more fixes

Chris PeBenito 2005-06-08 13:44:23 +00:00
parent a7197232e8
commit 84eb353cd9
2 changed files with 31 additions and 27 deletions


@ -57,6 +57,7 @@ SETFILES := $(SBINDIR)/setfiles
SUPPORT := support SUPPORT := support
GENDOC := $(SUPPORT)/sedoctool.py GENDOC := $(SUPPORT)/sedoctool.py
FCSORT := $(SUPPORT)/fc_sort FCSORT := $(SUPPORT)/fc_sort
SETTUN := $(SUPPORT)/set_tunables
XMLLINT := $(BINDIR)/xmllint XMLLINT := $(BINDIR)/xmllint
@ -115,8 +116,9 @@ FLASKDIR = $(POLDIR)/flask
APPCONF = config/appconfig APPCONF = config/appconfig
M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt) M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt)
GLOBALTUN := $(POLDIR)/global_tunables
MOD_DISABLE := $(POLDIR)/modules.disable MOD_DISABLE := $(POLDIR)/modules.disable
TUNABLES = $(POLDIR)/tunables.conf TUNABLES := $(POLDIR)/tunables.conf
APPDIR := $(CONTEXTPATH) APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
@ -136,7 +138,7 @@ POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
ALL_FC_FILES := $(ALL_MODULES:.te=.fc) ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
DOCTOOLS = doc DOCTOOLS = doc
XMLDTD = $(DOCTOOLS)/policy.dtd XMLDTD = $(DOCTOOLS)/policy.dtd
@ -199,10 +201,10 @@ reload tmp/load: $(LOADPATH) $(FCPATH)
# #
policy.conf: $(POLICY_SECTIONS) policy.conf: $(POLICY_SECTIONS)
@echo "Creating $(NAME) policy.conf" @echo "Creating $(NAME) policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting: # checkpolicy can use the #line directives provided by -s for error reporting:
$(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp $(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp
$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters: # the ordering of these ocontexts matters:
$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
@ -211,8 +213,8 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(QUIET) cat $^ > $@
tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te $(TUNABLES)
# per-userdomain templates: # per-userdomain templates:
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
@ -220,16 +222,14 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
>> $@ ;\ >> $@ ;\
done done
$(QUIET) echo "')" >> $@ $(QUIET) echo "')" >> $@
# define foo.te # define foo.te
$(QUIET) for i in $(notdir $(ALL_MODULES)); do \ $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
echo "define(\`$$i')" >> $@ ;\ echo "define(\`$$i')" >> $@ ;\
done done
# generate network interfaces
$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \ $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \ | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
# this is so the xml works: $(QUIET) $(SETTUN) $(TUNABLES) >> $@
$(QUIET) echo "## </module>" >> $@
tmp/all_interfaces.conf: $(ALL_INTERFACES) tmp/all_interfaces.conf: $(ALL_INTERFACES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
@ -257,21 +257,6 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
< tmp/all_te_files.conf > tmp/only_te_rules.conf < tmp/all_te_files.conf > tmp/only_te_rules.conf
########################################
#
# Create config files
#
conf $(MOD_DISABLE) $(TUNABLES): tmp/policy.xml
@echo "Creating $(MOD_DISABLE) and $(TUNABLES)"
# @echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
# @echo "# To prevent a module from being used in policy" >> $(MOD_DISABLE)
# @echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
# @echo "" >> $(MOD_DISABLE)
# @for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
# echo "#$$i" >> $(MOD_DISABLE) ;\
# done
$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES) -m $(MOD_DISABLE)
######################################## ########################################
# #
# Remove the dontaudit rules from the policy.conf # Remove the dontaudit rules from the policy.conf
@ -328,19 +313,31 @@ relabel: $(FC) $(SETFILES)
fi fi
$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
########################################
#
# Create config files
#
conf $(MOD_DISABLE) $(TUNABLES): tmp/policy.xml
@echo "Creating $(MOD_DISABLE) and $(TUNABLES)"
$(QUIET) cd tmp && ../$(GENDOC) -t ../$(TUNABLES) -m ../$(MOD_DISABLE) -x ../tmp/policy.xml
######################################## ########################################
# #
# Documentation generation # Documentation generation
# #
tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf # no dependencies here, because we don't want to rebuild
# this and its dependents every time the dependencies
# change
tmp/policy.xml:
@echo "Creating $@" @echo "Creating $@"
@mkdir -p tmp
$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ $(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@ $(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
$(QUIET) echo "<policy>" >> $@ $(QUIET) echo "<policy>" >> $@
# process this through m4 to eliminate the generated definitions templates. # process this through m4 to eliminate the generated definitions templates.
# currently these are only in corenetwork.if # currently these are only in corenetwork.if
$(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@ $(QUIET) m4 $(ALL_INTERFACES) $(GLOBALTUN) | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
$(QUIET) echo "</policy>" >> $@ $(QUIET) echo "</policy>" >> $@
$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ $(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
cp $(XMLDTD) tmp ;\ cp $(XMLDTD) tmp ;\
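Review bot: `tmp/policy.xml:` now has an empty prerequisite list, so once the file exists it is never regenerated, yet `$(TUNABLES)` is produced from it and this same change makes `$(TUNABLES)` an input to `tmp/generated_definitions.conf` and therefore to the compiled policy. A tunable added to `$(GLOBALTUN)` after the first build would then, as far as these hunks show, get no `_conf` definition from `$(SETTUN)`, and the policy would be built from the stale file with no warning. Since the recipe already names its inputs instead of using `$^`, the rule could keep them as prerequisites, `tmp/policy.xml: $(ALL_INTERFACES) $(GLOBALTUN)`, and protect a hand-edited tunables.conf in the `conf` recipe instead. `$(SETTUN)` should also be listed as a prerequisite of `tmp/generated_definitions.conf`, so that a change to the helper triggers a rebuild.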

7
refpolicy/support/set_tunables Executable file

@ -0,0 +1,7 @@
#!/bin/sh
# this file exists because this line is
# too hard to escape correctly in a makefile
egrep -v '^[[:blank:]]*(\#.*)?$' $1 \
| awk '{ print "define(`"$1"_conf'\'',`"$3"'\'')" }'
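Review bot: The script reports success even when it produced nothing: the shell argument `$1` is unquoted and unchecked, and the pipeline's exit status is awk's, so a missing or unreadable tunables file makes egrep fail while the Makefile recipe appends an empty result and carries on. Adding `[ -r "$1" ] || { echo "$0: cannot read $1" >&2; exit 1; }` before the pipeline, and passing the file as `"$1"`, would turn that into a build failure. The awk stage also emits a `define` for every remaining line whatever its shape, pasting its fields 1 and 3 inside m4 quotes unchecked. A guard such as `NF >= 3 && $1 ~ /^[A-Za-z0-9_]+$/` would keep a malformed line out of the policy source, assuming tunable names are plain identifiers.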