root/trunk/Rules.monolithic

Revision 2870, 8.4 kB (checked in by cpebenito, 1 week ago)

trunk: fix monolithic building to correctly put USER lines in homedir_template.

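########################################
#
# Rules and Targets for building monolithic policies
#

# Determine the policy version and current kernel version if possible.
# pv: first space-separated field printed by `$(CHECKPOLICY) -V`.
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
# kv: contents of /selinux/policyvers. When that file cannot be read (for
# example on a build host that is not running SELinux) cat's error message
# is discarded, so an undeterminable kernel version stays silent.
kv := $(shell cat /selinux/policyvers 2>/dev/null)

# Don't print version warnings if we are unable to determine
# the currently running kernel's policy version: with kv empty it falls
# back to pv, so the pv/kv mismatch tests in the build rules never fire.
ifeq "$(kv)" ""
  kv := $(pv)
endif
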
# Build outputs. $(builddir) is prepended with no separator, so it is
# presumably empty or ends in "/" -- confirm where it is defined.
policy_conf = $(builddir)policy.conf
fc = $(builddir)file_contexts
# the binary policy file name carries the compiler's policy version
polver = $(builddir)policy.$(pv)
homedir_template = $(builddir)homedir_template

# defines the m4 macro self_contained_policy for every $(M4) call that
# is given $(M4PARAM)
M4PARAM += -D self_contained_policy

# install paths
# installed binary policy: same file name as $(polver), under $(policypath)
loadpath = $(policypath)/$(notdir $(polver))

appfiles += $(installdir)/booleans $(userpath)/local.users

# for monolithic policy use all base and module to create policy
all_modules := $(strip $(base_mods) $(mod_mods))
# off module interfaces included to make sure all interfaces are expanded.
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
all_te_files := $(all_modules)
all_fc_files := $(all_modules:.te=.fc)

# sources expanded ahead of (pre) and after (post) the module .te files
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
post_te_files := $(user_files) $(poldir)/constraints

# the pieces that are concatenated, in this order, into policy.conf
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)

########################################
#
# default action: build policy locally
#
default: policy

# builds the binary policy at $(polver) only; no install path is a
# prerequisite of this target
policy: $(polver)

install: $(loadpath) $(fcpath) $(appfiles)

# $(tmpdir)/load is a stamp file touched by the load recipe
load: $(tmpdir)/load

# These four targets only gain $(fcpath) as a prerequisite here; no recipe
# for them appears in this file, so it is presumably supplied by the
# makefile that includes this one -- confirm.
checklabels: $(fcpath)
restorelabels: $(fcpath)
relabel:  $(fcpath)
resetlabels:  $(fcpath)

########################################
#
# Build a binary policy locally
#
# When UNK_PERMS is set, "-U $(UNK_PERMS)" is appended to CHECKPOLICY as a
# target-specific value for $(polver).
ifneq "$(UNK_PERMS)" ""
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
endif
$(polver): $(policy_conf)
	@echo "Compiling $(NAME) $(polver)"
# Parse-time conditional: the warning lines are part of the recipe only when
# the compiler's policy version (pv) differs from the kernel's (kv).
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
# the mismatch is a warning only; compilation proceeds either way
	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################
#
# Install a binary policy
#
# When UNK_PERMS is set, "-U $(UNK_PERMS)" is appended to CHECKPOLICY as a
# target-specific value for $(loadpath).
ifneq "$(UNK_PERMS)" ""
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
endif
# The policy is compiled again from $(policy_conf) with the install path as
# output; the locally built $(polver) is not copied.
$(loadpath): $(policy_conf)
	@mkdir -p $(policypath)
	@echo "Compiling and installing $(NAME) $(loadpath)"
# Parse-time conditional: the warning lines are part of the recipe only when
# the compiler's policy version (pv) differs from the kernel's (kv).
ifneq ($(pv),$(kv))
	@echo
	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
	@echo
endif
# NOTE(review): the compiler writes directly to the installed file name, so
# a failed or interrupted run may leave an incomplete file at $(loadpath)
# unless $(CHECKPOLICY) only writes on success -- confirm.
	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################
#
# Load the binary policy
#
# One recipe shared by two targets: "reload", which is listed in .PHONY and
# therefore always runs, and the stamp file $(tmpdir)/load, which is rebuilt
# only when a prerequisite is newer than the stamp.
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
	@echo "Loading $(NAME) $(loadpath)"
	$(verbose) $(LOADPOLICY) -q $(loadpath)
# update the stamp after the load command; both targets touch the same file
	@touch $(tmpdir)/load

########################################
#
# Construct a monolithic policy.conf
#
# policy.conf is the plain concatenation of $(policy_sections), in the order
# they are listed.
$(policy_conf): $(policy_sections)
	@echo "Creating $(NAME) $(@F)"
# create the output directory on first use
	@test -d $(@D) || mkdir -p $(@D)
	$(verbose) cat $^ > $@

# m4-expand the sources listed in $(pre_te_files) into a single file.
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# Generated definitions, written in three steps: $(genperm) output creates
# the file, the per-role template call is handed the file name, and
# $(setbools) output is appended when a booleans file exists.
$(tmpdir)/generated_definitions.conf: $(all_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
	$(verbose) $(genperm) $(avs) $(secclass) > $@
	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
# NOTE(review): the trailing "|| true" makes this line succeed both when
# $(booleans) does not exist and when $(setbools) itself fails, so a broken
# booleans file would not stop the build -- confirm that is intended.
	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

# m4-expand the global booleans and tunables. No mkdir here: the
# generated_definitions.conf prerequisite lives in $(tmpdir) and its recipe
# creates that directory.
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

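# Expand every module interface file through m4 and wrap the result between
# "divert(-1)" and "divert", so that reading this file back through m4
# defines the interfaces without emitting their text.
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "divert(-1)" > $@
# Truncate the scratch file (">" rather than ">>"): appending would carry
# output left over from an earlier run, including interfaces of modules that
# have since been edited or removed, into the new definitions.
	$(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp
# turn the "dollarsstar" placeholder back into a literal $*
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	@echo "divert" >> $@
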
# Start from a file holding one empty line, then run the parse-rolemap
# macro (defined outside this file) with "base" and the target name.
$(tmpdir)/rolemap.conf: $(rolemap)
	$(verbose) echo "" > $@
	$(call parse-rolemap,base,$@)

# m4-expand all enabled module .te files together with the generated
# definitions, the interface definitions and the role map.
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
# Parse-time conditional: with no enabled modules the recipe starts with
# $(error ...), which aborts make when this recipe is expanded.
ifeq "$(strip $(all_te_files))" ""
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

# m4-expand the sources listed in $(post_te_files) (user files and
# constraints) with the generated definitions in scope.
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
# NOTE(review): three targets share this one recipe and every line writes
# fixed file names rather than $@; make treats this as three independent
# rules, so under "make -j" the recipe may run more than once at the same
# time on the same files -- confirm parallel builds are not expected.
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
# all_post.conf starts as a copy of post_te_files.conf; the greps append
	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
# these have to run individually because order matters:
# "|| true" keeps a grep that matches nothing from failing the recipe; it
# also hides any other grep error (e.g. an unreadable input file).
	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
# the alternation needs extended regular expressions; presumably $(GREP)
# is set accordingly where it is defined -- confirm
	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf

########################################
#
# Remove the dontaudit rules from the policy.conf
#
# Rewrites $(policy_conf) in place: the filtered copy is written to
# $(tmpdir)/policy.audit and then moved over the original.
enableaudit: $(policy_conf)
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
# NOTE(review): "grep -v dontaudit" drops every line that contains the
# string anywhere, not only lines that begin a dontaudit rule -- confirm the
# generated policy.conf never carries the word on other lines.
	$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
	$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)

########################################
#
# Construct file_contexts
#
# The sorted file_contexts is split in two: lines containing HOME, ROLE or
# USER are copied to $(homedir_template) and then deleted from $@.
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
	$(verbose) $(fcsort) $< $@
# this grep exits non-zero, and so fails the recipe, when no line matches
	$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@

# m4-expand the .fc files of all enabled modules into the unsorted input
# of the rule above.
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
# Parse-time conditional: with no .fc files the recipe starts with
# $(error ...), which aborts make when this recipe is expanded.
ifeq ($(all_fc_files),)
	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) file_contexts."
	@test -d $(tmpdir) || mkdir -p $(tmpdir)
	$(verbose) $(M4) $(M4PARAM) $^ > $@

# no recipe: homedir_template is written as a side effect of the $(fc) rule
$(homedir_template): $(fc)

########################################
#
# Install file_contexts
#
# Besides $(fcpath) itself this recipe installs $(homedirpath) and runs
# $(genhomedircon).
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
	@echo "Validating $(NAME) file_contexts."
# check the built file_contexts against the installed binary policy before
# anything is copied; a failure here stops the recipe ahead of the install
	$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
	@echo "Installing file_contexts."
	@mkdir -p $(contextpath)/files
# mode 644: readable by everyone, writable only by the owner
	$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
	$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
	$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
ifeq "$(DISTRO)" "rhel4"
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
	$(verbose) cat $@.homedirs >> $@
# Delete the file_contexts.homedirs in case the toolchain has
# been updated, to prevent duplicate match errors.
	$(verbose) rm -f $@.homedirs
endif

########################################
#
# Install netfilter_contexts
#
# Copies $(net_contexts) to its install path with mode 0644; no rule in this
# file builds $(net_contexts), so it presumably comes from elsewhere.
$(ncpath): $(net_contexts)
	@echo "Installing $(NAME) netfilter_contexts."
	$(verbose) $(INSTALL) -m 0644 $^ $@

########################################
#
# Run policy source checks
#
# "check" and "longcheck" run $(SECHECK) on the built policy.conf and
# file_contexts with the "development" and "all" profiles respectively and
# keep its output in a .res file under $(builddir).
# NOTE(review): the output is redirected straight into $@, so the .res file
# exists even when $(SECHECK) exits non-zero; unless .DELETE_ON_ERROR is set
# elsewhere, a later run would treat that result as up to date -- confirm.
# These recipe lines are echoed regardless of $(verbose).
check: $(builddir)check.res
$(builddir)check.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@

longcheck: $(builddir)longcheck.res
$(builddir)longcheck.res: $(policy_conf) $(fc)
	$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@

########################################
#
# Appconfig files
#
# List the customizable types: take "type ... customizable" declarations
# from policy.conf, keep the type name (second space-separated field, cut at
# the first "," or ";"), sort and de-duplicate, then install with mode 644.
$(appdir)/customizable_types: $(policy_conf)
	@mkdir -p $(appdir)
# NOTE(review): with a plain sh the pipeline's status is that of the final
# $(SORT), so a failing grep or cut would go unnoticed and an empty list
# would be installed -- confirm whether SHELL flags are set elsewhere.
	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@

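########################################
#
# Clean the sources
#
# Removes the local build products named below and the whole $(tmpdir) tree.
clean:
	rm -f $(policy_conf)
	rm -f $(polver)
	rm -f $(fc)
	rm -f $(homedir_template)
	rm -f $(net_contexts)
	rm -f *.res
# check.res and longcheck.res are written under $(builddir); the "*.res"
# glob above only reaches them when $(builddir) is empty, so name them
# explicitly to keep stale check results from surviving a clean.
	rm -f $(builddir)check.res $(builddir)longcheck.res
	rm -fR $(tmpdir)
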
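# Command targets, not files. resetlabels is declared next to checklabels,
# restorelabels and relabel earlier in this file and is listed with them here
# so a stray file of that name cannot mask the target.
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel resetlabels check longcheck clean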