# # Makefile for the security policy. # # Targets: # # install - compile and install the policy configuration, and context files. # load - compile, install, and load the policy configuration. # reload - compile, install, and load/reload the policy configuration. # relabel - relabel filesystems based on the file contexts configuration. # policy - compile the policy configuration locally for testing/development. # # The default target is 'install'. # # Set to y if MLS is enabled in the policy. MLS=n FLASKDIR = flask/ PREFIX = /usr BINDIR = $(PREFIX)/bin SBINDIR = $(PREFIX)/sbin LOADPOLICY = $(SBINDIR)/load_policy CHECKPOLICY = $(BINDIR)/checkpolicy GENHOMEDIRCON = $(SBINDIR)/genhomedircon SETFILES = $(SBINDIR)/setfiles VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') KERNVERS := $(shell cat /selinux/policyvers) POLICYVER := policy.$(VERS) TOPDIR = $(DESTDIR)/etc/selinux ifeq ($(MLS),y) TYPE=mls else TYPE=strict endif INSTALLDIR = $(TOPDIR)/$(TYPE) POLICYPATH = $(INSTALLDIR)/policy SRCPATH = $(INSTALLDIR)/src USERPATH = $(INSTALLDIR)/users CONTEXTPATH = $(INSTALLDIR)/contexts LOADPATH = $(POLICYPATH)/$(POLICYVER) FCPATH = $(CONTEXTPATH)/files/file_contexts HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te) ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te) ALL_TYPES := $(wildcard types/*.te) ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te TE_RBAC_FILES := $(ALLTEFILES) rbac ALL_TUNABLES := $(wildcard tunables/*.tun ) USER_FILES := users POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) ifeq ($(MLS),y) POLICYFILES += mls CHECKPOLMLS += -M endif DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) POLICYFILES += $(USER_FILES) POLICYFILES += constraints POLICYFILES += $(DEFCONTEXTFILES) CONTEXTFILES = $(DEFCONTEXTFILES) POLICY_DIRS = domains/program domains/misc UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te) FC = file_contexts/file_contexts HOMEDIR_TEMPLATE = file_contexts/homedir_template FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc) CONTEXTFILES += $(FCFILES) APPDIR=$(CONTEXTPATH) APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media ROOTFILES = $(addprefix $(APPDIR)/users/,root) all: policy tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) @echo "Validating file_contexts ..." $(SETFILES) -q -c $(LOADPATH) $(FCPATH) @touch tmp/valid_fc install: tmp/valid_fc $(USERPATH)/local.users $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf @mkdir -p $(USERPATH) @echo "# " > tmp/system.users @echo "# Do not edit this file. " >> tmp/system.users @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users @echo "# Please edit local.users to make local changes." >> tmp/system.users @echo "#" >> tmp/system.users m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users install -m 644 tmp/system.users $@ $(USERPATH)/local.users: local.users @mkdir -p $(USERPATH) install -C -b -m 644 $< $@ $(CONTEXTPATH)/files/media: appconfig/media mkdir -p $(CONTEXTPATH)/files/ install -m 644 $< $@ $(APPDIR)/default_contexts: appconfig/default_contexts mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/removable_context: appconfig/removable_context mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/customizable_types: policy.conf mkdir -p $(APPDIR) @grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types install -m 644 tmp/customizable_types $@ $(APPDIR)/default_type: appconfig/default_type mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/userhelper_context: appconfig/userhelper_context mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/initrc_context: appconfig/initrc_context mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/failsafe_context: appconfig/failsafe_context mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/dbus_contexts: appconfig/dbus_contexts mkdir -p $(APPDIR) install -m 644 $< $@ $(APPDIR)/users/root: appconfig/root_default_contexts mkdir -p $(APPDIR)/users install -m 644 $< $@ $(LOADPATH): policy.conf $(CHECKPOLICY) mkdir -p $(POLICYPATH) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf ifneq ($(MLS),y) ifneq ($(VERS),18) $(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf endif endif # Note: Can't use install, so not sure how to deal with mode, user, and group # other than by default. policy: $(POLICYVER) $(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf ifneq ($(MLS),y) ifneq ($(VERS),18) $(CHECKPOLICY) -c 18 -o policy.18 policy.conf endif endif @echo "Validating file_contexts ..." $(SETFILES) -q -c $(POLICYVER) $(FC) reload tmp/load: $(FCPATH) $(LOADPATH) ifeq ($(VERS), $(KERNVERS)) $(LOADPOLICY) $(LOADPATH) else $(LOADPOLICY) $(POLICYPATH)/policy.18 endif touch tmp/load load: tmp/load enableaudit: policy.conf grep -v dontaudit policy.conf > policy.audit mv policy.audit policy.conf policy.conf: $(POLICYFILES) $(POLICY_DIRS) mkdir -p tmp m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp mv $@.tmp $@ install-src: rm -rf $(SRCPATH)/policy.old -mv $(SRCPATH)/policy $(SRCPATH)/policy.old mkdir -p $(SRCPATH)/policy cp -R . $(SRCPATH)/policy tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program mkdir -p tmp ( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp mv $@.tmp $@ FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';` checklabels: $(SETFILES) $(SETFILES) -v -n $(FC) $(FILESYSTEMS) restorelabels: $(SETFILES) $(SETFILES) -v $(FC) $(FILESYSTEMS) relabel: $(FC) $(SETFILES) $(SETFILES) $(FC) $(FILESYSTEMS) file_contexts/misc: mkdir -p file_contexts/misc $(FCPATH): $(FC) $(USERPATH)/system.users @mkdir -p $(CONTEXTPATH)/files install -m 644 $(FC) $(FCPATH) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd @echo "Building file_contexts ..." @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp @grep -v -e HOME -e ROLE $@.tmp > $@ @grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE) @-rm $@.tmp # Create a tags-file for the policy: # we need exuberant ctags; unfortunately it is named differently on different distros, sigh... pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme ifeq ($(strip $(CTAGS)),) CTAGS := $(call pathsearch,ctags) # suse naming scheme endif tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te) @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) @LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \ --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \ --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \ --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^ clean: rm -f policy.conf $(POLICYVER) policy.18 rm -f tags rm -f tmp/* rm -f $(FC) rm -f flask/*.h # for the policy regression tester find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \ # Policy regression tester. # Written by Colin Walters <walters@debian.org> cur_te = $(filter-out %/,$(subst /,/ ,$@)) TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES)) define compute_depends export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //') endef ifeq ($(TE_DEPENDS_DEFINED),) ifeq ($(MAKECMDGOALS),check-all) GENRULES := $(TESTED_TE_FILES) export TE_DEPENDS_DEFINED := yes else # Handle the case where checkunused/blah.te is run directly. ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),) GENRULES := $(TESTED_TE_FILES) export TE_DEPENDS_DEFINED := yes endif endif endif # Test for a new enough version of GNU Make. $(eval have_eval := yes) ifneq ($(GENRULES),) ifeq ($(have_eval),) $(error Need GNU Make 3.80 or better!) Need GNU Make 3.80 or better endif endif $(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f)))) PHONIES := define compute_presymlinks PHONIES += presymlink/$(1) presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1))) @if ! test -L domains/program/$(1); then \ cd domains/program && ln -s unused/$(1) .; \ fi endef # Compute dependencies. $(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f)))) PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : @$(MAKE) -s clean $(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/% @if test -n "$(TE_DEPENDS_$(cur_te))"; then \ echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \ fi @echo "Testing $(cur_te)..."; @if ! make -s policy 1>/dev/null; then \ echo "Testing $(cur_te)...FAILED"; \ exit 1; \ fi; @echo "Testing $(cur_te)...success."; \ check-all: @for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \ $(MAKE) --no-print-directory $$goal; \ done .PHONY: clean $(PHONIES) mlsconvert: @for file in $(CONTEXTFILES); do \ echo "Converting $$file"; \ sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \ mv $$file.new $$file; \ done @for file in $(USER_FILES); do \ echo "Converting $$file"; \ sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \ mv $$file.new $$file; \ done @sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts @echo "Done"