merge makefile changes from branch

Chris PeBenito 2005-11-22 22:07:12 +00:00
parent 31b7c0551d
commit c767b14c94
6 changed files with 138 additions and 85 deletions


@ -1,3 +1,10 @@
- Fix labeling targets to use installed file_contexts rather
than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh. - Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy - Fix corenetwork gen_context()'s to expand during the policy
build phase instead of during the generation phase. build phase instead of during the generation phase.


@ -5,7 +5,12 @@ To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
This will back up a pre-existing source policy to the This will back up a pre-existing source policy to the
/etc/selinux/refpolicy/src/policy.bak directory. /etc/selinux/refpolicy/src/policy.bak directory.
After installing the policy sources, the old Make targets have been maintained: If you do not have a modules.conf, one can be generated:
make conf
This will create a default modules.conf. After installing the policy sources,
the old Make targets have been maintained for the monolithic policy:
Local policy development: Local policy development:


@ -23,7 +23,8 @@
# Policy version # Policy version
# By default, checkpolicy will create the highest # By default, checkpolicy will create the highest
# version policy it supports. Setting this will # version policy it supports. Setting this will
# override the version. # override the version. This only affects
# monolithic policies.
#OUTPUT_POLICY = 18 #OUTPUT_POLICY = 18
# Policy Type # Policy Type
@ -73,6 +74,7 @@ BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy CHECKPOLICY := $(BINDIR)/checkpolicy
CHECKMODULE := $(BINDIR)/checkmodule CHECKMODULE := $(BINDIR)/checkmodule
SEMODULE := $(SBINDIR)/semodule
SEMOD_PKG := $(BINDIR)/semodule_package SEMOD_PKG := $(BINDIR)/semodule_package
LOADPOLICY := $(SBINDIR)/load_policy LOADPOLICY := $(SBINDIR)/load_policy
SETFILES := $(SBINDIR)/setfiles SETFILES := $(SBINDIR)/setfiles
@ -119,19 +121,11 @@ INSTALLDIR = $(TOPDIR)/$(NAME)
SRCPATH = $(INSTALLDIR)/src SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts CONTEXTPATH = $(INSTALLDIR)/contexts
MODPKGDIR = $(DESTDIR)/usr/share/selinux/$(NAME)
# enable MLS if requested. # compile strict policy if requested.
ifneq ($(findstring -mls,$(TYPE)),) ifneq ($(findstring strict,$(TYPE)),)
override M4PARAM += -D enable_mls override M4PARAM += -D strict_policy
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
ifneq ($(findstring -mcs,$(TYPE)),)
override M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
endif endif
# compile targeted policy if requested. # compile targeted policy if requested.
@ -139,13 +133,27 @@ ifneq ($(findstring targeted,$(TYPE)),)
override M4PARAM += -D targeted_policy override M4PARAM += -D targeted_policy
endif endif
# enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),)
override M4PARAM += -D enable_mls
override CHECKPOLICY += -M
override CHECKMODULE += -M
endif
# enable MLS if MCS requested.
ifneq ($(findstring -mcs,$(TYPE)),)
override M4PARAM += -D enable_mcs
override CHECKPOLICY += -M
override CHECKMODULE += -M
endif
# enable distribution-specific policy # enable distribution-specific policy
ifneq ($(DISTRO),) ifneq ($(DISTRO),)
override M4PARAM += -D distro_$(DISTRO) override M4PARAM += -D distro_$(DISTRO)
endif endif
ifneq ($(OUTPUT_POLICY),) ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY) override CHECKPOLICY += -c $(OUTPUT_POLICY)
endif endif
ifeq ($(NAME),) ifeq ($(NAME),)
@ -168,14 +176,11 @@ ifeq ($(KV),)
KV := $(PV) KV := $(PV)
endif endif
FC := file_contexts
POLVER := policy.$(PV)
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt) M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
APPCONF := config/appconfig-$(TYPE) APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH) APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
@ -196,10 +201,8 @@ MODBASE := base
MODMOD := module MODMOD := module
# extract settings from modules.conf # extract settings from modules.conf
BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null))
MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
HOMEDIR_TEMPLATE = tmp/homedir_template
######################################## ########################################
# #
@ -364,14 +367,14 @@ bare: clean
rm -f $(MOD_CONF) rm -f $(MOD_CONF)
rm -f $(BOOLEANS) rm -f $(BOOLEANS)
rm -fR $(HTMLDIR) rm -fR $(HTMLDIR)
#ifneq ($(GENERATED_TE),) ifneq ($(GENERATED_TE),)
# rm -f $(GENERATED_TE) rm -f $(GENERATED_TE)
#endif endif
#ifneq ($(GENERATED_IF),) ifneq ($(GENERATED_IF),)
# rm -f $(GENERATED_IF) rm -f $(GENERATED_IF)
#endif endif
#ifneq ($(GENERATED_FC),) ifneq ($(GENERATED_FC),)
# rm -f $(GENERATED_FC) rm -f $(GENERATED_FC)
#endif endif
.PHONY: install-src install-appconfig conf html bare .PHONY: install-src install-appconfig conf html bare
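Review bot: The new `MODPKGDIR = $(DESTDIR)/usr/share/selinux/$(NAME)` puts the staging root into a path that the modular `load` rule added by this commit passes to `$(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) ...`. With DESTDIR set, `load` would therefore read packages from the staging tree, while semodule, invoked with only `-s $(NAME)`, presumably still updates the module store of the running system. If that mix is not intended, the `load` rule could refuse to run when DESTDIR is non-empty. At minimum the definition deserves a comment such as `# includes DESTDIR: 'load' inserts packages from this directory into the live module store`.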


@ -37,6 +37,19 @@ modules Compile and package all Reference Policy modules
MODULENAME.pp Compile and package the MODULENAME Reference Policy MODULENAME.pp Compile and package the MODULENAME Reference Policy
module. module.
all Compile and package the base module and all Reference
Policy modules configured to be built as loadable
modules.
install Compile, package, and install the base module and
Reference Policy modules configured to be built as
loadable modules.
load Compile, package, and install the base module and
Reference Policy modules configured to be built as
loadable modules, then insert them into the module
store.
Make targets specific to monolithic policies: Make targets specific to monolithic policies:
policy Compile a policy locally for development and testing. policy Compile a policy locally for development and testing.


@ -3,7 +3,7 @@
# Rules and Targets for building modular policies # Rules and Targets for building modular policies
# #
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS)) ALL_MODULES := $(BASE_MODS) $(MOD_MODS)
ALL_INTERFACES := $(ALL_MODULES:.te=.if) ALL_INTERFACES := $(ALL_MODULES:.te=.if)
BASE_PKG := base.pp BASE_PKG := base.pp
@ -19,6 +19,9 @@ BASE_FC_FILES := $(BASE_MODS:.te=.fc)
MOD_MODULES := $(MOD_MODS:.te=.mod) MOD_MODULES := $(MOD_MODS:.te=.mod)
MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp)) MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
# policy packages to install
INSTPKG := $(addprefix $(MODPKGDIR)/,$(BASE_PKG) $(MOD_PKGS))
# search layer dirs for source files # search layer dirs for source files
vpath %.te $(ALL_LAYERS) vpath %.te $(ALL_LAYERS)
vpath %.if $(ALL_LAYERS) vpath %.if $(ALL_LAYERS)
@ -36,9 +39,40 @@ base: $(BASE_PKG)
modules: $(MOD_PKGS) modules: $(MOD_PKGS)
#policy: $(POLVER) install: $(INSTPKG) $(APPFILES)
#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
#load: tmp/load ########################################
#
# Load all configured modules
#
load: $(INSTPKG) $(APPFILES)
@echo "Loading configured modules."
$(QUIET) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod))
########################################
#
# Install policy packages
#
$(MODPKGDIR)/%.pp: %.pp
@mkdir -p $(MODPKGDIR)
@echo "Installing $(@F) policy package."
$(QUIET) install -m 0644 $^ $(MODPKGDIR)
########################################
#
# Build module packages
#
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc
$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@
%.pp: tmp/%.mod tmp/%.mod.fc
@echo "Creating $(NAME) $(@F) policy package"
$(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
######################################## ########################################
# #
@ -48,17 +82,13 @@ $(BASE_PKG): tmp/base.mod $(BASE_FC)
@echo "Creating $(NAME) base module package" @echo "Creating $(NAME) base module package"
$(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC) $(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC)
########################################
#
# Compile a base module
#
tmp/base.mod: base.conf tmp/base.mod: base.conf
@echo "Compiling $(NAME) base module" @echo "Compiling $(NAME) base module"
$(QUIET) $(CHECKMODULE) $^ -o $@ $(QUIET) $(CHECKMODULE) $^ -o $@
######################################## ########################################
# #
# Construct a base module policy.conf # Construct a base.conf
# #
base.conf: $(BASE_SECTIONS) base.conf: $(BASE_SECTIONS)
@echo "Creating $(NAME) base module policy.conf" @echo "Creating $(NAME) base module policy.conf"
@ -125,45 +155,27 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
######################################## ########################################
# #
# Construct base module file contexts # Construct a base.fc
# #
$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT) $(BASE_FC): tmp/$(BASE_FC).tmp $(FCSORT)
$(QUIET) $(FCSORT) $< $@
tmp/$(BASE_FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES)
ifeq ($(BASE_FC_FILES),) ifeq ($(BASE_FC_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@echo "Creating $(NAME) base module file contexts." @echo "Creating $(NAME) base module file contexts."
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp $(QUIET) m4 $(M4PARAM) $^ > $@
$(QUIET) $(FCSORT) tmp/$@.tmp $@
########################################
#
# Build module packages
#
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@if test -z "$(filter $^,$(MOD_MODS))"; then \
echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
false ;\
fi
@echo "Compliling $(NAME) $(@F) module"
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc
$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@
%.pp: tmp/%.mod tmp/%.mod.fc
@echo "Creating $(NAME) $(@F) policy package"
$(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
######################################## ########################################
# #
# Clean the sources # Clean the sources
# #
clean: clean:
rm -fR tmp
rm -f base.conf rm -f base.conf
rm -f *.pp rm -f *.pp
rm -f $(BASE_FC) rm -f $(BASE_FC)
rm -fR tmp
.PHONY: default base modules clean .PHONY: default all base modules install load clean
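Review bot: The new `tmp/$(BASE_FC).tmp` rule writes its own target with `m4 $(M4PARAM) $^ > $@`, so a failing m4 leaves a truncated file that is newer than its prerequisites. Unless `.DELETE_ON_ERROR:` is set somewhere outside this diff, the next run would treat that file as up to date and `$(FCSORT) $< $@` would sort an incomplete set of file contexts into `$(BASE_FC)` and from there into the base package. Before the split the intermediate file was not a target, so a failed m4 was simply retried. Writing to a scratch name and renaming avoids this: `$(QUIET) m4 $(M4PARAM) $^ > $@.new && mv -f $@.new $@`. The same pattern appears in `tmp/%.mod.fc` in this file and in `tmp/$(FC).tmp` in the monolithic rules.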


@ -9,13 +9,13 @@ LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
# Monolithic still uses booleans file FC := file_contexts
APPFILES += $(INSTALLDIR)/booleans POLVER := policy.$(PV)
APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
# for monolithic policy use all base and module to create policy # for monolithic policy use all base and module to create policy
ENABLEMOD := $(BASE_MODS) $(MOD_MODS) ALL_MODULES := $(BASE_MODS) $(MOD_MODS)
ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
ALL_INTERFACES := $(ALL_MODULES:.te=.if) ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(ALL_MODULES) ALL_TE_FILES := $(ALL_MODULES)
@ -26,6 +26,13 @@ POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
HOMEDIR_TEMPLATE = homedir_template
# search layer dirs for source files
vpath %.te $(ALL_LAYERS)
vpath %.if $(ALL_LAYERS)
vpath %.fc $(ALL_LAYERS)
######################################## ########################################
# #
# default action: build policy locally # default action: build policy locally
@ -69,7 +76,7 @@ endif
# #
# Load the binary policy # Load the binary policy
# #
reload tmp/load: $(LOADPATH) $(FCPATH) reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES)
@echo "Loading $(NAME) $(LOADPATH)" @echo "Loading $(NAME) $(LOADPATH)"
$(QUIET) $(LOADPOLICY) -q $(LOADPATH) $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
@touch tmp/load @touch tmp/load
@ -153,16 +160,18 @@ enableaudit: policy.conf
# #
# Construct file_contexts # Construct file_contexts
# #
$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) $(FCSORT) $(FC): tmp/$(FC).tmp $(FCSORT)
$(QUIET) $(FCSORT) $< $@
$(QUIET) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)
$(QUIET) sed -i -e /HOME/d -e /ROLE/d $@
tmp/$(FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
ifeq ($(ALL_FC_FILES),) ifeq ($(ALL_FC_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif endif
@echo "Creating $(NAME) file_contexts." @echo "Creating $(NAME) file_contexts."
@test -d tmp || mkdir -p tmp @test -d tmp || mkdir -p tmp
$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp $(QUIET) m4 $(M4PARAM) $^ > $@
$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
$(QUIET) $(FCSORT) tmp/$@.tmp $@
######################################## ########################################
# #
@ -183,26 +192,29 @@ $(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
# #
FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
checklabels: $(FC) $(SETFILES) checklabels: $(FCPATH) $(SETFILES)
@echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
@if test -z "$(FILESYSTEMS)"; then \ @if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)
restorelabels: $(FC) $(SETFILES) restorelabels: $(FCPATH) $(SETFILES)
@echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
@if test -z "$(FILESYSTEMS)"; then \ @if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)
relabel: $(FC) $(SETFILES) relabel: $(FCPATH) $(SETFILES)
@echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
@if test -z "$(FILESYSTEMS)"; then \ @if test -z "$(FILESYSTEMS)"; then \
echo "No filesystems with extended attributes found!" ;\ echo "No filesystems with extended attributes found!" ;\
false ;\ false ;\
fi fi
$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS) $(QUIET) $(SETFILES) $(FCPATH) $(FILESYSTEMS)
######################################## ########################################
# #
@ -219,10 +231,11 @@ longcheck: policy.conf $(FC)
# Clean the sources # Clean the sources
# #
clean: clean:
rm -fR tmp
rm -f policy.conf rm -f policy.conf
rm -f policy.$(PV) rm -f policy.$(PV)
rm -f $(FC) rm -f $(FC)
rm -f $(HOMEDIR_TEMPLATE)
rm -f *.res rm -f *.res
rm -fR tmp
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean .PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
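Review bot: In the rewritten `$(FC)` rule the target is written first by `$(FCSORT) $< $@` and only afterwards filtered by `grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)` and `sed -i -e /HOME/d -e /ROLE/d $@`. If grep matches nothing (exit status 1) or sed fails, a `file_contexts` that still carries the HOME/ROLE template lines stays on disk and looks up to date to the next run, and `$(FCPATH)` is built from it. The earlier recipe filtered `tmp/$@.tmp` and produced `$@` as its last step. That guarantee can be restored by sorting into a scratch file, filtering the scratch file, and moving it to `$@` as the final command. `$(HOMEDIR_TEMPLATE)` is also a second output of this rule that no rule names as a target, so anything depending on it cannot be ordered reliably under `make -j`.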