||||
########################################
|
||||
#
|
||||
# default action: create all module packages
|
||||
#
|
||||
default: policy
|
||||
|
||||
all policy: base modules
|
||||
|
||||
base: $(base_pkg)
|
||||
|
||||
modules: $(mod_pkgs)
|
||||
|
||||
install: $(instpkg) $(appfiles)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load all configured modules
|
||||
#
|
||||
load: $(instpkg) $(appfiles)
|
||||
# make sure two directories exist since they are not
|
||||
# created by semanage
|
||||
@mkdir -p $(policypath) $(dir $(fcpath))
|
||||
@echo "Loading configured modules."
|
||||
$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install policy packages
|
||||
#
|
||||
$(modpkgdir)/%.pp: $(builddir)%.pp
|
||||
@mkdir -p $(modpkgdir)
|
||||
@echo "Installing $(NAME) $(@F) policy package."
|
||||
$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Build module packages
|
||||
#
|
||||
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
|
||||
@echo "Compliling $(NAME) $(@F) module"
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(call perrole-expansion,$(basename $(@F)),$@.role)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||
|
||||
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
|
||||
|
||||
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
|
||||
@echo "Creating $(NAME) $(@F) policy package"
|
||||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
|
||||
|
||||
########################################
|
||||
#
|
||||
# Create a base module package
|
||||
#
|
||||
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
||||
@echo "Creating $(NAME) base module package"
|
||||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
||||
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(base_mod): $(base_conf)
|
||||
@echo "Compiling $(NAME) base module"
|
||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||
|
||||
$(tmpdir)/seusers: $(seusers)
|
||||
@mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
|
||||
|
||||
$(users_extra): $(m4support) $(user_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
||||
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a base.conf
|
||||
#
|
||||
$(base_conf): $(base_sections)
|
||||
@echo "Creating $(NAME) base module $(@F)"
|
||||
@test -d $(@D) || mkdir -p $(@D)
|
||||
$(verbose) cat $^ > $@
|
||||
|
||||
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/generated_definitions.conf:
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
# define all available object classes
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
||||
$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
||||
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
||||
|
||||
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "divert(-1)" > $@
|
||||
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
||||
ifeq "$(strip $(base_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
# extract attributes and put them first. extract post te stuff
|
||||
# like genfscon and put last.
|
||||
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
||||
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
|
||||
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
|
||||
# these have to run individually because order matters:
|
||||
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a base.fc
|
||||
#
|
||||
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
|
||||
$(verbose) $(fcsort) $< $@
|
||||
|
||||
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
|
||||
ifeq ($(base_fc_files),)
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@echo "Creating $(NAME) base module file contexts."
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(appdir)/customizable_types: $(base_conf)
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Validate linking and expanding of modules
|
||||
#
|
||||
validate: $(base_pkg) $(mod_pkgs)
|
||||
@echo "Validating policy linking."
|
||||
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
|
||||
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
|
||||
@echo "Success."
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
#
|
||||
clean:
|
||||
rm -f $(base_conf)
|
||||
rm -f $(base_fc)
|
||||
rm -f $(builddir)*.pp
|
||||
rm -f $(net_contexts)
|
||||
rm -fR $(tmpdir)
|
||||
|
||||
.PHONY: default all policy base modules install load clean validate
|
258
Rules.monolithic
258
Rules.monolithic
@ -1,258 +0,0 @@
|
||||
########################################
|
||||
#
|
||||
# Rules and Targets for building monolithic policies
|
||||
#
|
||||
|
||||
# determine the policy version and current kernel version if possible
|
||||
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
|
||||
kv := $(shell cat /selinux/policyvers)
|
||||
|
||||
# dont print version warnings if we are unable to determine
|
||||
# the currently running kernel's policy version
|
||||
ifeq "$(kv)" ""
|
||||
kv := $(pv)
|
||||
endif
|
||||
|
||||
policy_conf = $(builddir)policy.conf
|
||||
fc = $(builddir)file_contexts
|
||||
polver = $(builddir)policy.$(pv)
|
||||
homedir_template = $(builddir)homedir_template
|
||||
|
||||
M4PARAM += -D self_contained_policy
|
||||
|
||||
# install paths
|
||||
loadpath = $(policypath)/$(notdir $(polver))
|
||||
|
||||
appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
|
||||
|
||||
# for monolithic policy use all base and module to create policy
|
||||
all_modules := $(strip $(base_mods) $(mod_mods))
|
||||
# off module interfaces included to make sure all interfaces are expanded.
|
||||
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
|
||||
all_te_files := $(all_modules)
|
||||
all_fc_files := $(all_modules:.te=.fc)
|
||||
|
||||
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||
post_te_files := $(user_files) $(poldir)/constraints
|
||||
|
||||
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||
|
||||
# search layer dirs for source files
|
||||
vpath %.te $(all_layers)
|
||||
vpath %.if $(all_layers)
|
||||
vpath %.fc $(all_layers)
|
||||
|
||||
########################################
|
||||
#
|
||||
# default action: build policy locally
|
||||
#
|
||||
default: policy
|
||||
|
||||
policy: $(polver)
|
||||
|
||||
install: $(loadpath) $(fcpath) $(appfiles)
|
||||
|
||||
load: $(tmpdir)/load
|
||||
|
||||
checklabels: $(fcpath)
|
||||
restorelabels: $(fcpath)
|
||||
relabel: $(fcpath)
|
||||
resetlabels: $(fcpath)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Build a binary policy locally
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(polver): $(policy_conf)
|
||||
@echo "Compiling $(NAME) $(polver)"
|
||||
ifneq ($(pv),$(kv))
|
||||
@echo
|
||||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||
@echo
|
||||
endif
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install a binary policy
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(loadpath): $(policy_conf)
|
||||
@mkdir -p $(policypath)
|
||||
@echo "Compiling and installing $(NAME) $(loadpath)"
|
||||
ifneq ($(pv),$(kv))
|
||||
@echo
|
||||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||
@echo
|
||||
endif
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load the binary policy
|
||||
#
|
||||
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
|
||||
@echo "Loading $(NAME) $(loadpath)"
|
||||
$(verbose) $(LOADPOLICY) -q $(loadpath)
|
||||
@touch $(tmpdir)/load
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a monolithic policy.conf
|
||||
#
|
||||
$(policy_conf): $(policy_sections)
|
||||
@echo "Creating $(NAME) $(@F)"
|
||||
@test -d $(@D) || mkdir -p $(@D)
|
||||
$(verbose) cat $^ > $@
|
||||
|
||||
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/generated_definitions.conf: $(all_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
# define all available object classes
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
||||
$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
|
||||
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
||||
|
||||
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "divert(-1)" > $@
|
||||
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
|
||||
ifeq "$(strip $(all_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
# extract attributes and put them first. extract post te stuff
|
||||
# like genfscon and put last.
|
||||
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
||||
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
|
||||
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
|
||||
# these have to run individually because order matters:
|
||||
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
|
||||
|
||||
########################################
|
||||
#
|
||||
# Remove the dontaudit rules from the policy.conf
|
||||
#
|
||||
enableaudit: $(policy_conf)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
|
||||
$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
|
||||
$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct file_contexts
|
||||
#
|
||||
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
|
||||
$(verbose) $(fcsort) $< $@
|
||||
$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
|
||||
$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
|
||||
|
||||
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
|
||||
ifeq ($(all_fc_files),)
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@echo "Creating $(NAME) file_contexts."
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(homedir_template): $(fc)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install file_contexts
|
||||
#
|
||||
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
|
||||
@echo "Validating $(NAME) file_contexts."
|
||||
$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
|
||||
@echo "Installing file_contexts."
|
||||
@mkdir -p $(contextpath)/files
|
||||
$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
|
||||
$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
|
||||
$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
|
||||
ifeq "$(DISTRO)" "rhel4"
|
||||
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
|
||||
$(verbose) cat $@.homedirs >> $@
|
||||
# Delete the file_contexts.homedirs in case the toolchain has
|
||||
# been updated, to prevent duplicate match errors.
|
||||
$(verbose) rm -f $@.homedirs
|
||||
endif
|
||||
|
||||
########################################
|
||||
#
|
||||
# Intall netfilter_contexts
|
||||
#
|
||||
$(ncpath): $(net_contexts)
|
||||
@echo "Installing $(NAME) netfilter_contexts."
|
||||
$(verbose) $(INSTALL) -m 0644 $^ $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Run policy source checks
|
||||
#
|
||||
check: $(builddir)check.res
|
||||
$(builddir)check.res: $(policy_conf) $(fc)
|
||||
$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
|
||||
|
||||
longcheck: $(builddir)longcheck.res
|
||||
$(builddir)longcheck.res: $(policy_conf) $(fc)
|
||||
$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(appdir)/customizable_types: $(policy_conf)
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
|
||||
|
||||
$(installdir)/seusers: $(seusers)
|
||||
@mkdir -p $(installdir)
|
||||
$(verbose) $(INSTALL) -m 644 $^ $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
#
|
||||
clean:
|
||||
rm -f $(policy_conf)
|
||||
rm -f $(polver)
|
||||
rm -f $(fc)
|
||||
rm -f $(homedir_template)
|
||||
rm -f $(net_contexts)
|
||||
rm -f *.res
|
||||
rm -fR $(tmpdir)
|
||||
|
||||
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
|
@ -8,20 +8,17 @@
|
||||
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
|
||||
%define BUILD_MINIMUM 1
|
||||
%endif
|
||||
%if %{?BUILD_OLPC:0}%{!?BUILD_OLPC:1}
|
||||
%define BUILD_OLPC 0
|
||||
%endif
|
||||
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
|
||||
%define BUILD_MLS 1
|
||||
%endif
|
||||
%define POLICYVER 26
|
||||
%define libsepolver 2.0.44-2
|
||||
%define POLICYCOREUTILSVER 2.0.85-28
|
||||
%define POLICYCOREUTILSVER 2.0.86-10
|
||||
%define CHECKPOLICYVER 2.0.26-1
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.16
|
||||
Release: 25%{?dist}
|
||||
Release: 25.1%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -33,10 +30,6 @@ Source4: setrans-targeted.conf
|
||||
Source5: modules-mls.conf
|
||||
Source6: booleans-mls.conf
|
||||
Source8: setrans-mls.conf
|
||||
Source9: modules-olpc.conf
|
||||
Source10: booleans-olpc.conf
|
||||
Source11: setrans-olpc.conf
|
||||
Source12: securetty_types-olpc
|
||||
Source13: policygentool
|
||||
Source14: securetty_types-targeted
|
||||
Source15: securetty_types-mls
|
||||
@ -48,7 +41,6 @@ Source20: customizable_types
|
||||
Source21: config.tgz
|
||||
Source22: users-mls
|
||||
Source23: users-targeted
|
||||
Source24: users-olpc
|
||||
Source25: users-minimum
|
||||
Source26: file_contexts.subs_dist
|
||||
|
||||
@ -56,8 +48,8 @@ Url: http://oss.tresys.com/repos/refpolicy/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildArch: noarch
|
||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
|
||||
Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-4
|
||||
Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk /usr/bin/md5sum
|
||||
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
||||
Obsoletes: selinux-policy-devel <= %{version}-%{release}
|
||||
Provides: selinux-policy-devel = %{version}-%{release}
|
||||
@ -109,9 +101,8 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
|
||||
make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
#%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
@ -125,14 +116,18 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli
|
||||
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
|
||||
bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp.bz2 > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/$i; done \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||
semodule -n -B -p %{buildroot}; \
|
||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} > %{buildroot}%{_sysconfdir}/selinux/%1/policy/.policymd5 \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%nil
|
||||
|
||||
%define fileList() \
|
||||
%defattr(-,root,root) \
|
||||
%dir %{_usr}/share/selinux/%1 \
|
||||
%{_usr}/share/selinux/%1/*.pp.bz2 \
|
||||
%{_usr}/share/selinux/%1/modules.lst \
|
||||
%dir %{_sysconfdir}/selinux/%1 \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
@ -141,9 +136,12 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' .
|
||||
%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||
%config(noreplace) %dir %{_sysconfdir}/selinux/%1/modules/active/* \
|
||||
%config %dir %{_sysconfdir}/selinux/%1/modules/active/modules/* \
|
||||
#%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%ghost %{_sysconfdir}/selinux/%1/policy/policy.* \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
%{_sysconfdir}/selinux/%1/policy/.policymd5 \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
@ -180,11 +178,6 @@ if [ -s /etc/selinux/config ]; then \
|
||||
fi \
|
||||
fi
|
||||
|
||||
%define loadpolicy() \
|
||||
( cd /usr/share/selinux/%1; \
|
||||
semodule -b base.pp.bz2 -i %2 -s %1; \
|
||||
); \
|
||||
|
||||
%define relabel() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
@ -207,7 +200,7 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26};do
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
|
||||
cp $i selinux_config
|
||||
done
|
||||
tar zxvf selinux_config/config.tgz
|
||||
@ -245,13 +238,6 @@ make clean
|
||||
%installCmds mls mls n y deny
|
||||
%endif
|
||||
|
||||
%if %{BUILD_OLPC}
|
||||
# Build olpc policy
|
||||
# Commented out because only olpc ref policy currently builds
|
||||
%makeCmds olpc mcs n y allow
|
||||
%installCmds olpc mcs n y allow
|
||||
%endif
|
||||
|
||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||
@ -329,14 +315,21 @@ SELinux Reference policy targeted base module.
|
||||
%saveFileContext targeted
|
||||
|
||||
%post targeted
|
||||
packages=`cat /usr/share/selinux/targeted/modules.lst`
|
||||
if [ $1 -eq 1 ]; then
|
||||
%loadpolicy targeted $packages
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
md5=`md5sum /etc/selinux/targeted/policy/policy.%{POLICYVER}`
|
||||
checkmd5=`cat /etc/selinux/targeted/policy/policy.%{POLICYVER}.md5sum`
|
||||
if [ "$md5" != "$checkmd5" ] ; then
|
||||
if [ $1 -ne 1 ]; then
|
||||
semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
fi
|
||||
semodule -B -s targeted
|
||||
else
|
||||
semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
%loadpolicy targeted $packages
|
||||
%relabel targeted
|
||||
[ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy
|
||||
fi
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
%relabel targeted
|
||||
fi
|
||||
exit 0
|
||||
|
||||
@ -383,7 +376,7 @@ SELinux Reference policy minimum base module.
|
||||
|
||||
%post minimum
|
||||
packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2 application.pp.bz2 userdomain.pp.bz2 authlogin.pp.bz2 logging.pp.bz2 selinuxutil.pp.bz2 init.pp.bz2 systemd.pp.bz2 sysnetwork.pp.bz2 miscfiles.pp.bz2 libraries.pp.bz2 modutils.pp.bz2 sysadm.pp.bz2 locallogin.pp.bz2 dbus.pp.bz2 rpm.pp.bz2 mount.pp.bz2 fstools.pp.bz2 usermanage.pp.bz2 mta.pp.bz2"
|
||||
%loadpolicy minimum $packages
|
||||
semodule -B -s minimum
|
||||
if [ $1 -eq 1 ]; then
|
||||
semanage -S minimum -i - << __eof
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
@ -401,38 +394,6 @@ exit 0
|
||||
%fileList minimum
|
||||
%endif
|
||||
|
||||
%if %{BUILD_OLPC}
|
||||
%package olpc
|
||||
Summary: SELinux olpc base policy
|
||||
Group: System Environment/Base
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
Conflicts: seedit
|
||||
|
||||
%description olpc
|
||||
SELinux Reference policy olpc base module.
|
||||
|
||||
%pre olpc
|
||||
%saveFileContext olpc
|
||||
|
||||
%post olpc
|
||||
packages=`cat /usr/share/selinux/olpc/modules.lst`
|
||||
%loadpolicy olpc $packages
|
||||
|
||||
if [ $1 -ne 1 ]; then
|
||||
%relabel olpc
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%files olpc
|
||||
%defattr(-,root,root,-)
|
||||
%fileList olpc
|
||||
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
%package mls
|
||||
Summary: SELinux mls base policy
|
||||
@ -454,13 +415,12 @@ SELinux Reference policy mls base module.
|
||||
|
||||
%post mls
|
||||
semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
packages=`cat /usr/share/selinux/mls/modules.lst`
|
||||
%loadpolicy mls $packages
|
||||
semodule -B -s mls
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
%relabel mls
|
||||
%relabel mls
|
||||
fi
|
||||
exit 0
|
||||
|
||||
@ -472,6 +432,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jun 2 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-25.1
|
||||
- Add policy.26 to the payload
|
||||
|
||||
* Thu Jun 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-25
|
||||
- Fixes for sanlock policy
|
||||
- Fixes for colord policy
|
||||
|
Loading…
Reference in New Issue
Block a user