From cca59cee5a02cafa3bcb36489736fa0988b3c688 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 17 2007 03:20:10 +0000 Subject: - Allow rpm to chat with networkmanager --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 5b9a984..d4c96ea 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1300,7 +1300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/rpm.if 2007-10-15 13:34:30.000000000 -0400 @@ -152,6 +152,24 @@ ######################################## @@ -1382,7 +1382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +346,84 @@ +@@ -289,3 +346,111 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1467,21 +1467,68 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + + dontaudit $1 rpm_t:shm rw_shm_perms; +') ++ ++######################################## ++## ++## Read/write rpm tmpfs files. ++## ++## ++##

++## Read/write rpm tmpfs files. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_tmpfs_files',` ++ gen_require(` ++ type rpm_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ allow $1 rpm_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) ++ read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-08-22 07:14:14.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-10-10 15:20:46.000000000 -0400 -@@ -184,6 +184,10 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-10-16 22:35:42.000000000 -0400 +@@ -139,6 +139,7 @@ + auth_relabel_all_files_except_shadow(rpm_t) + auth_manage_all_files_except_shadow(rpm_t) + auth_dontaudit_read_shadow(rpm_t) ++auth_use_nsswith(rpm_t) + + # transition to rpm script: + rpm_domtrans_script(rpm_t) +@@ -180,11 +181,18 @@ ') optional_policy(` -+ dbus_system_domain(rpm_t,rpm_exec_t) -+') +- hal_dbus_chat(rpm_t) +-') ++ optional_policy(` ++ hal_dbus_chat(rpm_t) ++ ') + -+optional_policy(` - nis_use_ypbind(rpm_t) ++ optional_policy(` ++ networkmanager_dbus_chat(rpm_t) ++ ') ++ ++ optional_policy(` ++ dbus_system_domain(rpm_t,rpm_exec_t) ++ ') + +-optional_policy(` +- nis_use_ypbind(rpm_t) ') -@@ -321,6 +325,7 @@ + optional_policy(` +@@ -321,6 +329,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) 
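Review bot: `+auth_use_nsswith(rpm_t)` in the rpm.te part of this hunk looks like a typo for the refpolicy interface `auth_use_nsswitch`; an undefined interface cannot expand and the policy build should fail on it, so the line ought to read `auth_use_nsswitch(rpm_t)`. The removal of `nis_use_ypbind(rpm_t)` further down is consistent with that reading, since the nsswitch interface already covers ypbind. As a point of style, the outer optional_policy wrapper around the hal, networkmanager and dbus blocks now holds nothing but nested optional blocks; either drop the wrapper, or keep `dbus_system_domain(rpm_t,rpm_exec_t)` at the outer level and nest the two `*_dbus_chat` calls under it, so the dependency on the dbus module is explicit. The new `rpm_rw_tmpfs_files` interface in rpm.if is fine as written; its summary/param markup appears garbled on this page and cannot be judged here.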
@@ -6599,7 +6646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-10 15:50:21.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-15 13:07:49.000000000 -0400 @@ -0,0 +1,157 @@ +## Exim service + @@ -7547,8 +7594,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-03 11:10:24.000000000 -0400 -@@ -226,6 +226,15 @@ ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-15 13:10:26.000000000 -0400 +@@ -142,6 +142,12 @@ + sendmail_create_log($1_mail_t) + ') + ++ optional_policy(` ++ exim_read_logs($1_mail_t) ++ exim_manage_spool($1_mail_t) ++ ') ++ ++ + ') + + ####################################### +@@ -226,6 +232,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) @@ -7564,7 +7624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -314,6 +323,24 @@ +@@ -314,6 +329,24 @@ ######################################## ## @@ -7589,7 +7649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -392,6 +419,7 @@ +@@ -392,6 +425,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) 
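Review bot: The exim block added to the mta.if template in the hunk at -7547 is followed by two blank lines (the consecutive `++` lines) before the closing `')`, where the neighbouring blocks use one; drop one of them. Separately, `exim_manage_spool($1_mail_t)` hands every domain built from this template full management of the exim spool — if exim.if (new in this patch, not visible here) offers a narrower enqueue-only interface, that would keep each user mail domain closer to least privilege, in the spirit of the `sendmail_create_log($1_mail_t)` line just above it. The enclosing template starts and ends outside the hunk.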
@@ -7597,7 +7657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -447,20 +475,18 @@ +@@ -447,20 +481,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -7624,7 +7684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -595,6 +621,25 @@ +@@ -595,6 +627,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -7652,7 +7712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-06 08:52:41.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-15 13:11:26.000000000 -0400 @@ -6,6 +6,7 @@ # Declarations # @@ -9675,7 +9735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-09 11:56:37.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-16 21:18:19.000000000 -0400 @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) 
@@ -11291,7 +11351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-11 10:50:27.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-15 13:34:37.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -11434,13 +11494,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +464,24 @@ +@@ -434,47 +464,25 @@ ') optional_policy(` - unconfined_domain_noaudit(xdm_xserver_t) - unconfined_domtrans(xdm_xserver_t) + rpm_dontaudit_rw_shm(xdm_xserver_t) ++ rpm_rw_tmpfs_files(xdm_xserver_t) +') - ifndef(`distro_redhat',` 
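Review bot: `rpm_rw_tmpfs_files(xdm_xserver_t)` in the xserver.te hunk at -11434 grants real read/write on rpm_tmpfs_t, while the line it sits next to, `rpm_dontaudit_rw_shm(xdm_xserver_t)`, only silences the equivalent shm denial; if the tmpfs access is likewise just noise from rpm-launched clients, a dontaudit interface would be the narrower choice. If it is genuinely needed, a why-comment above the call, e.g. `# X server must rw rpm tmpfs files for <TODO: name the client/use case>`, would record the reason for the wider grant. The optional_policy block containing these calls closes at the `')` in the hunk, but the surrounding xdm_xserver_t policy continues outside it.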
@@ -12638,16 +12699,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-10-03 11:10:25.000000000 -0400 -@@ -56,7 +56,6 @@ ++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-10-15 12:10:49.000000000 -0400 +@@ -55,11 +55,11 @@ + allow ipsec_t self:capability { net_admin dac_override dac_read_search }; dontaudit ipsec_t self:capability sys_tty_config; - allow ipsec_t self:process signal; +-allow ipsec_t self:process signal; -allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; ++allow ipsec_t self:process { signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:key_socket { create write read setopt }; allow ipsec_t self:fifo_file { read getattr }; -@@ -84,6 +83,8 @@ ++allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; + + allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; + read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) +@@ -69,7 +69,7 @@ + read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) + read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) + +-allow ipsec_t ipsec_var_run_t:file manage_file_perms; ++manage_files_pattern(ipsec_t,ipsec_var_run_t, ipsec_var_run_t) + allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms; + files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file }) + +@@ -84,6 +84,8 @@ allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; allow ipsec_mgmt_t ipsec_t:process sigchld; 
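Review bot: `manage_files_pattern(ipsec_t,ipsec_var_run_t, ipsec_var_run_t)` in the ipsec.te hunk at -12638 has a stray space after the second comma, unlike the other pattern calls in the file (compare the ipsec_mgmt_t lines in the next hunk); write it `manage_files_pattern(ipsec_t,ipsec_var_run_t,ipsec_var_run_t)`. The new `allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };` deserves a comment, since nlmsg_write on the xfrm socket is what lets the daemon install SAs and SPD entries, e.g. `# IKE daemon installs SAs/SPD entries via the xfrm netlink socket`. The same hunk widens `self:process` from `signal` to `{ signal setsched }` without saying why; a short comment naming the daemon that needs setsched would help the next reviewer judge it.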
@@ -12656,7 +12732,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. kernel_read_kernel_sysctls(ipsec_t) kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) -@@ -134,16 +135,10 @@ +@@ -104,6 +106,11 @@ + corenet_tcp_bind_all_nodes(ipsec_t) + corenet_tcp_bind_reserved_port(ipsec_t) + corenet_tcp_bind_isakmp_port(ipsec_t) ++ ++corenet_udp_bind_all_nodes(ipsec_t) ++corenet_udp_bind_isakmp_port(ipsec_t) ++corenet_udp_bind_ipsecnat_port(ipsec_t) ++ + corenet_sendrecv_generic_server_packets(ipsec_t) + corenet_sendrecv_isakmp_server_packets(ipsec_t) + +@@ -134,16 +141,10 @@ miscfiles_read_localization(ipsec_t) @@ -12673,7 +12761,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. seutil_sigchld_newrole(ipsec_t) ') -@@ -278,11 +273,11 @@ +@@ -170,6 +171,8 @@ + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) + ++logging_send_syslog_msg(ipsec_mgmt_t) ++ + manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) + manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) + +@@ -225,6 +228,7 @@ + # the ipsec wrapper wants to run /usr/bin/logger (should we put + # it in its own domain?) + corecmd_exec_bin(ipsec_mgmt_t) ++corecmd_exec_shell(ipsec_mgmt_t) + + domain_use_interactive_fds(ipsec_mgmt_t) + # denials when ps tries to search /proc. Do not audit these denials. +@@ -278,11 +282,11 @@ # allow racoon_t self:capability { net_admin net_bind_service }; @@ -12686,7 +12791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # manage pid file manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -299,11 +294,15 @@ +@@ -299,11 +303,15 @@ allow racoon_t ipsec_spd_t:association setcontext; 
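Review bot: `corecmd_exec_shell(ipsec_mgmt_t)` in the ipsec.te hunk at -12673 lands directly under a comment that explains only the `corecmd_exec_bin` line (the /usr/bin/logger case), so a reader will assume the comment covers it; add a line such as `# the ipsec wrapper scripts also spawn a shell` (confirm against the scripts) or move the call below that comment block. Shell execution in a management domain is a broad grant, so recording which script needs it makes a later tightening possible. The hunk at -12656 adding the udp bind rules for the isakmp and ipsecnat ports raises nothing.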
@@ -14225,7 +14330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-09 15:59:34.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-16 22:49:31.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -14245,7 +14350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -194,10 +197,15 @@ +@@ -194,10 +197,19 @@ # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; optional_policy(` @@ -14255,6 +14360,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') +optional_policy(` ++ rpm_dontaudit_rw_pipes(load_policy_t) ++') ++ ++optional_policy(` + usermanage_dontaudit_useradd_use_fds(load_policy_t) +') + @@ -14262,7 +14371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -215,7 +223,7 @@ +@@ -215,7 +227,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -14271,7 +14380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,selinux_config_t,selinux_config_t) read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t) -@@ -252,8 +260,11 @@ +@@ -252,8 +264,11 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) 
@@ -14283,7 +14392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) -@@ -273,6 +284,7 @@ +@@ -273,6 +288,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -14291,7 +14400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -294,14 +306,6 @@ +@@ -294,14 +310,6 @@ files_polyinstantiate_all(newrole_t) ') @@ -14306,7 +14415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Restorecond local policy -@@ -309,11 +313,12 @@ +@@ -309,11 +317,12 @@ allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:fifo_file rw_fifo_file_perms; @@ -14320,7 +14429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) -@@ -343,15 +348,12 @@ +@@ -343,15 +352,12 @@ miscfiles_read_localization(restorecond_t) @@ -14338,7 +14447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ################################# # -@@ -361,7 +363,7 @@ +@@ -361,7 +367,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -14347,7 +14456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -375,6 +377,7 @@ +@@ -375,6 +381,7 @@ term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
@@ -14355,7 +14464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -423,77 +426,52 @@ +@@ -423,77 +430,52 @@ nscd_socket_use(run_init_t) ') @@ -14381,19 +14490,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) -- --dev_read_urand(semanage_t) +init_dontaudit_use_fds(setsebool_t) --domain_use_interactive_fds(semanage_t) +-corecmd_exec_bin(semanage_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_selinux_config(setsebool_t) +-dev_read_urand(semanage_t) +- +-domain_use_interactive_fds(semanage_t) +- -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -14459,7 +14568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -521,6 +499,8 @@ +@@ -521,6 +503,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -14468,7 +14577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -537,6 +517,7 @@ +@@ -537,6 +521,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) 
@@ -14476,7 +14585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -590,8 +571,16 @@ +@@ -590,8 +575,16 @@ fs_relabel_tmpfs_chr_file(setfiles_t) ') @@ -14626,7 +14735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-09 16:07:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-15 13:54:06.000000000 -0400 @@ -132,6 +132,7 @@ init_read_utmp(udev_t) @@ -14659,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-11 14:50:56.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-15 13:33:52.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -17206,3 +17315,182 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy $(call parse-rolemap,base,$@) $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf +diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.8/support/Makefile.devel +--- nsaserefpolicy/support/Makefile.devel 2007-05-29 13:53:56.000000000 -0400 ++++ serefpolicy-3.0.8/support/Makefile.devel 2007-10-15 16:12:34.000000000 -0400 +@@ -31,10 +31,10 @@ + + genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py + +-docs = doc +-polxml = $(docs)/policy.xml +-xmldtd = $(HEADERDIR)/support/policy.dtd +-metaxml = metadata.xml ++docs := doc ++polxml := $(docs)/policy.xml ++xmldtd := $(HEADERDIR)/support/policy.dtd ++metaxml := metadata.xml + + globaltun = $(HEADERDIR)/global_tunables.xml + globalbool = $(HEADERDIR)/global_booleans.xml +@@ -76,35 +76,23 @@ + # policy headers + m4support = $(wildcard $(HEADERDIR)/support/*.spt) + +-all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d)) +-all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if)) +-rolemap = $(HEADERDIR)/rolemap +- +-detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) +- +-clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers)))) +-all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers)))) +-detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers)))) +- +-3rd_party_mods = $(wildcard *.te) +-detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te)) +-detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te)) +- +-detected_ifs = 
$(detected_mods:.te=.if) +-detected_fcs = $(detected_mods:.te=.fc) +-all_packages = $(notdir $(detected_mods:.te=.pp)) +- +-modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml)) +-layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR)))) +- +-hmodxml = $(all_interfaces:.if=.xml) +-hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset)))) +-hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml)) +- +-cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te)) +-cmodxml = $(cmods:.te=.xml) +-clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers)))) +-cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml)) ++header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d)) ++header_xml := $(addsuffix .xml,$(header_layers)) ++header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if)) ++ ++rolemap := $(HEADERDIR)/rolemap ++ ++local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) ++local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers))) ++ ++all_layer_names := $(sort $(notdir $(header_layers) $(local_layers))) ++ ++3rd_party_mods := $(wildcard *.te) ++detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te)) ++ ++detected_ifs := $(detected_mods:.te=.if) ++detected_fcs := $(detected_mods:.te=.fc) ++all_packages := $(notdir $(detected_mods:.te=.pp)) + + # figure out what modules we may want to reload + loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1)) +@@ -112,9 +100,9 @@ + match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods)) + match_loc = $(filter $(all_packages),$(loaded_mods)) + +-vpath %.te $(detected_layers) +-vpath %.if $(detected_layers) +-vpath %.fc $(detected_layers) ++vpath %.te $(local_layers) ++vpath %.if $(local_layers) ++vpath 
%.fc $(local_layers) + + ######################################## + # +@@ -192,7 +180,7 @@ + # + tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te + @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" +- @test -d tmp || mkdir -p tmp ++ @test -d $(@D) || mkdir -p $(@D) + $(call peruser-expansion,$(basename $(@F)),$@.role) + $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ +@@ -204,55 +192,50 @@ + @echo "Creating $(NAME) $(@F) policy package" + $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc + +-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs) +- @test -d tmp || mkdir -p tmp +- $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ ++tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs) ++ @test -d $(@D) || mkdir -p $(@D) ++ @echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4 ++ @echo "divert(-1)" > $@ ++ $(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@ ++ @echo "divert" >> $@ + + # so users dont have to make empty .fc and .if files +-$(detected_ifs) $(detected_fcs): ++$(detected_fcs): + @touch $@ ++ ++$(detected_ifs): ++ @echo "## $(basename $(@D))" > $@ + + ######################################## + # + # Documentation generation + # ++tmp/%.xml: %/*.te %/*.if ++ @test -d $(@D) || mkdir -p $(@D) ++ $(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@ ++ $(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@ + +-$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml) +- @test -d tmp || mkdir -p tmp +- $(verbose) echo '' > $@ +- $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; +- $(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@ +- $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ +- $(verbose) echo '' >> $@ +- +-$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml) +- 
@test -d tmp || mkdir -p tmp +- $(verbose) echo '' > $@ +- $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; +- $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ +- $(verbose) echo '' >> $@ +- +-$(cmodxml) $(modxml): %.xml: %.if %.te +- $(verbose) $(genxml) -w -m $* > $@ +- +-$(layerxml): %.xml: $(modxml) +- @test -d tmp || mkdir -p tmp +- $(verbose) echo '' > $@ +- $(verbose) if test -f '$(metaxml)'; then \ +- cat $(metaxml) >> $@; \ +- else \ +- echo 'This is all third-party generated modules.' >> $@; \ +- fi +- $(verbose) cat $(filter-out %/$(metaxml), $^) >> $@ +- $(verbose) echo '' >> $@ ++vars: $(local_xml) + +-$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool) ++$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs) + @echo "Creating $(@F)" +- @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) ++ @test -d $(@D) || mkdir -p $(@D) + $(verbose) echo '' > $@ + $(verbose) echo '' >> $@ + $(verbose) echo '' >> $@ +- $(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@ ++ $(verbose) for i in $(all_layer_names); do \ ++ echo "" >> $@ ;\ ++ test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\ ++ test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\ ++ echo "" >> $@ ;\ ++ done ++ifneq "$(strip $(3rd_party_mods))" "" ++ $(verbose) echo "" >> $@ ++ $(verbose) echo "These are all third-party modules." >> $@ ++ $(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@ ++ $(verbose) echo "" >> $@ ++endif ++ $(verbose) cat $(globaltun) $(globalbool) >> $@ + $(verbose) echo '' >> $@ + $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ + $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\