root/branches/refpolicy-pms-support/README

Revision 354, 9.4 kB (checked in by rhaggerty, 1 year ago)

new refpolicy

1) Reference Policy make targets:

General Make targets:

install-src             Install the policy sources into
                        /etc/selinux/NAME/src/policy, where NAME is defined in
                        the Makefile.  If not defined, the TYPE, as defined in
                        the Makefile, is used.  The default NAME is refpolicy.
                        A pre-existing source policy will be moved to
                        /etc/selinux/NAME/src/policy.bak.

conf                    Regenerate policy.xml, and update/create modules.conf
                        and booleans.conf.  This should be done after adding
                        or removing modules, or after running the bare target.
                        If the configuration files exist, their settings will
                        be preserved.  This must be run on policy sources that
                        are checked out from the CVS repository before they can
                        be used.

clean                   Delete all temporary files, compiled policies,
                        and file_contexts.  Configuration files are left intact.

bare                    Do the clean make target and also delete configuration
                        files, web page documentation, and policy.xml.

html                    Regenerate policy.xml and create web page documentation
                        in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base                    Compile and package the base module.  This is the
                        default target for modular policies.

modules                 Compile and package all Reference Policy modules
                        configured to be built as loadable modules.

MODULENAME.pp           Compile and package the MODULENAME Reference Policy
                        module.

all                     Compile and package the base module and all Reference
                        Policy modules configured to be built as loadable
                        modules.

install                 Compile, package, and install the base module and
                        Reference Policy modules configured to be built as
                        loadable modules.

load                    Compile, package, and install the base module and
                        Reference Policy modules configured to be built as
                        loadable modules, then insert them into the module
                        store.

validate                Validate if the configured modules can successfully
                        link and expand.

install-headers         Install the policy headers into /usr/share/selinux/NAME.
                        The headers are sufficient for building a policy
                        module locally, without requiring the complete
                        Reference Policy sources.  The build.conf settings
                        for this policy configuration should be set before
                        using this target.

Make targets specific to monolithic policies:

policy                  Compile a policy locally for development and testing.
                        This is the default target for monolithic policies.

install                 Compile and install the policy and file contexts.

load                    Compile and install the policy and file contexts, then
                        load the policy.

enableaudit             Remove all dontaudit rules from policy.conf.

relabel                 Relabel the filesystem.

checklabels             Check the labels on the filesystem, and report when
                        a file would be relabeled, but do not change its label.

restorelabels           Relabel the filesystem and report each file that is
                        relabeled.


2) Reference Policy Build Options (build.conf)

TYPE                    String.  Available options are standard, mls, and mcs.
                        This optionally enables multi-level security (MLS) or
                        multi-category security (MCS) features.  This option
                        controls the enable_mls and enable_mcs policy blocks.

NAME                    String (optional).  Sets the name of the policy; the
                        NAME is used when installing files to e.g.,
                        /etc/selinux/NAME and /usr/share/selinux/NAME.  If not
                        set, the policy type (TYPE) is used.

DISTRO                  String (optional).  Enable distribution-specific policy.
                        Available options are redhat, rhel4, gentoo, debian,
                        and suse.  This option controls distro_redhat,
                        distro_rhel4, distro_gentoo, distro_debian, and
                        distro_suse policy blocks.

MONOLITHIC              Boolean.  If set, a monolithic policy is built,
                        otherwise a modular policy is built.

DIRECT_INITRC           Boolean.  If set, sysadm will be allowed to directly
                        run init scripts, instead of requiring the run_init
                        tool.  This is a build option instead of a tunable since
                        role transitions do not work in conditional policy.
                        This option controls direct_sysadm_daemon policy
                        blocks.

POLY                    Boolean.  If set, policy for polyinstantiated
                        directories will be enabled.  This option controls
                        enable_polyinstantiation policy blocks.

OUTPUT_POLICY           Integer.  Set the version of the policy created when
                        building a monolithic policy.  This option has no effect
                        on modular policy.

QUIET                   Boolean.  If set, the build system will only display
                        status messages and error messages.  This option has no
                        effect on policy.


3) Reference Policy Files and Directories
All directories relative to the root of the Reference Policy sources directory.

Makefile                General rules for building the policy.

Rules.modular           Makefile rules specific to building loadable module
                        policies.

Rules.monolithic        Makefile rules specific to building monolithic policies.

build.conf              Options which influence the building of the policy,
                        such as the policy type and distribution.

config/appconfig-*      Application configuration files for all configurations
                        of the Reference Policy (targeted/strict with or without
                        MLS or MCS).  These are used by SELinux-aware programs.

config/local.users      The file read by load_policy for adding SELinux users
                        to the policy on the fly.

doc/html/*              This contains the contents of the in-policy XML
                        documentation, presented in web page form.

doc/policy.dtd          The doc/policy.xml file is validated against this DTD.

doc/policy.xml          This file is generated/updated by the conf and html make
                        targets.  It contains the complete XML documentation
                        included in the policy.

doc/templates/*         Templates used for documentation web pages.

policy/booleans.conf    This file is generated/updated by the conf make target.
                        It contains the booleans in the policy, and their
                        default values.  If tunables are implemented as
                        booleans, tunables will also be included.  This file
                        will be installed as the /etc/selinux/NAME/booleans
                        file.

policy/constraints      This file defines additional constraints on permissions
                        in the form of boolean expressions that must be
                        satisfied in order for specified permissions to be
                        granted.  These constraints are used to further refine
                        the type enforcement rules and the role allow rules.
                        Typically, these constraints are used to restrict
                        changes in user identity or role to certain domains.

policy/global_booleans  This file defines all booleans that have a global scope,
                        their default value, and documentation.

policy/global_tunables  This file defines all tunables that have a global scope,
                        their default value, and documentation.

policy/flask/initial_sids  This file has declarations for each initial SID.

policy/flask/security_classes  This file has declarations for each security class.

policy/flask/access_vectors  This file defines the access vectors.  Common
                        prefixes for access vectors may be defined at the
                        beginning of the file.  After the common prefixes are
                        defined, an access vector may be defined for each
                        security class.

policy/mcs              The multi-category security (MCS) configuration.

policy/mls              The multi-level security (MLS) configuration.

policy/modules/*        Each directory represents a layer in Reference Policy;
                        all of the modules are contained in one of these layers.

policy/modules.conf     This file contains a listing of available modules, and
                        how they will be used when building Reference Policy.  To
                        prevent a module from being used, set the module to
                        "off".  For monolithic policies, modules set to "base"
                        and "module" will be included in the policy.  For
                        modular policies, modules set to "base" will be included
                        in the base module; those set to "module" will be
                        compiled as individual loadable modules.

policy/rolemap          This file contains the prefix and user domain type that
                        correspond to each user role.  The contents of this
                        file will be used to expand the per-user domain
                        templates for each module.

policy/support/*        Support macros.

policy/users            This file defines the users included in the policy.

support/*               Tools used in the build process.

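The make targets in section 1, the build.conf options in section 2 and the
modules.conf states described above are the pieces of one procedure: write
build.conf, run the conf target to regenerate the configuration files, turn
off the modules you do not want, validate, then install and load.  The script
below is an added example of that procedure; it is not part of the Reference
Policy sources.  It assumes a modular MCS build named refpolicy on a Red Hat
style distribution and that a module called games exists in the checked-out
tree; the set_module_state and module_state helpers are the example's own
and only edit lines of the form "name = state".

```shell
#!/bin/sh
# Added example, not from the Reference Policy sources: drive a build from a
# fresh source checkout and switch individual modules off in modules.conf.
# Assumed (not stated by the README): MCS modular policy named refpolicy,
# DISTRO=redhat, and a "games" module present in policy/modules.conf.
set -eu

# set_module_state FILE MODULE STATE
# Rewrite "MODULE = ..." in a modules.conf to base, module or off.  Only the
# named module's line changes; comments and other modules are copied through.
# Returns 1 for an unknown state or a module that is not listed in FILE.
set_module_state() {
    file="$1"; mod="$2"; state="$3"
    case "$state" in
        base|module|off) ;;
        *) echo "set_module_state: bad state '$state'" >&2; return 1 ;;
    esac
    grep -q "^$mod = " "$file" || { echo "set_module_state: $mod not in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v m="$mod" -v s="$state" '
        $1 == m && $2 == "=" { print m " = " s; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# module_state FILE MODULE: print MODULE's current state (base, module or off)
module_state() {
    awk -v m="$2" '$1 == m && $2 == "=" { print $3 }' "$1"
}

# build_refpolicy SRC: build.conf -> conf -> edit modules.conf -> validate -> load
# Needs root for the install and load steps.
build_refpolicy() {
    src="$1"
    # build.conf uses make-style assignments; these values are this example's
    # choices, see section 2 for the meaning of each option.
    cat > "$src/build.conf" <<'EOF'
TYPE = mcs
NAME = refpolicy
DISTRO = redhat
MONOLITHIC = n
DIRECT_INITRC = n
POLY = n
QUIET = y
EOF
    # conf must run on a fresh checkout: it creates modules.conf and
    # booleans.conf and regenerates policy.xml, keeping existing settings.
    make -C "$src" conf
    # Do not build the (assumed) games module at all.
    set_module_state "$src/policy/modules.conf" games off
    # Check that the configured modules still link and expand before
    # installing anything.
    make -C "$src" validate
    # Compile, package, install and insert into the module store.
    make -C "$src" load
}

# Usage: sh build-refpolicy.sh build /path/to/refpolicy
if [ "${1:-}" = "build" ]; then
    build_refpolicy "${2:-.}"
fi
```

Run validate before load every time modules.conf changes: a module set to
"off" that another module's interface still depends on fails at link time,
and it is cheaper to see that here than after a half-installed policy.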

4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution.  Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, place a .te file in a
directory.  A sample Makefile to use in the directory is the
Makefile.example in the doc directory.  This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
must have a metadata.xml file which is an XML file with a summary tag and
optional desc (long description) tag.  This should describe the purpose of
the layer.

Metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp           Compile and package the MODULENAME local module.

all                     Compile and package the modules in the current
                        directory.

load                    Compile and package the modules in the current
                        directory, then insert them into the module store.

refresh                 Attempts to reinsert all modules that are currently
                        in the module store from the local and system module
                        packages.

xml                     Build a policy.xml from the XML included with the
                        base policy headers and any XML in the modules in
                        the current directory.
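As an added example of the local-module workflow described in this section
(not code from the Reference Policy project): scaffold a minimal module in its
own directory and build it with the headers Makefile called through make -f.
It assumes NAME is refpolicy, so the headers Makefile is
/usr/share/selinux/refpolicy/Makefile; that the module is named mydaemon and
confines /usr/local/sbin/mydaemon; and that the interfaces it calls
(init_daemon_domain, files_read_etc_files, logging_send_syslog_msg,
miscfiles_read_localization) are present in the installed headers.  The
write_module, build_module and module_loaded helpers are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Reference Policy sources: create a local
# policy module (.te, .fc, .if) and build it against installed refpolicy
# headers.  Assumed: NAME=refpolicy, module "mydaemon" for
# /usr/local/sbin/mydaemon.
set -eu

HEADERS_MAKEFILE="${HEADERS_MAKEFILE:-/usr/share/selinux/refpolicy/Makefile}"

# write_module DIR MOD EXEC: write DIR/MOD.te, DIR/MOD.fc and DIR/MOD.if.
# The .te starts from the smallest set of rights a daemon needs; grow it from
# audit denials rather than granting broad access up front.
write_module() {
    dir="$1"; mod="$2"; exe="$3"
    mkdir -p "$dir"
    cat > "$dir/$mod.te" <<EOF
policy_module($mod, 1.0.0)

########################################
#
# Declarations
#

type ${mod}_t;
type ${mod}_exec_t;
init_daemon_domain(${mod}_t, ${mod}_exec_t)

########################################
#
# Local policy
#

files_read_etc_files(${mod}_t)
logging_send_syslog_msg(${mod}_t)
miscfiles_read_localization(${mod}_t)
EOF
    # File context: label the executable so init's transition into
    # ${mod}_t fires when the daemon is started.
    cat > "$dir/$mod.fc" <<EOF
$exe -- gen_context(system_u:object_r:${mod}_exec_t,s0)
EOF
    # An interface file is optional but lets other modules call into this one;
    # the summary is also what the xml target picks up for policy.xml.
    cat > "$dir/$mod.if" <<EOF
## <summary>Local policy for the $mod daemon.</summary>
EOF
}

# build_module DIR MOD: compile, package and insert DIR/MOD.pp via the headers
# Makefile (the "load" target).  Needs root for the insert step.
build_module() {
    dir="$1"; mod="$2"
    [ -r "$HEADERS_MAKEFILE" ] || {
        echo "refpolicy headers not installed: $HEADERS_MAKEFILE missing" >&2
        return 1
    }
    make -C "$dir" -f "$HEADERS_MAKEFILE" "$mod.pp"
    make -C "$dir" -f "$HEADERS_MAKEFILE" load
    module_loaded "$mod"
}

# module_loaded MOD: succeed if MOD appears in the module store
module_loaded() {
    semodule -l | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Usage: sh local-module.sh build
if [ "${1:-}" = "build" ]; then
    write_module ./mydaemon mydaemon /usr/local/sbin/mydaemon
    build_module ./mydaemon mydaemon
fi
```

After a successful load, run the restorelabels/relabel step from section 1 (or
restorecon on the executable) so the new file context actually applies;
until the binary carries mydaemon_exec_t, init will keep running it
unconfined in its own domain.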