author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /Rules.monolithic | |
parent | Initial commit (diff) | |
Pushing 2.20120215 (current version)
Diffstat (limited to 'Rules.monolithic')
-rw-r--r-- | Rules.monolithic | 256 |
1 files changed, 256 insertions, 0 deletions
diff --git a/Rules.monolithic b/Rules.monolithic
new file mode 100644
index 000000000..7c4d03555
--- /dev/null
+++ b/Rules.monolithic
@@ -0,0 +1,256 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# determine the policy version and current kernel version if possible
+pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+kv := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq "$(kv)" ""
+ kv := $(pv)
+endif
+
+policy_conf = $(builddir)policy.conf
+fc = $(builddir)file_contexts
+polver = $(builddir)policy.$(pv)
+homedir_template = $(builddir)homedir_template
+
+M4PARAM += -D self_contained_policy
+
+# install paths
+loadpath = $(policypath)/$(notdir $(polver))
+
+appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
+
+# for monolithic policy use all base and module to create policy
+all_modules := $(strip $(base_mods) $(mod_mods))
+# off module interfaces included to make sure all interfaces are expanded.
+all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
+all_te_files := $(all_modules)
+all_fc_files := $(all_modules:.te=.fc)
+
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+post_te_files := $(user_files) $(poldir)/constraints
+
+policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(polver)
+
+install: $(loadpath) $(fcpath) $(appfiles)
+
+load: $(tmpdir)/load
+
+checklabels: $(fcpath)
+restorelabels: $(fcpath)
+relabel: $(fcpath)
+resetlabels: $(fcpath)
+
+########################################
+#
+# Build a binary policy locally
+#
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(polver): $(policy_conf)
+ @echo "Compiling $(NAME) $(polver)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(loadpath): $(policy_conf)
+ @echo "Compiling and installing $(NAME) $(loadpath)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+$(policy_conf): $(policy_sections)
+ @echo "Creating $(NAME) $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: $(pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf: $(all_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
+ifeq "$(strip $(all_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: $(policy_conf)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "Removing dontaudit rules from $(notdir $(policy_conf))"
+ $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
+ $(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
+
+########################################
+#
+# Construct file_contexts
+#
+$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
+ $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
+
+$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
+ifeq ($(all_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) file_contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(homedir_template): $(fc)
+
+########################################
+#
+# Install file_contexts
+#
+$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
+ @echo "Installing file_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
+ $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ifeq "$(DISTRO)" "rhel4"
+# Setfiles in RHEL4 does not look at file_contexts.homedirs.
+ $(verbose) cat $@.homedirs >> $@
+# Delete the file_contexts.homedirs in case the toolchain has
+# been updated, to prevent duplicate match errors.
+ $(verbose) rm -f $@.homedirs
+endif
+
+########################################
+#
+# Intall netfilter_contexts
+#
+$(ncpath): $(net_contexts)
+ @echo "Installing $(NAME) netfilter_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+########################################
+#
+# Run policy source checks
+#
+check: $(builddir)check.res
+$(builddir)check.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+longcheck: $(builddir)longcheck.res
+$(builddir)longcheck.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(policy_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+$(installdir)/seusers: $(seusers)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(policy_conf)
+ rm -f $(polver)
+ rm -f $(fc)
+ rm -f $(homedir_template)
+ rm -f $(net_contexts)
+ rm -f *.res
+ rm -fR $(tmpdir)
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
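Review bot: The rule header `$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf` declares three independent rules that share one recipe, so under `make -j` the recipe can run up to three times concurrently, each invocation truncating and appending to the same three files while another is still writing them, which can leave a corrupt or mis-ordered all_post.conf feeding into policy.conf. A portable fix is to make the recipe build a single stamp target, e.g. `$(tmpdir)/te_split.stamp: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf` (constructed name) with the existing recipe plus a final `@touch $@`, and then declare `$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/te_split.stamp ;`. The same two-targets-one-recipe shape appears on `reload $(tmpdir)/load:`, though there one target is a phony command and the other its stamp, so the duplication is less harmful. Separately, in the all_interfaces.conf rule the line `$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp` appends to a scratch file that nothing truncates except `make clean`, so every incremental rebuild re-emits all earlier interface definitions (including ones since removed from a .if file) into all_interfaces.conf; write it with `>` or pipe the m4 output directly into the following sed command and drop the scratch file.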