add headers and outside tree building support

Chris PeBenito 2006-01-26 20:35:55 +00:00
parent 6259d8e857
commit 9b3756bfa8
6 changed files with 270 additions and 110 deletions


@ -1,3 +1,7 @@
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain - Separate per-userdomain template expansion from the userdomain
module and add infrastructure to expand templates in the modules module and add infrastructure to expand templates in the modules
that own the template. that own the template.


@ -74,12 +74,14 @@ BOOLEANS := $(POLDIR)/booleans.conf
ROLEMAP := $(POLDIR)/rolemap ROLEMAP := $(POLDIR)/rolemap
# install paths # install paths
TOPDIR = $(DESTDIR)/etc/selinux TOPDIR := $(DESTDIR)/etc/selinux
INSTALLDIR = $(TOPDIR)/$(NAME) INSTALLDIR := $(TOPDIR)/$(NAME)
SRCPATH = $(INSTALLDIR)/src SRCPATH := $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users USERPATH := $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts CONTEXTPATH := $(INSTALLDIR)/contexts
MODPKGDIR = $(DESTDIR)/usr/share/selinux/$(NAME) SHAREDIR := $(DESTDIR)$(PREFIX)/share/selinux
MODPKGDIR := $(SHAREDIR)/$(NAME)
HEADERDIR := $(SHAREDIR)/refpolicy/include
# compile strict policy if requested. # compile strict policy if requested.
ifneq ($(findstring strict,$(TYPE)),) ifneq ($(findstring strict,$(TYPE)),)
@ -126,6 +128,10 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon M4PARAM += -D direct_sysadm_daemon
endif endif
ifeq ($(QUIET),y)
verbose = @
endif
M4PARAM += -D hide_broken_symptoms M4PARAM += -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named # we need exuberant ctags; unfortunately it is named
@ -189,15 +195,15 @@ OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
# parse-rolemap modulename,outputfile # parse-rolemap modulename,outputfile
define parse-rolemap define parse-rolemap
$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \ $(verbose) m4 $(M4PARAM) $(ROLEMAP) | \
awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef endef
# peruser-expansion modulename,outputfile # peruser-expansion modulename,outputfile
define peruser-expansion define peruser-expansion
$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2 $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
$(call parse-rolemap,$1,$2) $(call parse-rolemap,$1,$2)
$(QUIET) echo "')" >> $2 $(verbose) echo "')" >> $2
endef endef
######################################## ########################################
@ -220,8 +226,8 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
@echo "# This is a generated file! Instead of modifying this file, the" >> $@ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@ @echo "#" >> $@
$(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in >> $@ $(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ $(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \ | m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
@ -230,7 +236,7 @@ $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/ke
@echo "# This is a generated file! Instead of modifying this file, the" >> $@ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@ @echo "#" >> $@
$(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ \ $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
######################################## ########################################
@ -241,7 +247,7 @@ conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
$(MOD_CONF) $(BOOLEANS): $(POLXML) $(MOD_CONF) $(BOOLEANS): $(POLXML)
@echo "Updating $(MOD_CONF) and $(BOOLEANS)" @echo "Updating $(MOD_CONF) and $(BOOLEANS)"
$(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML) $(verbose) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
######################################## ########################################
# #
@ -255,18 +261,18 @@ $(MOD_CONF) $(BOOLEANS): $(POLXML)
$(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML)) $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML))
@echo "Creating $@" @echo "Creating $@"
@mkdir -p tmp @mkdir -p tmp
$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(QUIET) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@ $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
$(QUIET) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@ $(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@
$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ $(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\ $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
fi fi
html: $(POLXML) html: $(POLXML)
@echo "Building html interface reference documentation in $(HTMLDIR)" @echo "Building html interface reference documentation in $(HTMLDIR)"
@mkdir -p $(HTMLDIR) @mkdir -p $(HTMLDIR)
$(QUIET) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML) $(verbose) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML)
$(QUIET) cp $(DOCTEMPLATE)/*.css $(HTMLDIR) $(verbose) cp $(DOCTEMPLATE)/*.css $(HTMLDIR)
######################################## ########################################
# #
@ -280,14 +286,14 @@ $(USERPATH)/system.users: $(M4SUPPORT) tmp/generated_definitions.conf $(USER_FIL
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users @echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users @echo "#" >> tmp/system.users
$(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \ $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \
-e '/^[[:blank:]]*($$|#)/d' >> tmp/system.users -e '/^[[:blank:]]*($$|#)/d' >> tmp/system.users
$(QUIET) install -m 644 tmp/system.users $@ $(verbose) install -m 644 tmp/system.users $@
$(USERPATH)/local.users: config/local.users $(USERPATH)/local.users: config/local.users
@mkdir -p $(USERPATH) @mkdir -p $(USERPATH)
@echo "Installing local.users" @echo "Installing local.users"
$(QUIET) install -b -m 644 $< $@ $(verbose) install -b -m 644 $< $@
######################################## ########################################
# #
@ -297,45 +303,54 @@ install-appconfig: $(APPFILES)
$(INSTALLDIR)/booleans: $(BOOLEANS) $(INSTALLDIR)/booleans: $(BOOLEANS)
@mkdir -p $(INSTALLDIR) @mkdir -p $(INSTALLDIR)
$(QUIET) sed -r -e 's/false/0/g' -e 's/true/1/g' \ $(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \
-e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > tmp/booleans -e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > tmp/booleans
$(QUIET) install -m 644 tmp/booleans $@ $(verbose) install -m 644 tmp/booleans $@
$(CONTEXTPATH)/files/media: $(APPCONF)/media $(CONTEXTPATH)/files/media: $(APPCONF)/media
@mkdir -p $(CONTEXTPATH)/files/ @mkdir -p $(CONTEXTPATH)/files/
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/default_contexts: $(APPCONF)/default_contexts $(APPDIR)/default_contexts: $(APPCONF)/default_contexts
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/removable_context: $(APPCONF)/removable_context $(APPDIR)/removable_context: $(APPCONF)/removable_context
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/default_type: $(APPCONF)/default_type $(APPDIR)/default_type: $(APPCONF)/default_type
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/initrc_context: $(APPCONF)/initrc_context $(APPDIR)/initrc_context: $(APPCONF)/initrc_context
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
$(APPDIR)/users/root: $(APPCONF)/root_default_contexts $(APPDIR)/users/root: $(APPCONF)/root_default_contexts
@mkdir -p $(APPDIR)/users @mkdir -p $(APPDIR)/users
$(QUIET) install -m 644 $< $@ $(verbose) install -m 644 $< $@
########################################
#
# Install policy headers
#
install-headers: $(DETECTED_MODS:.te=.if) $(ROLEMAP) $(M4SUPPORT) $(SUPPORT)/Makefile.devel build.conf
mkdir -p $(HEADERDIR)
$(verbose) install -m 644 $^ $(HEADERDIR)
$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/all_perms.spt
######################################## ########################################
# #
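Review bot: In the new `install-headers` target, `all_perms.spt` is written by a shell redirect straight into `$(HEADERDIR)`, so a failing `$(GENPERM)` leaves a truncated but newer file that every later header-based module build will consume, and its mode follows the umask instead of the `-m 644` given to the other headers. Generate it into the build's scratch directory and install it like the rest: `$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > tmp/all_perms.spt` followed by `$(verbose) install -m 644 tmp/all_perms.spt $(HEADERDIR)/all_perms.spt`, with an `@mkdir -p tmp` first since this target can be invoked on a clean tree. The `build.conf` copied into `$(HEADERDIR)` is not read from there by the new Makefile.devel, which does `-include build.conf` relative to the working directory, so a comment stating what the installed copy is for (presumably a template users copy next to their module) would help. `install-headers` is not a file target and belongs in `.PHONY`, if that list lives outside this hunk.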


@ -47,7 +47,7 @@ install: $(INSTPKG) $(APPFILES)
# #
load: $(INSTPKG) $(APPFILES) load: $(INSTPKG) $(APPFILES)
@echo "Loading configured modules." @echo "Loading configured modules."
$(QUIET) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod)) $(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod))
######################################## ########################################
# #
@ -56,7 +56,7 @@ load: $(INSTPKG) $(APPFILES)
$(MODPKGDIR)/%.pp: %.pp $(MODPKGDIR)/%.pp: %.pp
@mkdir -p $(MODPKGDIR) @mkdir -p $(MODPKGDIR)
@echo "Installing $(NAME) $(@F) policy package." @echo "Installing $(NAME) $(@F) policy package."
$(QUIET) install -m 0644 $^ $(MODPKGDIR) $(verbose) install -m 0644 $^ $(MODPKGDIR)
######################################## ########################################
# #
@ -65,15 +65,15 @@ $(MODPKGDIR)/%.pp: %.pp
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module" @echo "Compliling $(NAME) $(@F) module"
$(call peruser-expansion,$(basename $(@F)),$@.role) $(call peruser-expansion,$(basename $(@F)),$@.role)
$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) $(verbose) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc tmp/%.mod.fc: $(M4SUPPORT) %.fc
$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@ $(verbose) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@
%.pp: tmp/%.mod tmp/%.mod.fc %.pp: tmp/%.mod tmp/%.mod.fc
@echo "Creating $(NAME) $(@F) policy package" @echo "Creating $(NAME) $(@F) policy package"
$(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
######################################## ########################################
# #
@ -81,11 +81,11 @@ tmp/%.mod.fc: $(M4SUPPORT) %.fc
# #
$(BASE_PKG): tmp/base.mod $(BASE_FC) $(BASE_PKG): tmp/base.mod $(BASE_FC)
@echo "Creating $(NAME) base module package" @echo "Creating $(NAME) base module package"
$(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC) $(verbose) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC)
tmp/base.mod: base.conf tmp/base.mod: base.conf
@echo "Compiling $(NAME) base module" @echo "Compiling $(NAME) base module"
$(QUIET) $(CHECKMODULE) $^ -o $@ $(verbose) $(CHECKMODULE) $^ -o $@
######################################## ########################################
# #
@ -94,64 +94,64 @@ tmp/base.mod: base.conf
base.conf: $(BASE_SECTIONS) base.conf: $(BASE_SECTIONS)
@echo "Creating $(NAME) base module base.conf" @echo "Creating $(NAME) base module base.conf"
# checkpolicy can use the #line directives provided by -s for error reporting: # checkpolicy can use the #line directives provided by -s for error reporting:
$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp $(verbose) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ $(verbose) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters: # the ordering of these ocontexts matters:
$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true $(verbose) grep ^portcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true $(verbose) grep ^netifcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true $(verbose) grep ^nodecon tmp/$@.tmp >> $@ || true
tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES) tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
tmp/generated_definitions.conf: $(BASE_TE_FILES) tmp/generated_definitions.conf: $(BASE_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
# define all available object classes # define all available object classes
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@ $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates # per-userdomain templates
$(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@ $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \ $(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\ >> $@ ;\
done done
$(QUIET) echo "')" >> $@ $(verbose) echo "')" >> $@
# define foo.te # define foo.te
$(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \ $(verbose) for i in $(notdir $(BASE_TE_FILES)); do \
echo "define(\`$$i')" >> $@ ;\ echo "define(\`$$i')" >> $@ ;\
done done
$(QUIET) $(SETTUN) $(BOOLEANS) >> $@ $(verbose) $(SETTUN) $(BOOLEANS) >> $@
tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
ifeq ($(ALL_INTERFACES),) ifeq ($(ALL_INTERFACES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
tmp/all_te_files.conf: $(BASE_TE_FILES) tmp/all_te_files.conf: $(BASE_TE_FILES)
ifeq ($(BASE_TE_FILES),) ifeq ($(BASE_TE_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
$(call parse-rolemap,base,$@) $(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(BASE_POST_TE_FILES) tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
# extract attributes and put them first. extract post te stuff # extract attributes and put them first. extract post te stuff
# like genfscon and put last. portcon, nodecon, and netifcon # like genfscon and put last. portcon, nodecon, and netifcon
# is delayed since they are generated by m4 # is delayed since they are generated by m4
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true $(verbose) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf $(verbose) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf $(verbose) cat tmp/post_te_files.conf > tmp/all_post.conf
$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ $(verbose) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
< tmp/all_te_files.conf > tmp/only_te_rules.conf < tmp/all_te_files.conf > tmp/only_te_rules.conf
@ -160,7 +160,7 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
# Construct a base.fc # Construct a base.fc
# #
$(BASE_FC): tmp/$(BASE_FC).tmp $(FCSORT) $(BASE_FC): tmp/$(BASE_FC).tmp $(FCSORT)
$(QUIET) $(FCSORT) $< $@ $(verbose) $(FCSORT) $< $@
tmp/$(BASE_FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) tmp/$(BASE_FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES)
ifeq ($(BASE_FC_FILES),) ifeq ($(BASE_FC_FILES),)
@ -168,7 +168,7 @@ ifeq ($(BASE_FC_FILES),)
endif endif
@echo "Creating $(NAME) base module file contexts." @echo "Creating $(NAME) base module file contexts."
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $^ > $@ $(verbose) m4 $(M4PARAM) $^ > $@
######################################## ########################################
# #
@ -177,8 +177,8 @@ endif
enableaudit: base.conf enableaudit: base.conf
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
@echo "Removing dontaudit rules from base.conf" @echo "Removing dontaudit rules from base.conf"
$(QUIET) grep -v dontaudit base.conf > tmp/base.audit $(verbose) grep -v dontaudit base.conf > tmp/base.audit
$(QUIET) mv tmp/base.audit base.conf $(verbose) mv tmp/base.audit base.conf
######################################## ########################################
# #
@ -186,8 +186,8 @@ enableaudit: base.conf
# #
$(APPDIR)/customizable_types: base.conf $(APPDIR)/customizable_types: base.conf
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types $(verbose) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
$(QUIET) install -m 644 tmp/customizable_types $@ $(verbose) install -m 644 tmp/customizable_types $@
######################################## ########################################
# #


@ -56,7 +56,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo @echo
endif endif
$(QUIET) $(CHECKPOLICY) $^ -o $@ $(verbose) $(CHECKPOLICY) $^ -o $@
######################################## ########################################
# #
@ -70,7 +70,7 @@ ifneq ($(PV),$(KV))
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo @echo
endif endif
$(QUIET) $(CHECKPOLICY) $^ -o $@ $(verbose) $(CHECKPOLICY) $^ -o $@
######################################## ########################################
# #
@ -78,7 +78,7 @@ endif
# #
reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES) reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES)
@echo "Loading $(NAME) $(LOADPATH)" @echo "Loading $(NAME) $(LOADPATH)"
$(QUIET) $(LOADPOLICY) -q $(LOADPATH) $(verbose) $(LOADPOLICY) -q $(LOADPATH)
@touch tmp/load @touch tmp/load
######################################## ########################################
@ -88,62 +88,62 @@ reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES)
policy.conf: $(POLICY_SECTIONS) policy.conf: $(POLICY_SECTIONS)
@echo "Creating $(NAME) policy.conf" @echo "Creating $(NAME) policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting: # checkpolicy can use the #line directives provided by -s for error reporting:
$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp $(verbose) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ $(verbose) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
# the ordering of these ocontexts matters: # the ordering of these ocontexts matters:
$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true $(verbose) grep ^portcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true $(verbose) grep ^netifcon tmp/$@.tmp >> $@ || true
$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true $(verbose) grep ^nodecon tmp/$@.tmp >> $@ || true
tmp/pre_te_files.conf: $(PRE_TE_FILES) tmp/pre_te_files.conf: $(PRE_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
tmp/generated_definitions.conf: $(ALL_TE_FILES) tmp/generated_definitions.conf: $(ALL_TE_FILES)
# per-userdomain templates: # per-userdomain templates:
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@ $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ $(verbose) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\ >> $@ ;\
done done
$(QUIET) echo "')" >> $@ $(verbose) echo "')" >> $@
# define foo.te # define foo.te
$(QUIET) for i in $(notdir $(ALL_MODULES)); do \ $(verbose) for i in $(notdir $(ALL_MODULES)); do \
echo "define(\`$$i')" >> $@ ;\ echo "define(\`$$i')" >> $@ ;\
done done
$(QUIET) $(SETTUN) $(BOOLEANS) >> $@ $(verbose) $(SETTUN) $(BOOLEANS) >> $@
tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
ifeq ($(ALL_INTERFACES),) ifeq ($(ALL_INTERFACES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
tmp/all_te_files.conf: $(ALL_TE_FILES) tmp/all_te_files.conf: $(ALL_TE_FILES)
ifeq ($(ALL_TE_FILES),) ifeq ($(ALL_TE_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
$(call parse-rolemap,base,$@) $(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(POST_TE_FILES) tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@ $(verbose) cat $^ > $@
# extract attributes and put them first. extract post te stuff # extract attributes and put them first. extract post te stuff
# like genfscon and put last. portcon, nodecon, and netifcon # like genfscon and put last. portcon, nodecon, and netifcon
# is delayed since they are generated by m4 # is delayed since they are generated by m4
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true $(verbose) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf $(verbose) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf $(verbose) cat tmp/post_te_files.conf > tmp/all_post.conf
$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true $(verbose) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ $(verbose) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
< tmp/all_te_files.conf > tmp/only_te_rules.conf < tmp/all_te_files.conf > tmp/only_te_rules.conf
@ -154,17 +154,17 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
enableaudit: policy.conf enableaudit: policy.conf
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
@echo "Removing dontaudit rules from policy.conf" @echo "Removing dontaudit rules from policy.conf"
$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit $(verbose) grep -v dontaudit policy.conf > tmp/policy.audit
$(QUIET) mv tmp/policy.audit policy.conf $(verbose) mv tmp/policy.audit policy.conf
######################################## ########################################
# #
# Construct file_contexts # Construct file_contexts
# #
$(FC): tmp/$(FC).tmp $(FCSORT) $(FC): tmp/$(FC).tmp $(FCSORT)
$(QUIET) $(FCSORT) $< $@ $(verbose) $(FCSORT) $< $@
$(QUIET) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE) $(verbose) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)
$(QUIET) sed -i -e /HOME/d -e /ROLE/d $@ $(verbose) sed -i -e /HOME/d -e /ROLE/d $@
tmp/$(FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) tmp/$(FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
ifeq ($(ALL_FC_FILES),) ifeq ($(ALL_FC_FILES),)
@ -172,7 +172,7 @@ ifeq ($(ALL_FC_FILES),)
endif endif
@echo "Creating $(NAME) file_contexts." @echo "Creating $(NAME) file_contexts."
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $^ > $@ $(verbose) m4 $(M4PARAM) $^ > $@
######################################## ########################################
# #
@ -180,12 +180,12 @@ endif
# #
$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users $(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
@echo "Validating $(NAME) file_contexts." @echo "Validating $(NAME) file_contexts."
$(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC) $(verbose) $(SETFILES) -q -c $(LOADPATH) $(FC)
@echo "Installing file_contexts." @echo "Installing file_contexts."
@mkdir -p $(CONTEXTPATH)/files @mkdir -p $(CONTEXTPATH)/files
$(QUIET) install -m 644 $(FC) $(FCPATH) $(verbose) install -m 644 $(FC) $(FCPATH)
$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) $(verbose) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD) $(verbose) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
######################################## ########################################
# #
@ -199,7 +199,7 @@ checklabels: $(FCPATH) $(SETFILES)
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS) $(verbose) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)
restorelabels: $(FCPATH) $(SETFILES) restorelabels: $(FCPATH) $(SETFILES)
@echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs" @echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
@ -207,7 +207,7 @@ restorelabels: $(FCPATH) $(SETFILES)
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS) $(verbose) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)
relabel: $(FCPATH) $(SETFILES) relabel: $(FCPATH) $(SETFILES)
@echo "Relabeling filesystem types: ext2 ext3 xfs jfs" @echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
@ -215,7 +215,7 @@ relabel: $(FCPATH) $(SETFILES)
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) $(FCPATH) $(FILESYSTEMS) $(verbose) $(SETFILES) $(FCPATH) $(FILESYSTEMS)
######################################## ########################################
# #
@ -233,8 +233,8 @@ longcheck: policy.conf $(FC)
# #
$(APPDIR)/customizable_types: policy.conf $(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR) @mkdir -p $(APPDIR)
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types $(verbose) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
$(QUIET) install -m 644 tmp/customizable_types $@ $(verbose) install -m 644 tmp/customizable_types $@
######################################## ########################################
# #


@ -46,5 +46,6 @@ MONOLITHIC=y
# Enable polyinstantiated directory support. # Enable polyinstantiated directory support.
POLY=n POLY=n
# Uncomment this to disable command echoing # Set this to y to only display status messages
#QUIET:=@ # during build.
QUIET=n
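Review bot: The new comment should state that the former `QUIET:=@` spelling is no longer honored: the Makefile now tests `ifeq ($(QUIET),y)`, so a build.conf carried over from an earlier tree with `QUIET:=@` silently falls back to full command echoing rather than failing or staying quiet. Suggested wording: `# Set this to y to only display status messages during build` / `# (the older QUIET:=@ form is ignored).`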


@ -0,0 +1,140 @@
-include build.conf
# executables
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKMODULE := $(BINDIR)/checkmodule
SEMODULE := $(SBINDIR)/semodule
SEMOD_PKG := $(BINDIR)/semodule_package
# helper tools
AWK ?= gawk
INSTALL ?= install
M4 ?= m4
SED ?= sed
EINFO ?= echo
# installation paths
SHAREDIR := $(PREFIX)/share/selinux
MODPKGDIR := $(SHAREDIR)/$(NAME)
HEADERDIR := $(SHAREDIR)/refpolicy/include
# set default build options
TYPE ?= strict
NAME ?= $(TYPE)
DIRECT_INITRC ?= n
POLY ?= n
# compile strict policy if requested.
ifneq ($(findstring strict,$(TYPE)),)
M4PARAM += -D strict_policy
endif
# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
M4PARAM += -D targeted_policy
endif
# enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),)
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
ifneq ($(findstring -mcs,$(TYPE)),)
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable distribution-specific policy
ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
endif
# enable polyinstantiation
ifeq ($(POLY),y)
M4PARAM += -D enable_polyinstantiation
endif
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
ifneq ($(VERBOSE),y)
quiet := @
endif
M4PARAM += -D hide_broken_symptoms
# policy headers
m4support := $(wildcard $(HEADERDIR)/*.spt)
all_interfaces := $(wildcard $(HEADERDIR)/*.if)
rolemap := $(HEADERDIR)/rolemap
detected_mods := $(wildcard *.te)
detected_ifs := $(detected_mods:.te=.if)
all_packages := $(detected_mods:.te=.pp)
install_mods := $(MODPKGDIR)/$(all_packages)
########################################
#
# Functions
#
# parse-rolemap modulename,outputfile
define parse-rolemap
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
define peruser-expansion
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
endef
########################################
#
# Main targets
#
all: $(all_packages)
########################################
#
# Build module packages
#
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
@test -d tmp || mkdir -p tmp
$(call peruser-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(m4support) %.fc
$(verbose) $(M4) $(M4PARAM) $^ > $@
%.pp: tmp/%.mod tmp/%.mod.fc
@echo "Creating $(NAME) $(@F) policy package"
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
@test -d tmp || mkdir -p tmp
$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
########################################
#
# Clean the environment
#
clean:
rm -fR tmp
rm -f *.pp
.PHONY: clean install all default
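Review bot: `$(verbose)` is never assigned in this file — the VERBOSE switch sets `quiet := @` while every recipe in the module rules uses `$(verbose)` — so VERBOSE has no effect and commands are always echoed; change the assignment to `verbose := @` to match the recipes (and the main Makefile). Separately, `MODPKGDIR := $(SHAREDIR)/$(NAME)` is simply expanded before `TYPE ?= strict` and `NAME ?= $(TYPE)` are set, so unless NAME arrives from build.conf or the environment it resolves to `$(SHAREDIR)/`; moving the "set default build options" block above the installation paths fixes the ordering. `install_mods := $(MODPKGDIR)/$(all_packages)` prefixes only the first package name when several .te files are present; it should be `install_mods := $(addprefix $(MODPKGDIR)/,$(all_packages))`. The `tmp/all_interfaces.conf` recipe also calls bare `m4` and `sed` although `$(M4)` and `$(SED)` are defined as overridable helper tools a few lines up.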