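########################################
#
# Rules and Targets for building modular policies
#
# Included from the top-level Makefile, which provides the tool and
# layout variables used here (M4, M4PARAM, CHECKMODULE, SEMOD_PKG,
# SEMOD_LNK, SEMOD_EXP, SEMODULE, INSTALL, GREP, SED, SORT, verbose,
# tmpdir, builddir, modpkgdir, appdir, poldir, ...) and the templates
# expanded with $(call ...): perrole-expansion, create-base-per-role-tmpl
# and parse-rolemap.
#

# A failed m4/checkmodule/semodule_package must not leave a truncated
# .conf/.mod/.pp behind that looks up to date on the next run.
.DELETE_ON_ERROR:

all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)

base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
base_conf := $(builddir)base.conf
base_mod := $(tmpdir)/base.mod
users_extra := $(tmpdir)/users_extra

# sections concatenated, in this order, into base.conf
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs
base_te_files := $(base_mods)
base_post_te_files := $(user_files) $(poldir)/constraints
base_fc_files := $(base_mods:.te=.fc)

# loadable module packages, built under $(builddir)
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))

# policy packages to install (only the basename lives under $(modpkgdir);
# the $(builddir) prefix of mod_pkgs must be stripped like base_pkg's)
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg) $(mod_pkgs)))

# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)

# broken in make 3.81:
#.SECONDARY:

########################################
#
# default action: create all module packages
#
default: policy

all policy: base modules

base: $(base_pkg)

modules: $(mod_pkgs)

install: $(instpkg) $(appfiles)

########################################
#
# Load all configured modules
#
load: $(instpkg) $(appfiles)
# make sure two directories exist since they are not
# created by semanage
	@mkdir -p $(policypath) $(dir $(fcpath))
	@echo "Loading configured modules."
	$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(notdir $(mod)))

########################################
#
# Install policy packages
#
$(modpkgdir)/%.pp: $(builddir)%.pp
	@mkdir -p $(modpkgdir)
	@echo "Installing $(NAME) $(@F) policy package."
	$(verbose) $(INSTALL) -m 0644 $< $@

########################################
#
# Build module packages
#
# %.te -> %.mod: m4-expand the module with the generated definitions and
# every interface file, then compile it with checkmodule -m.
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
	@echo "Compiling $(NAME) $(@F) module"
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(call perrole-expansion,$(basename $(@F)),$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@

# %.fc -> %.mod.fc: m4-expanded file contexts for the module
$(tmpdir)/%.mod.fc: $(m4support) %.fc
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@

# %.mod + %.mod.fc -> %.pp
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
	@echo "Creating $(NAME) $(@F) policy package"
	@test -d $(builddir) || mkdir -p $(builddir)
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc

########################################
#
# Create a base module package
#
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
	@echo "Creating $(NAME) base module package"
	@test -d $(builddir) || mkdir -p $(builddir)
	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers

$(base_mod): $(base_conf)
	@echo "Compiling $(NAME) base module"
	$(verbose) $(CHECKMODULE) $^ -o $@

# keep only the seusers mapping lines m4 produces (drop blank/comment output)
$(tmpdir)/seusers: $(seusers)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@

# extra user declarations for the base package, one "user ..." line each
$(users_extra): $(m4support) $(user_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
	$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@

########################################
#
# Construct a base.conf
#
$(base_conf): $(base_sections)
	@echo "Creating $(NAME) base module $(@F)"
	@test -d $(@D) || mkdir -p $(@D)
	$(verbose) cat $^ > $@

$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/generated_definitions.conf: $(base_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
	$(verbose) $(genperm) $(avs) $(secclass) > $@
	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
# booleans file is optional; its absence is not a build failure
	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# Expand every interface file once; iferror.m4 makes m4 exit non-zero if
# any interface set __if_error.  The .tmp is truncated (not appended) so
# a rebuild does not accumulate stale copies of the interfaces.
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4
	@echo "divert(-1)" > $@
	$(verbose) $(M4) $^ $(tmpdir)/iferror.m4 > $(tmpdir)/$(@F).tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	@echo "divert" >> $@

$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/rolemap.conf: $(rolemap)
# this rule has no $(tmpdir) prerequisite of its own, so under make -j it
# may run before any sibling has created the directory
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) echo "" > $@
	$(call parse-rolemap,base,$@)

$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
ifeq "$(strip $(base_te_files))" ""
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
#
# The three sections are derived independently from all_te_files.conf,
# so each gets its own rule: a single "a b c: ..." header would define
# three separate rules that all run the whole recipe, racing under make -j.
$(tmpdir)/all_attrs_types.conf: $(tmpdir)/all_te_files.conf
	$(verbose) $(get_type_attr_decl) $< | $(SORT) > $@

$(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
	$(verbose) cat $(tmpdir)/post_te_files.conf > $@
# these have to run individually because order matters:
# (|| true: a section with no matching statements is not an error)
	$(verbose) $(GREP) '^sid ' $< >> $@ || true
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $< >> $@ || true
	$(verbose) $(GREP) ^genfscon $< >> $@ || true
	$(verbose) $(GREP) ^portcon $< >> $@ || true
	$(verbose) $(GREP) ^netifcon $< >> $@ || true
	$(verbose) $(GREP) ^nodecon $< >> $@ || true

$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
	$(verbose) $(comment_move_decl) $< > $@

########################################
#
# Construct a base.fc
#
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
	$(verbose) $(fcsort) $< $@

$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
ifeq ($(base_fc_files),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) base module file contexts."
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

########################################
#
# Remove the dontaudit rules from the base.conf
#
# Rewrites $(base_conf) in place (via a temp file in $(tmpdir)), so the
# next "make base" produces a base module in which denials normally
# silenced by dontaudit are logged.  It is a command, not a file, and is
# therefore declared .PHONY below.
enableaudit: $(base_conf)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "Removing dontaudit rules from $(^F)"
	$(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit
	$(verbose) mv $(tmpdir)/base.audit $(base_conf)

########################################
#
# Appconfig files
#
# list of customizable types: the name following "type" on every
# declaration that carries the customizable attribute
$(appdir)/customizable_types: $(base_conf)
	@mkdir -p $(appdir)
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@

########################################
#
# Validate linking and expanding of modules
#
validate: $(base_pkg) $(mod_pkgs)
	@echo "Validating policy linking."
	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
	@echo "Success."

########################################
#
# Clean the sources
#
clean:
	rm -f $(base_conf)
	rm -f $(base_fc)
	rm -f $(builddir)*.pp
	rm -f $(net_contexts)
# never let an unset tmpdir turn this into an unbounded recursive rm
	rm -fR $(if $(strip $(tmpdir)),$(tmpdir),$(error tmpdir is not set; refusing to run rm -fR))

.PHONY: default all policy base modules install load enableaudit clean validate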