diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 5b9a9b7..5d1e365 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,7 @@ +- Changed QUIET build option to a yes or no option. +- Add a Makefile used for compiling loadable modules in a + user's development environment, building against policy headers. +- Add Make target for installing policy headers. - Separate per-userdomain template expansion from the userdomain module and add infrastructure to expand templates in the modules that own the template. diff --git a/refpolicy/Makefile b/refpolicy/Makefile index ae8f7a5..7b22e48 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -74,12 +74,14 @@ BOOLEANS := $(POLDIR)/booleans.conf ROLEMAP := $(POLDIR)/rolemap # install paths -TOPDIR = $(DESTDIR)/etc/selinux -INSTALLDIR = $(TOPDIR)/$(NAME) -SRCPATH = $(INSTALLDIR)/src -USERPATH = $(INSTALLDIR)/users -CONTEXTPATH = $(INSTALLDIR)/contexts -MODPKGDIR = $(DESTDIR)/usr/share/selinux/$(NAME) +TOPDIR := $(DESTDIR)/etc/selinux +INSTALLDIR := $(TOPDIR)/$(NAME) +SRCPATH := $(INSTALLDIR)/src +USERPATH := $(INSTALLDIR)/users +CONTEXTPATH := $(INSTALLDIR)/contexts +SHAREDIR := $(DESTDIR)$(PREFIX)/share/selinux +MODPKGDIR := $(SHAREDIR)/$(NAME) +HEADERDIR := $(SHAREDIR)/refpolicy/include # compile strict policy if requested. ifneq ($(findstring strict,$(TYPE)),) @@ -126,6 +128,10 @@ ifeq ($(DIRECT_INITRC),y) M4PARAM += -D direct_sysadm_daemon endif +ifeq ($(QUIET),y) + verbose = @ +endif + M4PARAM += -D hide_broken_symptoms # we need exuberant ctags; unfortunately it is named 
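Review bot: `SHAREDIR := $(DESTDIR)$(PREFIX)/share/selinux` introduces `PREFIX`, which this hunk neither defines nor defaults; if nothing earlier in the Makefile assigns it (not visible here), `SHAREDIR` collapses to `$(DESTDIR)/share/selinux` and `MODPKGDIR`/`HEADERDIR` silently move out of `/usr/share/selinux`, so the `semodule -b $(MODPKGDIR)/...` call in Rules.modular would look in the wrong place. Add `PREFIX ?= /usr` next to the other install knobs (the new Makefile.devel already hard-codes `PREFIX := /usr`). The switch from `=` to `:=` also means `DESTDIR` and `NAME` must already be set when these lines are parsed; if build.conf is included below this point the paths are computed with empty values, so the include order is worth confirming.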
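Review bot: The new `verbose = @` is set only when `QUIET` is exactly `y`, so any other spelling (`Y`, `yes`, or a stale `QUIET:=@` carried over from an older build.conf) is silently treated as not-quiet with no diagnostic. Since the option is now documented as yes/no, reject other values at parse time: `ifneq ($(filter y n,$(strip $(QUIET))),$(strip $(QUIET)))` / `$(error QUIET must be y or n)` / `endif`. A variable named `verbose` that holds the echo suppressor reads inverted next to Makefile.devel's `quiet`; a comment such as `# verbose is the recipe-echo prefix: empty (commands echoed) unless QUIET=y` would help, and `:=` avoids the unnecessary recursive flavour.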
@@ -189,15 +195,15 @@ OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == # parse-rolemap modulename,outputfile define parse-rolemap - $(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \ + $(verbose) m4 $(M4PARAM) $(ROLEMAP) | \ awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 endef # peruser-expansion modulename,outputfile define peruser-expansion - $(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2 + $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2 $(call parse-rolemap,$1,$2) - $(QUIET) echo "')" >> $2 + $(verbose) echo "')" >> $2 endef ######################################## @@ -220,8 +226,8 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke @echo "# This is a generated file! Instead of modifying this file, the" >> $@ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ - $(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in >> $@ - $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ + $(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@ + $(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ | m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ @@ -230,7 +236,7 @@ $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/ke @echo "# This is a generated file! Instead of modifying this file, the" >> $@ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ - $(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ \ + $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ ######################################## 
@@ -241,7 +247,7 @@ conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC) $(MOD_CONF) $(BOOLEANS): $(POLXML) @echo "Updating $(MOD_CONF) and $(BOOLEANS)" - $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML) + $(verbose) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML) ######################################## # @@ -255,18 +261,18 @@ $(MOD_CONF) $(BOOLEANS): $(POLXML) $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXML)) @echo "Creating $@" @mkdir -p tmp - $(QUIET) echo '' > $@ - $(QUIET) echo '' >> $@ - $(QUIET) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@ - $(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ + $(verbose) echo '' > $@ + $(verbose) echo '' >> $@ + $(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@ + $(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\ fi html: $(POLXML) @echo "Building html interface reference documentation in $(HTMLDIR)" @mkdir -p $(HTMLDIR) - $(QUIET) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML) - $(QUIET) cp $(DOCTEMPLATE)/*.css $(HTMLDIR) + $(verbose) cd $(DOCS) && ../$(GENDOC) -d ../$(HTMLDIR) -T ../$(DOCTEMPLATE) -x ../$(POLXML) + $(verbose) cp $(DOCTEMPLATE)/*.css $(HTMLDIR) ######################################## # 
@@ -280,14 +286,14 @@ $(USERPATH)/system.users: $(M4SUPPORT) tmp/generated_definitions.conf $(USER_FIL @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users @echo "# Please edit local.users to make local changes." >> tmp/system.users @echo "#" >> tmp/system.users - $(QUIET) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \ + $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \ -e '/^[[:blank:]]*($$|#)/d' >> tmp/system.users - $(QUIET) install -m 644 tmp/system.users $@ + $(verbose) install -m 644 tmp/system.users $@ $(USERPATH)/local.users: config/local.users @mkdir -p $(USERPATH) @echo "Installing local.users" - $(QUIET) install -b -m 644 $< $@ + $(verbose) install -b -m 644 $< $@ ######################################## # 
@@ -297,45 +303,54 @@ install-appconfig: $(APPFILES) $(INSTALLDIR)/booleans: $(BOOLEANS) @mkdir -p $(INSTALLDIR) - $(QUIET) sed -r -e 's/false/0/g' -e 's/true/1/g' \ + $(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \ -e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > tmp/booleans - $(QUIET) install -m 644 tmp/booleans $@ + $(verbose) install -m 644 tmp/booleans $@ $(CONTEXTPATH)/files/media: $(APPCONF)/media @mkdir -p $(CONTEXTPATH)/files/ - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/default_contexts: $(APPCONF)/default_contexts @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/removable_context: $(APPCONF)/removable_context @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/default_type: $(APPCONF)/default_type @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/initrc_context: $(APPCONF)/initrc_context @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts @mkdir -p $(APPDIR) - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ $(APPDIR)/users/root: $(APPCONF)/root_default_contexts @mkdir -p $(APPDIR)/users - $(QUIET) install -m 644 $< $@ + $(verbose) install -m 644 $< $@ + +######################################## +# +# Install policy headers +# +install-headers: $(DETECTED_MODS:.te=.if) $(ROLEMAP) $(M4SUPPORT) $(SUPPORT)/Makefile.devel build.conf + mkdir -p $(HEADERDIR) + $(verbose) install -m 644 $^ $(HEADERDIR) + $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/all_perms.spt 
######################################## # diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular index f4bb9b0..b2e2ee9 100644 --- a/refpolicy/Rules.modular +++ b/refpolicy/Rules.modular @@ -47,7 +47,7 @@ install: $(INSTPKG) $(APPFILES) # load: $(INSTPKG) $(APPFILES) @echo "Loading configured modules." - $(QUIET) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod)) + $(verbose) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod)) ######################################## # @@ -56,7 +56,7 @@ load: $(INSTPKG) $(APPFILES) $(MODPKGDIR)/%.pp: %.pp @mkdir -p $(MODPKGDIR) @echo "Installing $(NAME) $(@F) policy package." - $(QUIET) install -m 0644 $^ $(MODPKGDIR) + $(verbose) install -m 0644 $^ $(MODPKGDIR) ######################################## # @@ -65,15 +65,15 @@ $(MODPKGDIR)/%.pp: %.pp tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" $(call peruser-expansion,$(basename $(@F)),$@.role) - $(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) - $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + $(verbose) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ tmp/%.mod.fc: $(M4SUPPORT) %.fc - $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@ + $(verbose) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@ %.pp: tmp/%.mod tmp/%.mod.fc @echo "Creating $(NAME) $(@F) policy package" - $(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc + $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc ######################################## # 
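Review bot: In `install-headers`, `$(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/all_perms.spt` writes straight into the install tree, so a failing `$(GENPERM)` leaves a truncated `all_perms.spt` behind, and because that file is not a make target nothing notices on the next run; generate into `tmp/all_perms.spt` first and `install -m 644` it like the other generated files in this Makefile. `mkdir -p $(HEADERDIR)` is the only unprefixed mkdir in the file, while the surrounding rules use `@mkdir -p`. `install-headers` is a command rather than a file, so it belongs in the `.PHONY` list (not visible in this hunk). The rule also installs `build.conf` into `$(HEADERDIR)`, but Makefile.devel does `-include build.conf` from the current directory, so a comment stating that the installed copy is a reference only would avoid confusion.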
@@ -81,11 +81,11 @@ tmp/%.mod.fc: $(M4SUPPORT) %.fc # $(BASE_PKG): tmp/base.mod $(BASE_FC) @echo "Creating $(NAME) base module package" - $(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC) + $(verbose) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC) tmp/base.mod: base.conf @echo "Compiling $(NAME) base module" - $(QUIET) $(CHECKMODULE) $^ -o $@ + $(verbose) $(CHECKMODULE) $^ -o $@ ######################################## # 
@@ -94,64 +94,64 @@ tmp/base.mod: base.conf base.conf: $(BASE_SECTIONS) @echo "Creating $(NAME) base module base.conf" # checkpolicy can use the #line directives provided by -s for error reporting: - $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp - $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ + $(verbose) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp + $(verbose) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ # the ordering of these ocontexts matters: - $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true - $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true - $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true + $(verbose) grep ^portcon tmp/$@.tmp >> $@ || true + $(verbose) grep ^netifcon tmp/$@.tmp >> $@ || true + $(verbose) grep ^nodecon tmp/$@.tmp >> $@ || true tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES) @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ tmp/generated_definitions.conf: $(BASE_TE_FILES) @test -d tmp || mkdir -p tmp # define all available object classes - $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@ + $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $@ # per-userdomain templates - $(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@ - $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \ + $(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@ + $(verbose) for i in $(patsubst %.te,%,$(BASE_MODS)); do \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ >> $@ ;\ done - $(QUIET) echo "')" >> $@ + $(verbose) echo "')" >> $@ # define foo.te - $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \ + $(verbose) for i in $(notdir $(BASE_TE_FILES)); do \ echo "define(\`$$i')" >> $@ ;\ done - $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ + $(verbose) $(SETTUN) $(BOOLEANS) >> $@ tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) ifeq ($(ALL_INTERFACES),) $(error No enabled modules! 
$(notdir $(MOD_CONF)) may need to be generated by using "make conf") endif @test -d tmp || mkdir -p tmp - $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ + $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ tmp/all_te_files.conf: $(BASE_TE_FILES) ifeq ($(BASE_TE_FILES),) $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") endif @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ $(call parse-rolemap,base,$@) tmp/post_te_files.conf: $(BASE_POST_TE_FILES) @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ # extract attributes and put them first. extract post te stuff # like genfscon and put last. portcon, nodecon, and netifcon # is delayed since they are generated by m4 tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf - $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true - $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf - $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf - $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ + $(verbose) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true + $(verbose) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf + $(verbose) cat tmp/post_te_files.conf > tmp/all_post.conf + $(verbose) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ -e '/^sid /d' -e 
'/^fs_use_(xattr|task|trans)/d' \ < tmp/all_te_files.conf > tmp/only_te_rules.conf @@ -160,7 +160,7 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi # Construct a base.fc # $(BASE_FC): tmp/$(BASE_FC).tmp $(FCSORT) - $(QUIET) $(FCSORT) $< $@ + $(verbose) $(FCSORT) $< $@ tmp/$(BASE_FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) ifeq ($(BASE_FC_FILES),) @@ -168,7 +168,7 @@ ifeq ($(BASE_FC_FILES),) endif @echo "Creating $(NAME) base module file contexts." @test -d tmp || mkdir -p tmp - $(QUIET) m4 $(M4PARAM) $^ > $@ + $(verbose) m4 $(M4PARAM) $^ > $@ ######################################## # @@ -177,8 +177,8 @@ endif enableaudit: base.conf @test -d tmp || mkdir -p tmp @echo "Removing dontaudit rules from base.conf" - $(QUIET) grep -v dontaudit base.conf > tmp/base.audit - $(QUIET) mv tmp/base.audit base.conf + $(verbose) grep -v dontaudit base.conf > tmp/base.audit + $(verbose) mv tmp/base.audit base.conf ######################################## # @@ -186,8 +186,8 @@ enableaudit: base.conf # $(APPDIR)/customizable_types: base.conf @mkdir -p $(APPDIR) - $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types - $(QUIET) install -m 644 tmp/customizable_types $@ + $(verbose) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types + $(verbose) install -m 644 tmp/customizable_types $@ ######################################## # diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic index 7051ec0..cf2436c 100644 --- a/refpolicy/Rules.monolithic +++ b/refpolicy/Rules.monolithic @@ -56,7 +56,7 @@ ifneq ($(PV),$(KV)) @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo endif - $(QUIET) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) $^ -o $@ ######################################## # 
@@ -70,7 +70,7 @@ ifneq ($(PV),$(KV)) @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" @echo endif - $(QUIET) $(CHECKPOLICY) $^ -o $@ + $(verbose) $(CHECKPOLICY) $^ -o $@ ######################################## # @@ -78,7 +78,7 @@ endif # reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES) @echo "Loading $(NAME) $(LOADPATH)" - $(QUIET) $(LOADPOLICY) -q $(LOADPATH) + $(verbose) $(LOADPOLICY) -q $(LOADPATH) @touch tmp/load ######################################## 
@@ -88,62 +88,62 @@ reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES) policy.conf: $(POLICY_SECTIONS) @echo "Creating $(NAME) policy.conf" # checkpolicy can use the #line directives provided by -s for error reporting: - $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp - $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ + $(verbose) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp + $(verbose) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ # the ordering of these ocontexts matters: - $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true - $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true - $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true + $(verbose) grep ^portcon tmp/$@.tmp >> $@ || true + $(verbose) grep ^netifcon tmp/$@.tmp >> $@ || true + $(verbose) grep ^nodecon tmp/$@.tmp >> $@ || true tmp/pre_te_files.conf: $(PRE_TE_FILES) @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ tmp/generated_definitions.conf: $(ALL_TE_FILES) # per-userdomain templates: @test -d tmp || mkdir -p tmp - $(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@ - $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ + $(verbose) echo "define(\`base_per_userdomain_template',\`" > $@ + $(verbose) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ >> $@ ;\ done - $(QUIET) echo "')" >> $@ + $(verbose) echo "')" >> $@ # define foo.te - $(QUIET) for i in $(notdir $(ALL_MODULES)); do \ + $(verbose) for i in $(notdir $(ALL_MODULES)); do \ echo "define(\`$$i')" >> $@ ;\ done - $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ + $(verbose) $(SETTUN) $(BOOLEANS) >> $@ tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) ifeq ($(ALL_INTERFACES),) $(error No enabled modules! 
$(notdir $(MOD_CONF)) may need to be generated by using "make conf") endif @test -d tmp || mkdir -p tmp - $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ + $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ tmp/all_te_files.conf: $(ALL_TE_FILES) ifeq ($(ALL_TE_FILES),) $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") endif @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ $(call parse-rolemap,base,$@) tmp/post_te_files.conf: $(POST_TE_FILES) @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ + $(verbose) cat $^ > $@ # extract attributes and put them first. extract post te stuff # like genfscon and put last. portcon, nodecon, and netifcon # is delayed since they are generated by m4 tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf - $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true - $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf - $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf - $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ + $(verbose) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true + $(verbose) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf + $(verbose) cat tmp/post_te_files.conf > tmp/all_post.conf + $(verbose) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true + $(verbose) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ -e '/^sid /d' -e 
'/^fs_use_(xattr|task|trans)/d' \ < tmp/all_te_files.conf > tmp/only_te_rules.conf @@ -154,17 +154,17 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi enableaudit: policy.conf @test -d tmp || mkdir -p tmp @echo "Removing dontaudit rules from policy.conf" - $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit - $(QUIET) mv tmp/policy.audit policy.conf + $(verbose) grep -v dontaudit policy.conf > tmp/policy.audit + $(verbose) mv tmp/policy.audit policy.conf ######################################## # # Construct file_contexts # $(FC): tmp/$(FC).tmp $(FCSORT) - $(QUIET) $(FCSORT) $< $@ - $(QUIET) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE) - $(QUIET) sed -i -e /HOME/d -e /ROLE/d $@ + $(verbose) $(FCSORT) $< $@ + $(verbose) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE) + $(verbose) sed -i -e /HOME/d -e /ROLE/d $@ tmp/$(FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) ifeq ($(ALL_FC_FILES),) @@ -172,7 +172,7 @@ ifeq ($(ALL_FC_FILES),) endif @echo "Creating $(NAME) file_contexts." @test -d tmp || mkdir -p tmp - $(QUIET) m4 $(M4PARAM) $^ > $@ + $(verbose) m4 $(M4PARAM) $^ > $@ ######################################## # @@ -180,12 +180,12 @@ endif # $(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users @echo "Validating $(NAME) file_contexts." - $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC) + $(verbose) $(SETFILES) -q -c $(LOADPATH) $(FC) @echo "Installing file_contexts." @mkdir -p $(CONTEXTPATH)/files - $(QUIET) install -m 644 $(FC) $(FCPATH) - $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) - $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD) + $(verbose) install -m 644 $(FC) $(FCPATH) + $(verbose) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) + $(verbose) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD) ######################################## # 
@@ -199,7 +199,7 @@ checklabels: $(FCPATH) $(SETFILES) echo "No filesystems with extended attributes found!" ;\ false ;\ fi - $(QUIET) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS) + $(verbose) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS) restorelabels: $(FCPATH) $(SETFILES) @echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs" @@ -207,7 +207,7 @@ restorelabels: $(FCPATH) $(SETFILES) echo "No filesystems with extended attributes found!" ;\ false ;\ fi - $(QUIET) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS) + $(verbose) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS) relabel: $(FCPATH) $(SETFILES) @echo "Relabeling filesystem types: ext2 ext3 xfs jfs" @@ -215,7 +215,7 @@ relabel: $(FCPATH) $(SETFILES) echo "No filesystems with extended attributes found!" ;\ false ;\ fi - $(QUIET) $(SETFILES) $(FCPATH) $(FILESYSTEMS) + $(verbose) $(SETFILES) $(FCPATH) $(FILESYSTEMS) ######################################## # @@ -233,8 +233,8 @@ longcheck: policy.conf $(FC) # $(APPDIR)/customizable_types: policy.conf @mkdir -p $(APPDIR) - $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types - $(QUIET) install -m 644 tmp/customizable_types $@ + $(verbose) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types + $(verbose) install -m 644 tmp/customizable_types $@ ######################################## # diff --git a/refpolicy/build.conf b/refpolicy/build.conf index e5e56f6..a5d3a92 100644 --- a/refpolicy/build.conf +++ b/refpolicy/build.conf @@ -46,5 +46,6 @@ MONOLITHIC=y # Enable polyinstantiated directory support. POLY=n -# Uncomment this to disable command echoing -#QUIET:=@ +# Set this to y to only display status messages +# during build. +QUIET=n diff --git a/refpolicy/support/Makefile.devel b/refpolicy/support/Makefile.devel new file mode 100644 index 0000000..f236d7d --- /dev/null +++ b/refpolicy/support/Makefile.devel 
@@ -0,0 +1,140 @@ + +-include build.conf + +# executables +PREFIX := /usr +BINDIR := $(PREFIX)/bin +SBINDIR := $(PREFIX)/sbin +CHECKMODULE := $(BINDIR)/checkmodule +SEMODULE := $(SBINDIR)/semodule +SEMOD_PKG := $(BINDIR)/semodule_package + +# helper tools +AWK ?= gawk +INSTALL ?= install +M4 ?= m4 +SED ?= sed +EINFO ?= echo + +# installation paths +SHAREDIR := $(PREFIX)/share/selinux +MODPKGDIR := $(SHAREDIR)/$(NAME) +HEADERDIR := $(SHAREDIR)/refpolicy/include + +# set default build options +TYPE ?= strict +NAME ?= $(TYPE) +DIRECT_INITRC ?= n +POLY ?= n + +# compile strict policy if requested. +ifneq ($(findstring strict,$(TYPE)),) + M4PARAM += -D strict_policy +endif + +# compile targeted policy if requested. +ifneq ($(findstring targeted,$(TYPE)),) + M4PARAM += -D targeted_policy +endif + +# enable MLS if requested. +ifneq ($(findstring -mls,$(TYPE)),) + M4PARAM += -D enable_mls + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# enable MLS if MCS requested. +ifneq ($(findstring -mcs,$(TYPE)),) + M4PARAM += -D enable_mcs + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# enable distribution-specific policy +ifneq ($(DISTRO),) + M4PARAM += -D distro_$(DISTRO) +endif + +# enable polyinstantiation +ifeq ($(POLY),y) + M4PARAM += -D enable_polyinstantiation +endif + +ifeq ($(DIRECT_INITRC),y) + M4PARAM += -D direct_sysadm_daemon +endif + +ifneq ($(VERBOSE),y) + quiet := @ +endif + +M4PARAM += -D hide_broken_symptoms + +# policy headers +m4support := $(wildcard $(HEADERDIR)/*.spt) +all_interfaces := $(wildcard $(HEADERDIR)/*.if) +rolemap := $(HEADERDIR)/rolemap + +detected_mods := $(wildcard *.te) +detected_ifs := $(detected_mods:.te=.if) +all_packages := $(detected_mods:.te=.pp) +install_mods := $(MODPKGDIR)/$(all_packages) + +######################################## +# +# Functions +# + +# parse-rolemap modulename,outputfile +define parse-rolemap + $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ + $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " 
$$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 +endef + +# peruser-expansion modulename,outputfile +define peruser-expansion + $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2 + $(call parse-rolemap,$1,$2) + $(verbose) echo "')" >> $2 +endef + +######################################## +# +# Main targets +# + +all: $(all_packages) + +######################################## +# +# Build module packages +# +tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te + @$(EINFO) "Compliling $(NAME) $(basename $(@F)) module" + @test -d tmp || mkdir -p tmp + $(call peruser-expansion,$(basename $(@F)),$@.role) + $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + +tmp/%.mod.fc: $(m4support) %.fc + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +%.pp: tmp/%.mod tmp/%.mod.fc + @echo "Creating $(NAME) $(@F) policy package" + $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc + +tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs) + @test -d tmp || mkdir -p tmp + $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ + +######################################## +# +# Clean the environment +# + +clean: + rm -fR tmp + rm -f *.pp + +.PHONY: clean install all default
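Review bot: The `VERBOSE` switch never takes effect: the conditional sets `quiet := @`, but every recipe in this file references `$(verbose)`, which is never assigned, so commands are always echoed; rename the assignment to `verbose := @`. `MODPKGDIR := $(SHAREDIR)/$(NAME)` is evaluated with `:=` before `TYPE ?= strict` / `NAME ?= $(TYPE)` are set, so unless build.conf or the command line supplies NAME the package directory becomes `$(SHAREDIR)/`; move the default-options block above the installation paths. `install_mods := $(MODPKGDIR)/$(all_packages)` prefixes only the first word; use `install_mods := $(addprefix $(MODPKGDIR)/,$(all_packages))`. `.PHONY` lists `install` and `default`, which this file does not define, and the `tmp/all_interfaces.conf` recipe calls bare `m4`/`sed` where the helper-tool block defines `$(M4)`/`$(SED)`.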