########################################
#
# Rules and Targets for building modular policies
#
# Module sets.  BASE_MODS and MOD_MODS are supplied by the including
# Makefile (presumably from MOD_CONF); only entries that were actually
# found on disk (DETECTED_MODS) are kept.
ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
ALL_INTERFACES := $(patsubst %.te,%.if,$(ALL_MODULES))

# Base module outputs and the inputs that are concatenated into base.conf.
# The base.conf rule feeds BASE_SECTIONS to m4 in exactly this order, so
# do not reorder it: pre-TE files, generated definitions, interfaces,
# attribute/type declarations, global booleans and tunables, the remaining
# TE rules, then the post-TE section.
BASE_PKG := base.pp
BASE_FC := base.fc
BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
BASE_TE_FILES := $(BASE_MODS)
BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
BASE_FC_FILES := $(patsubst %.te,%.fc,$(BASE_MODS))

# Loadable module outputs: one compiled .mod and one .pp package per .te
# file in MOD_MODS.  Packages are written to the current directory (see
# the %.pp rule), hence the notdir.  MOD_MODULES is not referenced by
# any rule in this file.
MOD_MODULES := $(patsubst %.te,%.mod,$(MOD_MODS))
MOD_PKGS := $(notdir $(patsubst %.te,%.pp,$(MOD_MODS)))

# Let the pattern rules locate .te/.if/.fc sources in any policy layer.
vpath %.te $(ALL_LAYERS)
vpath %.if $(ALL_LAYERS)
vpath %.fc $(ALL_LAYERS)
########################################
#
# default action: create all module packages
#
# Despite the heading, `default' builds only the base package; the
# loadable packages are built by `modules'.  `default' is the first rule
# in this file, so it is the goal when make is run with no target --
# unless the including Makefile has already defined an earlier rule.
default: base
base: $(BASE_PKG)
modules: $(MOD_PKGS)
# Not implemented in this file; kept as placeholders for the intended
# policy/install/load targets.
#policy: $(POLVER)
#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
#load: tmp/load
########################################
#
# Create a base module package
#
# base.pp is built from the compiled base module and the base file
# contexts.  $(SEMOD_PKG) (presumably semodule_package) takes the output
# name first; $< is tmp/base.mod and the second prerequisite is base.fc.
$(BASE_PKG): tmp/base.mod $(BASE_FC)
	@echo "Creating $(NAME) base module package"
	$(QUIET) $(SEMOD_PKG) $@ $< $(word 2,$^)
########################################
#
# Compile a base module
#
# The assembled base.conf is compiled into tmp/base.mod.  Note that the
# loadable-module rule below passes -m to $(CHECKMODULE); this one does
# not.
tmp/base.mod: base.conf
	@echo "Compiling $(NAME) base module"
	$(QUIET) $(CHECKMODULE) $< -o $@
########################################
#
# Construct a base module policy.conf
#
# Every section in BASE_SECTIONS is run through m4 (in that order) with
# self_contained_policy defined.  portcon/netifcon/nodecon statements
# can land anywhere in the m4 output, so they are stripped from the main
# body and re-appended, grouped by kind, at the end.
base.conf: $(BASE_SECTIONS)
	@echo "Creating $(NAME) base module policy.conf"
# checkpolicy can use the #line directives provided by -s for error reporting:
	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
	$(QUIET) sed -e '/^portcon/d' -e '/^nodecon/d' -e '/^netifcon/d' tmp/$@.tmp > $@
# the ordering of these ocontexts matters; a kind with no statements is
# not an error, hence `|| true':
	$(QUIET) for oc in portcon netifcon nodecon; do \
		grep "^$$oc" tmp/$@.tmp >> $@ || true ;\
	done
# Everything that precedes the TE rules in base.conf, concatenated in
# BASE_PRE_TE_FILES order.
tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
# Generated m4 definitions shared by base.conf and every loadable module.
# Regenerated whenever a layer directory or a base .te file changes.
# NOTE(review): the layer directories themselves are ordinary
# prerequisites, which is presumably what makes adding or removing a
# module file (directory mtime) trigger a rebuild -- confirm before
# turning them into order-only prerequisites.
tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
	@test -d tmp || mkdir -p tmp
# define all available object classes
	$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates
# Emits an m4 macro `per_userdomain_templates' whose body contains, for
# every module foo in ALL_MODULES, the line
#   ifdef(`foo_per_userdomain_template',`foo_per_userdomain_template($*)')
# so that invoking the macro calls each module's template that is
# actually defined, forwarding the macro arguments.  The shell quoting is
# deliberate: "$$i" is the module name and '$$*' yields a literal $* for
# m4 rather than the shell's positional parameters.
	$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
			>> $@ ;\
	done
	$(QUIET) echo "')" >> $@
# define foo.te
# One m4 define per base module file name (e.g. `kernel.te'), presumably
# so policy sources can ifdef on whether a module is compiled into base.
	$(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
		echo "define(\`$$i')" >> $@ ;\
	done
# Tunable/boolean settings are appended last; SETTUN and BOOLEANS are
# defined outside this file.
	$(QUIET) $(SETTUN) $(BOOLEANS) >> $@
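# Expand every module's interface file into one m4-ready file.
# The .if sources presumably spell "$*" as "dollarsstar" so that m4 does
# not expand it while these files are processed; it is restored with sed
# afterwards.  m4 is run into a temporary file and its exit status is
# checked before sed runs: with the previous `m4 | sed' pipeline a
# failing m4 was masked by sed's exit status, leaving a partial
# all_interfaces.conf that looked up to date.
tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
ifeq ($(ALL_INTERFACES),)
	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@mkdir -p $(@D)
	$(QUIET) m4 $^ > $@.tmp
	$(QUIET) sed -e 's/dollarsstar/$$*/g' $@.tmp > $@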
# All base module .te files concatenated; the $(error) fires only when
# this recipe actually runs with no base modules configured.
tmp/all_te_files.conf: $(BASE_TE_FILES)
ifeq ($(BASE_TE_FILES),)
	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
# Files that follow the TE rules in base.conf (systemuser, constraints).
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
	@mkdir -p $(@D)
	$(QUIET) cat $^ > $@
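# extract attributes and put them first. extract post te stuff
# like genfscon and put last. portcon, nodecon, and netifcon
# is delayed since they are generated by m4
#
# attribute and type declarations go to all_attrs_types.conf; sid,
# fs_use_* and genfscon statements go after the post-TE files in
# all_post.conf; whatever remains (the TE rules proper) becomes
# only_te_rules.conf.
#
# One recipe writes all three files.  Naming all three on one rule
# header would give make three independent rules sharing a recipe, which
# `make -j' can run concurrently so that they clobber each other's
# output.  The recipe therefore belongs to a single stamp target and the
# three files depend on it with an empty recipe.  (Deleting one of the
# three by hand while the stamp remains will not regenerate it;
# `make clean' removes all of tmp/.)
tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/split_te_files.stamp ;

tmp/split_te_files.stamp: tmp/all_te_files.conf tmp/post_te_files.conf
	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
# no `|| true' on the type grep, presumably deliberate: a base with no
# type declarations is not a usable policy
	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
		-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
		< tmp/all_te_files.conf > tmp/only_te_rules.conf
	$(QUIET) touch $@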
########################################
#
# Construct base module file contexts
#
# base.fc is the m4-expanded concatenation of every base module's .fc
# file, passed through $(FCSORT) (presumably a sorter, given its name).
# $(FCSORT) is a prerequisite so a rebuilt tool regenerates the contexts.
$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
ifeq ($(BASE_FC_FILES),)
	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
	@echo "Creating $(NAME) base module file contexts."
	@test -d tmp || mkdir -p tmp
	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
# Entries mentioning HOME or ROLE are split out into $(HOMEDIR_TEMPLATE),
# a second output this rule writes without declaring it as a target:
# nothing in this file depends on it and `clean' only removes it if it
# lives under tmp/.  NOTE(review): grep exits 1 when nothing matches,
# which fails this recipe for a base with no HOME/ROLE entries --
# presumably never the case; confirm before adding `|| true'.
	$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
# ...and dropped from the plain contexts in place (GNU sed -i).
	$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
	$(QUIET) $(FCSORT) tmp/$@.tmp $@
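########################################
#
# Build module packages
#
# tmp/foo.mod is compiled from foo.te (located via vpath) together with
# the m4 support file, the generated definitions and all interfaces.
# The guard checks that one of the prerequisites (in practice the .te)
# is listed in MOD_MODS and refuses to build a module that is configured
# as base or disabled, instead of silently producing a stray package.
# Fixes the "lodable"/"Compliling" typos in the user-facing messages.
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
	@if test -z "$(filter $^,$(MOD_MODS))"; then \
		echo "The $(notdir $(basename $@)) module is not configured to be compiled as a loadable module." ;\
		false ;\
	fi
	@echo "Compiling $(NAME) $(@F) module"
# -s emits #line directives so checkmodule errors point at the source
	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@

# foo.pp = compiled module plus its file contexts (foo.fc via vpath).
%.pp: tmp/%.mod %.fc
	@echo "Creating $(NAME) $(@F) policy package"
	$(QUIET) $(SEMOD_PKG) $@ $^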
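########################################
#
# Clean the sources
#
# Removes only what this file produces: the tmp/ scratch directory, the
# assembled base.conf, every .pp package in the current directory and the
# base file contexts.  $(HOMEDIR_TEMPLATE), written by the $(BASE_FC)
# rule, is covered only if it lives under tmp/.
clean:
	rm -fR tmp
	rm -f base.conf
	rm -f *.pp
	rm -f $(BASE_FC)

.PHONY: default base modules clean

# Several recipes above write straight to $@ (checkmodule, semodule
# package creation, the grep/sed splits).  Without this, a recipe that
# fails part-way leaves a truncated target that is newer than its
# prerequisites and is therefore treated as up to date on the next run.
.DELETE_ON_ERROR: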