root/archive/mls/Makefile

Revision 1056, 11.5 kB (checked in by cpebenito, 3 years ago)

add fc mls policy

1 #
2 # Makefile for the security policy.
3 #
4 # Targets:
5 #
6 # install - compile and install the policy configuration, and context files.
7 # load    - compile, install, and load the policy configuration.
8 # reload  - compile, install, and load/reload the policy configuration.
9 # relabel - relabel filesystems based on the file contexts configuration.
10 # policy  - compile the policy configuration locally for testing/development.
11 #
12 # The default target is 'install'.
13 #
14
# Set to y if MLS is enabled in the policy.
MLS=y

# Set to y if MCS is enabled in the policy
MCS=n

# Where the SELinux userspace tools live.  PREFIX (and DESTDIR, below) are
# meant to be overridden on the make command line.
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY  = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
# Policy version emitted by the installed checkpolicy.  Evaluated once at parse
# time, so checkpolicy must be present even for targets that never compile.
# POLICYCOMPAT is not set anywhere in this file (passed through if given).
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
# Older policy version that the $(LOADPATH) rule additionally compiles when it
# differs from VERS.
PREVERS := 20
# Read from selinuxfs at parse time.  Neither variable is referenced anywhere
# else in this file, and the cat prints an error when /selinux is not mounted.
KERNVERS := $(shell cat /selinux/policyvers)
MLSENABLED := $(shell cat /selinux/mls)
# Name of the compiled binary policy, e.g. policy.20
POLICYVER := policy.$(VERS)
# DESTDIR is empty by default; set it for staged installs.
TOPDIR = $(DESTDIR)/etc/selinux
TYPE=mls
36
# Installed layout under $(TOPDIR)/$(TYPE).
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
# Full path of the installed binary policy (what load_policy loads).
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

# Policy source inventory.  All wildcards here are expanded at parse time
# (":="), so files added during a run are not picked up until the next make.
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
# Order matters for m4: attributes first, generated per-domain flags, macros,
# types, domains, and the assertions last.
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
USER_FILES := users
# Everything fed to m4 to produce policy.conf, in checkpolicy's expected order:
# flask definitions, optional mls/mcs section, tunables + TE/RBAC, users,
# constraints, then the default context files.
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
# MCS is built on the MLS machinery, so it also needs checkpolicy -M.
ifeq ($(MCS), y)
POLICYFILES += mcs
CHECKPOLMLS += -M
endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
# CONTEXTFILES is the list rewritten by mlsconvert/mcsconvert; it is a
# recursive ("=") variable, so the wildcards appended below are re-expanded
# every time it is used.
CONTEXTFILES = $(DEFCONTEXTFILES)
# Directories that are prerequisites of policy.conf, so adding/removing a .te
# file triggers a rebuild.
POLICY_DIRS = domains domains/program domains/misc macros macros/program

# Domains not built by default; exercised by the regression tester below.
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

FC = file_contexts/file_contexts
HOMEDIR_TEMPLATE = file_contexts/homedir_template
# Every domains/program/X.te is expected to have a file_contexts/program/X.fc.
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)

# Application configuration files installed next to the contexts.
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media

# Per-user default contexts (only root is shipped).
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
83
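# Default goal: compile the policy locally without installing anything.  The
# header comment names 'install' as the default, but this is the first rule,
# so a bare 'make' builds 'policy'.
.PHONY: all
all:  policy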
85
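# Stamp file: check the contexts in $(FC) against the freshly compiled binary
# policy (setfiles -c) so bad labels are caught before anything is installed.
# Creates tmp/ itself and touches $@ (not a hard-coded name) on success.
tmp/valid_fc: $(LOADPATH) $(FC)
	@echo "Validating file contexts files ..."
	@mkdir -p $(@D)
	$(SETFILES) -q -c $(LOADPATH) $(FC)
	@touch $@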
90
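# Compile and install everything: file contexts (which pulls in the compiled
# policy, system.users and the generated type lists), the appconfig files,
# root's default contexts and the admin-editable local.users.
.PHONY: install
install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users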
92
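# Generate the system users file: a do-not-edit header followed by the m4
# expansion of the tunables, per-domain flags and $(USER_FILES), with m4's
# own comment lines dropped.  $(M4PARAM) is passed for consistency with the
# policy.conf and $(FC) rules, so user -D defines apply here as well.
# Note: the m4 | grep pipeline reports only grep's exit status.
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
	@mkdir -p $(USERPATH)
	@mkdir -p tmp
	@echo "# " > tmp/system.users
	@echo "# Do not edit this file. " >> tmp/system.users
	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
	@echo "# Please edit local.users to make local changes." >> tmp/system.users
	@echo "#" >> tmp/system.users
	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
	install -m 644 tmp/system.users $@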
102
# Install the admin-editable users file.  install -b keeps a backup of an
# existing copy, so local edits survive a reinstall.
$(USERPATH)/local.users: local.users
	@mkdir -p $(@D)
	install -b -m 644 $< $@
106
# Removable-media context list, installed beside the file contexts.
$(CONTEXTPATH)/files/media: appconfig/media
	@mkdir -p $(@D)
	install -m 644 $< $@
110
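# Application configuration files copied unchanged from appconfig/ into
# $(APPDIR).  A single static pattern rule replaces seven identical per-file
# rules; an unlisted target deliberately fails instead of matching silently.
APPCONFIG_COPIES := $(addprefix $(APPDIR)/,default_contexts removable_context default_type userhelper_context initrc_context failsafe_context dbus_contexts)

$(APPCONFIG_COPIES): $(APPDIR)/%: appconfig/%
	@mkdir -p $(@D)
	install -m 644 $< $@

# Types carrying the "customizable" attribute, extracted from policy.conf
# 'type NAME, attr, ...;' lines: keep the text before the first comma, then
# the second word (the type name).  Staged in tmp/ so a failed grep never
# leaves a partial file under $(APPDIR).
$(APPDIR)/customizable_types: policy.conf
	@mkdir -p $(APPDIR)
	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
	install -m 644 tmp/customizable_types $@

# Same extraction for types carrying the port_type attribute.
$(APPDIR)/port_types: policy.conf
	@mkdir -p $(APPDIR)
	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
	install -m 644 tmp/port_types $@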
148
# Default contexts for root logins, installed under contexts/users/.
$(APPDIR)/users/root: appconfig/root_default_contexts
	@mkdir -p $(@D)
	install -m 644 $< $@
152
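# Compile policy.conf into the installed binary policy.  Each output is
# written to a .tmp name and renamed only after checkpolicy succeeds, so a
# failed or interrupted compile never leaves a truncated policy file that a
# later run would consider up to date (and that load_policy would pick up).
$(LOADPATH): policy.conf $(CHECKPOLICY)
	@echo "Compiling policy ..."
	@mkdir -p $(POLICYPATH)
	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@.tmp policy.conf && mv -f $@.tmp $@
# Parse-time conditional: when the toolchain's version differs from PREVERS,
# also emit the PREVERS format, presumably for kernels that cannot load VERS.
ifneq ($(VERS),$(PREVERS))
	$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS).tmp policy.conf && mv -f $(POLICYPATH)/policy.$(PREVERS).tmp $(POLICYPATH)/policy.$(PREVERS)
endif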
160
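# Note: Can't use install, so not sure how to deal with mode, user, and group
#       other than by default.

# Compile the policy locally into ./$(POLICYVER) for testing/development;
# nothing under $(INSTALLDIR) is touched.
.PHONY: policy
policy: $(POLICYVER)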
165
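# Local build of the binary policy plus validation of the file contexts
# against it.  The binary is compiled to $@.tmp and validated there, and only
# renamed to $@ once setfiles -c passes; previously a failed validation left
# a freshly written $@ that the next run treated as up to date.
$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@.tmp policy.conf
	@echo "Validating file contexts files ..."
	$(SETFILES) -q -c $@.tmp $(FC)
	@mv -f $@.tmp $@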
170
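# Load the installed policy into the kernel.  'reload' is the user-facing
# (phony) name; tmp/load is a stamp recording the last load, used by the
# 'load' target to avoid reloading when nothing changed.  The recipe touches
# tmp/load even when invoked as 'reload'.  Note that $(LOADPATH) is not
# passed to load_policy; it locates the policy on its own.
.PHONY: reload
reload tmp/load: $(LOADPATH)
	@echo "Loading Policy ..."
	$(LOADPOLICY)
	@mkdir -p tmp
	touch tmp/load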
175
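# Compile, install and load the policy.  Pulls in only the compiled policy
# (via tmp/load) and whatever $(FCPATH) depends on; unlike 'install', the
# $(APPFILES), $(ROOTFILES) and local.users are not installed.
.PHONY: load
load: tmp/load $(FCPATH)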
177
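# Development aid: drop every line mentioning dontaudit from policy.conf so
# the normally suppressed denials appear in the audit log.  policy.conf is
# rewritten in place and its mtime advances, so the next 'make policy'
# compiles the stripped file; 'make clean' (or a newer source) regenerates
# the original.
.PHONY: enableaudit
enableaudit: policy.conf
	grep -v dontaudit $< > policy.audit && mv policy.audit $<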
181
# Assemble the single policy.conf that checkpolicy reads: every file in
# $(POLICYFILES), in order, through one m4 run with macros/ on the include
# path (-s adds synclines).  Output goes to $@.tmp and is renamed only when
# m4 succeeded.  The $(POLICY_DIRS) directories are prerequisites so that a
# .te file appearing or disappearing also triggers a rebuild.
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
	@mkdir -p tmp
	@echo "Building policy.conf ..."
	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
	@mv $@.tmp $@
187
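# Copy the entire working tree (cp -R ., i.e. including tmp/ and any compiled
# policy files) to $(SRCPATH)/policy, keeping the previous copy as policy.old.
# The old copy is moved only if it exists, instead of ignoring mv's error.
.PHONY: install-src
install-src:
	rm -rf $(SRCPATH)/policy.old
	@if test -e $(SRCPATH)/policy; then mv $(SRCPATH)/policy $(SRCPATH)/policy.old; fi
	@mkdir -p $(SRCPATH)/policy
	cp -R . $(SRCPATH)/policy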
193
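# Emit one m4 define(`NAME.te') per file in domains/program/ and
# domains/misc/, presumably so macros and other .te files can test whether a
# given domain is part of this build.  domains/misc is listed as a
# prerequisite too, since the recipe reads it.  cd is joined with && so a
# missing directory fails the rule instead of looping in the wrong place.
tmp/program_used_flags.te: $(wildcard domains/program/*.te domains/misc/*.te) domains/program domains/misc
	@mkdir -p $(@D)
	( cd domains/program/ && for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
	( cd domains/misc/ && for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
	mv $@.tmp $@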
199
# Mounted, writable ext2/ext3/xfs/jfs/reiserfs filesystems to relabel.  The
# backquotes are evaluated by the shell when a recipe uses the variable (not
# by make), excluding filesystems mounted with a context= option and bind
# mounts; $$3 is the mount point column of mount's output.
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
201
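# Report (setfiles -n: do not change anything) files whose labels differ from
# $(FC) on the filesystems in $(FILESYSTEMS).  $(FC) is a prerequisite, as in
# 'relabel', so the check never runs against a stale file_contexts.
.PHONY: checklabels
checklabels: $(FC) $(SETFILES)
	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)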
204
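# Relabel verbosely, printing each file that is changed.  $(FC) is a
# prerequisite, as in 'relabel', so a stale file_contexts is never applied.
.PHONY: restorelabels
restorelabels: $(FC) $(SETFILES)
	$(SETFILES) -v $(FC) $(FILESYSTEMS)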
207
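# Relabel the filesystems in $(FILESYSTEMS) according to $(FC), quietly.
.PHONY: relabel
relabel:  $(FC) $(SETFILES)
	$(SETFILES) $(FC) $(FILESYSTEMS)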
210
# Optional directory for extra .fc files; it is a prerequisite of $(FC), so
# it must exist even when empty.
file_contexts/misc:
	@mkdir -p $@
213
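# Install the validated file_contexts and homedir_template, then run
# genhomedircon.  This recipe writes $(HOMEDIRPATH) as well as $@ (there is
# no separate rule for it), and whatever genhomedircon writes is not tracked
# by make.  system.users and the type lists are prerequisites presumably
# because genhomedircon reads them from the install tree -- confirm.
# $(USEPWD) is not set anywhere in this file.  genhomedircon is no longer
# @-silenced so a failure shows the command that failed.
$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
	@echo "Installing file contexts files..."
	@mkdir -p $(@D)
	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
	install -m 644 $(FC) $@
	$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)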
220
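# Build file_contexts: run the .fc sources through m4, then split the result.
# Lines mentioning HOME, ROLE or USER become homedir_template (installed for
# genhomedircon by the $(FCPATH) rule); everything else is the file_contexts
# proper.  Both outputs are staged in temp files and renamed at the very
# end, so a failure part-way never leaves a fresh $@ beside a stale or empty
# template.  /etc/passwd is a prerequisite although the recipe does not read
# it -- presumably so local account changes force a rebuild; confirm before
# removing.
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
	@echo "Building file contexts files..."
	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@.new
	@grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE).tmp
	@mv -f $(HOMEDIR_TEMPLATE).tmp $(HOMEDIR_TEMPLATE)
	@mv -f $@.new $@
	@rm -f $@.tmp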
227
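# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
# pathsearch: the first directory in $(PATH) that contains the program $(1)
# (taken from make-docs).  Comments are kept on their own lines: a trailing
# '# ...' after a value leaves the whitespace before it inside the variable.
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
# debian naming scheme
CTAGS := $(call pathsearch,ctags-exuberant)
ifeq ($(strip $(CTAGS)),)
# suse naming scheme
CTAGS := $(call pathsearch,ctags)
endif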
235
# All policy sources that feed the tags file.
TAG_SOURCES := $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)

# Build a tags file with Exuberant ctags, teaching it a "te" language whose
# tags are type, typealias, attribute, m4 define and bool declarations.
# Fails with a clear message when $(CTAGS) is not Exuberant ctags; LC_ALL=C
# presumably keeps the output order locale-independent.
tags: $(TAG_SOURCES)
	@if ! $(CTAGS) --version | grep -q Exuberant; then \
	  echo ERROR: Need exuberant-ctags to function!; exit 1; \
	fi
	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
244  
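# Remove everything this Makefile builds in the source tree: policy.conf, the
# local binary policy, tags, tmp/ contents, the generated file_contexts and
# flask/*.h, plus the domains/program/*.te symlinks created by the presymlink/
# rules of the regression tester.  Installed files are left alone.  Declared
# phony together with $(PHONIES) further down.  (The old recipe ended in a
# dangling '; \' that continued onto the following blank line.)
clean:
	$(RM) policy.conf $(POLICYVER)
	$(RM) tags
	$(RM) tmp/*
	$(RM) $(FC)
	$(RM) flask/*.h
	find "domains/program/" -maxdepth 1 -type l -exec rm {} \;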
253
# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
# cur_te: the last path component of the current target, e.g. foo.te for
# checkunused/foo.te (split $@ after every '/', drop the words ending in '/').
cur_te = $(filter-out %/,$(subst /,/ ,$@))

# Bare file names of the unused domains under test.
TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))

# compute_depends(<file>.te): define and export TE_DEPENDS_<file>.te as the
# text after "Depends: " on the first '# Depends: ...' line of
# domains/program/unused/<file>.te (empty when there is none).  The egrep runs
# at $(eval) time, once per file.
# NOTE(review): the variable name contains a '.', which not every make/shell
# combination will pass through the environment -- confirm the child make
# started by check-all actually sees these values.
define compute_depends
  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef
263
264
# Compute the per-file dependency variables only when the goal is check-all
# or a checkunused/<file> target, and only in the outermost make:
# TE_DEPENDS_DEFINED is exported so the child makes spawned by check-all and
# by the checkunused/% recipe skip this block.
ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
  GENRULES := $(TESTED_TE_FILES)
  export TE_DEPENDS_DEFINED := yes
else
  # Handle the case where checkunused/blah.te is run directly.
  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
    GENRULES := $(TESTED_TE_FILES)
    export TE_DEPENDS_DEFINED := yes
  endif
endif
endif
277
# Test for a new enough version of GNU Make.
# $(eval) appeared in GNU Make 3.80.  On an older make the line below
# presumably leaves have_eval unset, so $(error) aborts; the bare text line
# after it is a deliberate syntax error as a second line of defence.  Only
# checked when GENRULES is non-empty, i.e. when the tester is actually run.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
  ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
  endif
endif
# Define TE_DEPENDS_<file>.te for every file under test.
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
287
# Generated target names, collected for the .PHONY declaration below.
PHONIES :=

# compute_presymlinks(<file>.te): a presymlink/<file>.te target that first
# satisfies presymlink/ for every dependency listed in TE_DEPENDS_<file>.te,
# then symlinks domains/program/unused/<file>.te into domains/program/ (if
# the link is not already there) so the domain is included in the next
# policy build.  Double-colon so each eval'd rule stands on its own.
define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
	@if ! test -L domains/program/$(1); then \
	  cd domains/program && ln -s unused/$(1) .; \
	fi
endef
297
# Compute dependencies.
# Instantiate a presymlink/ rule for every unused domain.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))

# First of two double-colon rules for each checkunused/<file>.te target: reset
# the tree (which also removes earlier presymlink/ symlinks via clean's find)
# before the second rule, below, links the domain in and builds the policy.
PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
	@$(MAKE) -s clean
304
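# Second double-colon rule for checkunused/<file>.te: once presymlink/% has
# linked the unused domain (and its declared dependencies) into
# domains/program/, try to build the policy with it included.  $(cur_te) is
# the file name part of $@.  The nested build uses $(MAKE) rather than a bare
# 'make' so -n, -s and the jobserver are propagated.  The dangling '; \' that
# used to end the recipe is gone.
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
	fi
	@echo "Testing $(cur_te)...";
	@if ! $(MAKE) -s policy 1>/dev/null; then \
	  echo "Testing $(cur_te)...FAILED"; \
	  exit 1; \
	fi;
	@echo "Testing $(cur_te)...success."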
315
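# Run every checkunused/<file>.te test in its own child make (each starts
# from a clean tree).  Keeps going after a failure so all results are shown,
# but exits non-zero if any test failed; the old loop discarded the child
# make's exit status and always succeeded.
.PHONY: check-all
check-all:
	@rc=0; for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
	  $(MAKE) --no-print-directory $$goal || rc=1; \
	done; exit $$rc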
320
# clean plus every generated presymlink/ and checkunused/ target.  Note that
# install, load, reload, policy, relabel and the other command-style targets
# above are not declared phony here.
.PHONY: clean $(PHONIES)
322
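# One-shot conversion of a non-MLS tree to MLS: append the low level ':s0' to
# every type (..._t) in the context files, give each user in $(USER_FILES) a
# default level and range, widen the kernel SID to the full range, and flip
# MLS=n to MLS=y in this Makefile (the previous expression, s/MLS=y/MLS=y/,
# changed nothing).  Not idempotent: '_t\b' also matches the '_t' of an
# already converted '_t:s0', so a second run produces '_t:s0:s0'.
.PHONY: mlsconvert
mlsconvert:
	@for file in $(CONTEXTFILES); do \
		echo "Converting $$file"; \
		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
		mv $$file.new $$file; \
	done
	@for file in $(USER_FILES); do \
		echo "Converting $$file"; \
		sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
		mv $$file.new $$file; \
	done
	@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
	@echo "Enabling MLS in the Makefile"
	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
	@mv Makefile.new Makefile
	@echo "Done"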
339
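# One-shot conversion of a non-MCS tree to MCS: append ':s0' to every type in
# the context files, give each user a level and an s0 range (extended to the
# full category range for user_u, root and system_u), and flip MCS=n to MCS=y
# in this Makefile.  The users loop now replaces the file only if the sed
# pipeline succeeded (&&), matching the context-file loop; before, a failed
# sed would overwrite the user file with a truncated .new.  Not idempotent
# for the same reason as mlsconvert ('_t\b' matches inside '_t:s0').
.PHONY: mcsconvert
mcsconvert:
	@for file in $(CONTEXTFILES); do \
		echo "Converting $$file"; \
		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
		mv $$file.new $$file; \
	done
	@for file in $(USER_FILES); do \
		echo "Converting $$file"; \
		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
		sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new && \
		mv $$file.new $$file; \
	done
	@echo "Enabling MCS in the Makefile"
	@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new
	@mv Makefile.new Makefile
	@echo "Done"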
356