rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

start adding module disable and tunable infrastructure

Browse Source
This commit is contained in:
Chris PeBenito 2005-06-07 15:11:47 +00:00
parent 02b584a174
commit 0fbe15dc8a
1 changed files with 36 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
refpolicy/Makefile
View File

@ -111,20 +111,26 @@ FLASKDIR = $(POLDIR)/flask
APPCONF = config/appconfig APPCONF = config/appconfig
M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt) M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt)
MOD_DISABLE := $(POLDIR)/modules.disable
TUNABLES = $(POLDIR)/tunables.conf
APPDIR := $(CONTEXTPATH) APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users USER_FILES := $(POLDIR)/users
DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$(shell find -iname $(mod).te))
DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d) DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS)) ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))
DETECTED_MODS := $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te))
ALL_MODULES := $(filter-out $(DISABLEMOD),$(DETECTED_MODS))
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if)) ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) ALL_TE_FILES := $(ALL_MODULES)
POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc)) ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
@ -205,13 +211,13 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
# per-userdomain templates: # per-userdomain templates:
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
>> $@ ;\ >> $@ ;\
done done
$(QUIET) echo "')" >> $@ $(QUIET) echo "')" >> $@
# define foo.te # define foo.te
$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \ $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
echo "define(\`$$i')" >> $@ ;\ echo "define(\`$$i')" >> $@ ;\
done done
# generate network interfaces # generate network interfaces
@ -221,13 +227,13 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
# this is so the xml works: # this is so the xml works:
$(QUIET) echo "## </module>" >> $@ $(QUIET) echo "## </module>" >> $@
tmp/all_interfaces.conf: $(ALL_INTERFACES) tmp/all_interfaces.conf: $(ALL_INTERFACES) $(MOD_DISABLE)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(QUIET) cat $(ALL_INTERFACES) > $@
tmp/all_te_files.conf: $(ALL_TE_FILES) tmp/all_te_files.conf: $(ALL_TE_FILES) $(MOD_DISABLE)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(QUIET) cat $(ALL_TE_FILES) > $@
tmp/post_te_files.conf: $(POST_TE_FILES) tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
@ -247,6 +253,21 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
< tmp/all_te_files.conf > tmp/only_te_rules.conf < tmp/all_te_files.conf > tmp/only_te_rules.conf
########################################
#
# Create config files
#
conf $(MOD_DISABLE) $(TUNABLES):
$(QUIET) touch $(TUNABLES)
@echo "Creating $(MOD_DISABLE)"
@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
@echo "# To prevent a module from being used in policy" >> $(MOD_DISABLE)
@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
@echo "" >> $(MOD_DISABLE)
@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
echo "#$$i" >> $(MOD_DISABLE) ;\
done
######################################## ########################################
# #
# Remove the dontaudit rules from the policy.conf # Remove the dontaudit rules from the policy.conf
@ -269,7 +290,7 @@ $(FC): $(M4SUPPORT) $(ALL_FC_FILES)
# #
# Install file_contexts # Install file_contexts
# #
$(FCPATH): $(FC) $(USERPATH)/system.users $(FCPATH): $(FC) $(USERPATH)/system.users $(MOD_DISABLE)
@mkdir -p $(CONTEXTPATH)/files @mkdir -p $(CONTEXTPATH)/files
$(QUIET) install -m 644 $(FC) $(FCPATH) $(QUIET) install -m 644 $(FC) $(FCPATH)
# $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) # $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
@ -396,4 +417,8 @@ clean:
rm -f policy.$(PV) rm -f policy.$(PV)
rm -f $(FC) rm -f $(FC)
.PHONY: default policy install reload enableaudit checklabels restorelabels relabel clean bare: clean
rm -f $(MOD_DISABLE)
rm -f $(TUNABLES)
.PHONY: default policy install reload enableaudit checklabels restorelabels relabel conf clean bare