authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb /Rules.monolithic
parentInitial commit (diff)
Pushing 2.20120215 (current version)
Diffstat (limited to 'Rules.monolithic')
-rw-r--r--Rules.monolithic256
1 files changed, 256 insertions, 0 deletions
diff --git a/Rules.monolithic b/Rules.monolithic
new file mode 100644
index 00000000..7c4d0355
--- /dev/null
+++ b/Rules.monolithic
@@ -0,0 +1,256 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# determine the policy version and current kernel version if possible
+pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+kv := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq "$(kv)" ""
+ kv := $(pv)
+endif
+
+policy_conf = $(builddir)policy.conf
+fc = $(builddir)file_contexts
+polver = $(builddir)policy.$(pv)
+homedir_template = $(builddir)homedir_template
+
+M4PARAM += -D self_contained_policy
+
+# install paths
+loadpath = $(policypath)/$(notdir $(polver))
+
+appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
+
+# for monolithic policy use all base and module to create policy
+all_modules := $(strip $(base_mods) $(mod_mods))
+# off module interfaces included to make sure all interfaces are expanded.
+all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
+all_te_files := $(all_modules)
+all_fc_files := $(all_modules:.te=.fc)
+
+pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
+post_te_files := $(user_files) $(poldir)/constraints
+
+policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
+
+# search layer dirs for source files
+vpath %.te $(all_layers)
+vpath %.if $(all_layers)
+vpath %.fc $(all_layers)
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(polver)
+
+install: $(loadpath) $(fcpath) $(appfiles)
+
+load: $(tmpdir)/load
+
+checklabels: $(fcpath)
+restorelabels: $(fcpath)
+relabel: $(fcpath)
+resetlabels: $(fcpath)
+
+########################################
+#
+# Build a binary policy locally
+#
+ifneq "$(UNK_PERMS)" ""
+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(polver): $(policy_conf)
+ @echo "Compiling $(NAME) $(polver)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+ifneq "$(UNK_PERMS)" ""
+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
+endif
+$(loadpath): $(policy_conf)
+ @echo "Compiling and installing $(NAME) $(loadpath)"
+ifneq ($(pv),$(kv))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+$(policy_conf): $(policy_sections)
+ @echo "Creating $(NAME) $(@F)"
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) cat $^ > $@
+
+$(tmpdir)/pre_te_files.conf: $(pre_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/generated_definitions.conf: $(all_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+# define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+ $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
+ @echo "divert" >> $@
+
+$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
+ifeq "$(strip $(all_te_files))" ""
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) -s $^ > $@
+
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
+ $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
+ $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
+# these have to run individually because order matters:
+ $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+ $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: $(policy_conf)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ @echo "Removing dontaudit rules from $(notdir $(policy_conf))"
+ $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
+ $(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
+
+########################################
+#
+# Construct file_contexts
+#
+$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
+ $(verbose) $(fcsort) $< $@
+ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
+ $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
+
+$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
+ifeq ($(all_fc_files),)
+ $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) file_contexts."
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+$(homedir_template): $(fc)
+
+########################################
+#
+# Install file_contexts
+#
+$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
+ @echo "Installing file_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
+ $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
+ $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ifeq "$(DISTRO)" "rhel4"
+# Setfiles in RHEL4 does not look at file_contexts.homedirs.
+ $(verbose) cat $@.homedirs >> $@
+# Delete the file_contexts.homedirs in case the toolchain has
+# been updated, to prevent duplicate match errors.
+ $(verbose) rm -f $@.homedirs
+endif
+
+########################################
+#
+# Intall netfilter_contexts
+#
+$(ncpath): $(net_contexts)
+ @echo "Installing $(NAME) netfilter_contexts."
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $^ $@
+
+########################################
+#
+# Run policy source checks
+#
+check: $(builddir)check.res
+$(builddir)check.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+longcheck: $(builddir)longcheck.res
+$(builddir)longcheck.res: $(policy_conf) $(fc)
+ $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
+
+########################################
+#
+# Appconfig files
+#
+$(appdir)/customizable_types: $(policy_conf)
+ $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/customizable_types $@
+
+$(installdir)/seusers: $(seusers)
+ $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers
+ @$(INSTALL) -d -m 0755 $(@D)
+ $(verbose) $(INSTALL) -m 0644 $(tmpdir)/seusers $@
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -f $(policy_conf)
+ rm -f $(polver)
+ rm -f $(fc)
+ rm -f $(homedir_template)
+ rm -f $(net_contexts)
+ rm -f *.res
+ rm -fR $(tmpdir)
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
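Review bot: In the `$(tmpdir)/all_interfaces.conf` recipe the m4 output is appended (`>>`) to `$(tmpdir)/$(@F).tmp`, and that temp file is neither truncated beforehand nor removed afterwards, so every rebuild of the target after the first appends a further copy of all interface definitions to the temp file and from there into `$@`; write it rather than append it, `$(verbose) $(M4) $^ > $(tmpdir)/$(@F).tmp`, or drop the temp file and pipe m4 straight into the `$(SED)` call. The rule header `$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf:` defines three independent rules sharing one recipe, so under `make -j` the recipe can run concurrently for each target and the `cat >` followed by `>>` sequence on `all_post.conf` races with itself; a stamp target, or one primary target with the other two depending on it, would make it parallel-safe. Since the file declares no `.DELETE_ON_ERROR:`, a failing `$(SECHECK)` in the `$(builddir)check.res` recipe leaves an empty result file that is newer than its prerequisites, so a repeated `make check` is reported up to date without re-running the checks. The `'^fs_use_(xattr|task|trans)'` pattern matches only if `$(GREP)` is an extended-regex grep, which is set outside this file and is worth a comment on that line since the `|| true` would otherwise hide the silent non-match.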