########################################
#
# Rules and Targets for building monolithic policies
#
# Install locations.  INSTALLDIR, CONTEXTPATH and POLVER are not set in this
# file, so these stay recursively expanded (=) and take whatever value those
# variables have when a rule using them is run.
POLICYPATH = $(INSTALLDIR)/policy
LOADPATH = $(POLICYPATH)/$(POLVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

# A monolithic policy is built from every detected base and non-base module.
# The interface (.if) and file-context (.fc) lists are derived from the
# enabled .te list, so the three always describe the same module set.
ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
ALL_INTERFACES := $(patsubst %.te,%.if,$(ALL_MODULES))
ALL_TE_FILES := $(ALL_MODULES)
ALL_FC_FILES := $(patsubst %.te,%.fc,$(ALL_MODULES))

# Policy source placed before the module .te files (classes, initial sids,
# access vectors, m4 support, mls/mcs) and after them (users, constraints).
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) \
  $(POLDIR)/mls $(POLDIR)/mcs
POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints

# The sections that are concatenated, in this order, into policy.conf.
POLICY_SECTIONS := tmp/pre_te_files.conf \
  tmp/generated_definitions.conf \
  tmp/all_interfaces.conf \
  tmp/all_attrs_types.conf \
  $(GLOBALBOOL) $(GLOBALTUN) \
  tmp/only_te_rules.conf \
  tmp/all_post.conf
########################################
#
# default action: build policy locally
#
# Convenience entry points; all four are declared in .PHONY at the end of
# this file, so they are commands rather than files.
default: policy

# Compile the policy in the source tree.
policy: $(POLVER)

# Compile into the install tree and install the supporting files.
install: $(LOADPATH) \
  $(FCPATH) \
  $(APPFILES) \
  $(USERPATH)/local.users

# Load the installed policy (tmp/load is the stamp of the last load).
load: tmp/load
########################################
#
# Build a binary policy locally
#
# Compile the monolithic policy.conf into the binary policy $(POLVER) in the
# source tree.  Nothing is installed or loaded by this rule.
$(POLVER): policy.conf
	@echo "Compiling $(NAME) $(POLVER)"
# PV and KV are not set in this file; the warning text suggests they are the
# policy version being written and the one the kernel expects -- confirm.
# The comparison happens at parse time, so the warning lines are either part
# of the recipe for the whole make run or absent from it.
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $< -o $@
########################################
#
# Install a binary policy
#
# Compile policy.conf straight into the install tree: $(LOADPATH) is
# $(POLICYPATH)/$(POLVER), so this needs write access to that directory.
$(LOADPATH): policy.conf
	@mkdir -p $(POLICYPATH)
	@echo "Compiling and installing $(NAME) $(LOADPATH)"
# Same parse-time version check as the local build above.
ifneq ($(PV),$(KV))
	@echo
	@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
	@echo
endif
	$(QUIET) $(CHECKPOLICY) $< -o $@
########################################
#
# Load the binary policy
#
# Load the installed policy into the running kernel.  "reload" is phony and
# always runs; tmp/load is a stamp recording the last successful load and is
# only touched after $(LOADPOLICY) has returned success (a failing recipe
# line stops the rule).  The two names share one recipe, i.e. this header
# defines two rules with the same commands.
reload tmp/load: $(LOADPATH) $(FCPATH)
	@echo "Loading $(NAME) $(LOADPATH)"
	$(QUIET) $(LOADPOLICY) -q $<
	@touch tmp/load
########################################
#
# Construct a monolithic policy.conf
#
# Run the policy sections, in order, through m4 into one policy.conf.
# NOTE(review): the sed pass deletes every portcon/nodecon/netifcon line from
# the m4 output and nothing in this file adds them back; unless they are
# supplied elsewhere the compiled policy carries no network object contexts
# -- confirm this is intended.
policy.conf: $(POLICY_SECTIONS)
	@echo "Creating $(NAME) policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting:
	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
	$(QUIET) sed -e /^portcon/d \
		-e /^nodecon/d \
		-e /^netifcon/d \
		< tmp/$@.tmp > $@
# Everything that precedes the module .te files in policy.conf, concatenated.
tmp/pre_te_files.conf: $(PRE_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
# Generate m4 definitions derived from the enabled module set: a
# per_userdomain_templates macro that calls every module's
# <module>_per_userdomain_template (guarded by ifdef, so modules without one
# are skipped), and one define() per module file name so "ifdef(`foo.te',
# ...)" tests work in the policy source.
tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
# per-userdomain templates:
	@test -d tmp || mkdir -p tmp
	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
# \` passes a literal backtick (m4's open quote) through the shell, and
# '$$*' reaches the shell as '$*', so the generated macro body contains a
# literal $* -- m4's all-arguments token, forwarding the macro's own
# arguments to each module template.
	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
		>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
# define foo.te
	$(QUIET) for i in $(notdir $(ALL_MODULES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
# Disabled: boolean defaults are not appended here.
# $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
# Expand every module interface file through m4 (with the support macros)
# into a single file.
tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
# Evaluated when the makefile is parsed, not when this target is built, so
# an empty module list aborts any make invocation that reads this file.
ifeq ($(ALL_INTERFACES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@test -d tmp || mkdir -p tmp
# After make's $$ -> $ and the shell's backslash removal, sed sees
# s/dollarsstar/$*/g: the "dollarsstar" placeholder in the .if files is
# turned back into a literal $* -- presumably kept out of m4's sight during
# this expansion pass; confirm against the interface sources.
	$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
# All enabled module .te files concatenated, unprocessed.
tmp/all_te_files.conf: $(ALL_TE_FILES)
# Parse-time check: fires on any make invocation when no module is enabled.
ifeq ($(ALL_TE_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
# Everything that follows the module .te files in policy.conf, concatenated.
tmp/post_te_files.conf: $(POST_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
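# extract attributes and put them first. extract post te stuff
# like genfscon and put last. portcon, nodecon, and netifcon
# is delayed since they are generated by m4
#
# The three outputs come from a single pass over the inputs.  Naming them
# together in one rule header creates three independent rules that share a
# recipe, so a parallel make could run the recipe up to three times at once
# with the > and >> redirections below racing on the same files.  A stamp
# file makes the split one rule: the three .conf files depend only on the
# stamp and have an empty recipe.  (If one of them is deleted by hand while
# the stamp is current it is not regenerated; "make clean" removes tmp/
# wholesale, so that case does not arise in the normal cycle.)
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/te_split.stamp ;

tmp/te_split.stamp: tmp/all_te_files.conf tmp/post_te_files.conf
	@test -d tmp || mkdir -p tmp
# attribute declarations first, then type declarations.  A policy with no
# attribute lines is tolerated (|| true); one with no type lines fails here.
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
# post section: systemuser/users/constraints, then the sid, fs_use_* and
# genfscon statements pulled out of the .te files (each may be absent).
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) grep -E '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
# whatever was moved out above is removed from the remaining te rules
	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
		-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
		< tmp/all_te_files.conf > tmp/only_te_rules.conf
	@touch $@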
########################################
#
# Remove the dontaudit rules from the policy.conf
#
# Rewrite policy.conf in place without its dontaudit lines, so that the
# policy next compiled from it (make policy / make install) no longer
# suppresses logging of the denials those rules cover.  policy.conf is not
# regenerated by this target; rebuild it (or make clean) to get the
# dontaudit rules back.
# NOTE(review): grep -v drops every line containing "dontaudit" anywhere,
# including comments and any rule that continues onto further lines, whose
# remainder would be left behind -- confirm the sources keep each dontaudit
# rule on one line.
enableaudit: policy.conf
	@mkdir -p tmp
	@echo "Removing dontaudit rules from policy.conf"
	$(QUIET) grep -v dontaudit $< > tmp/policy.audit && mv tmp/policy.audit $<
########################################
#
# Construct file_contexts
#
# Run the module .fc files through m4, together with the support macros and
# the generated per-module definitions, into tmp/$(FC).tmp.
# NOTE(review): the steps that would split tmp/$@.tmp into $@ and
# $(HOMEDIR_TEMPLATE) are commented out below, so both outputs are only
# touch'ed (created empty if absent).  An empty file_contexts gives the
# labeling tools no specifications to apply; confirm this is intended before
# relying on "make install" for file labeling.
$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
# Parse-time check: fires on any make invocation when no module is enabled.
ifeq ($(ALL_FC_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) file_contexts."
	@mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
# Disabled: split HOME/ROLE entries into the homedir template and sort the rest.
# $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
# $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
# $(QUIET) $(FCSORT) tmp/$@.tmp $@
	$(QUIET) touch $(HOMEDIR_TEMPLATE)
	$(QUIET) touch $@
########################################
#
# Install file_contexts
#
# Install file_contexts and the homedir template into $(CONTEXTPATH)/files,
# world-readable (mode 644).  The homedir template is a second output that
# is not named by this rule's target.
# NOTE(review): the setfiles -c validation is commented out below, so
# "Validating" is printed but nothing is checked against the compiled policy
# before the file is installed -- confirm whether this is intended.
$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
	@echo "Validating $(NAME) file_contexts."
# $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
	@echo "Installing file_contexts."
	@mkdir -p $(@D)
	$(QUIET) install -m 644 $< $@
	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
# Disabled: per-user home directory contexts are not generated here.
# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
########################################
#
# Run policy source checks
#
# Static analysis of policy.conf and file_contexts with the "development"
# profile; the report is written to check.res in the current directory
# (removed by clean).
check: policy.conf $(FC)
	$(SECHECK) -s --profile=development --policy=$< --fcfile=$(FC) > $@.res
# Same analysis with the "all" profile; the report goes to longcheck.res.
longcheck: policy.conf $(FC)
	$(SECHECK) -s --profile=all --policy=$< --fcfile=$(FC) > $@.res
########################################
#
# Clean the sources
#
# Remove what this file generates: the tmp/ work directory, policy.conf,
# the compiled policy, the file_contexts and the sechecker reports.
# NOTE(review): the compiled policy is removed as policy.$(PV) while the
# build target is $(POLVER); presumably both name the same file -- confirm.
clean:
	rm -fR tmp
	rm -f policy.conf policy.$(PV) $(FC) *.res
# Targets that are commands rather than files.  checklabels, restorelabels
# and relabel are not defined in this file.
.PHONY: default policy install load reload enableaudit \
  checklabels restorelabels relabel check longcheck clean