Contents of /selinux/base-policy/Makefile

#
# Makefile for the security policy.
#
# Targets:
# 
# install - compile and install the policy configuration.
# load    - compile, install, and load the policy configuration.
# reload  - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy  - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#

# Set to y if MLS is enabled in the module.
MLS=n

# Uncomment if you want to generate policy file compatible with older
# kernels.
#POLICYCOMPAT = -c 15

FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY  = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
SETFILES = $(SBINDIR)/setfiles

PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KV := $(shell policyvers)
POLICYVER := policy.$(PV)
INSTALLDIR = $(DESTDIR)/etc/security/selinux
LOADPATH = $(INSTALLDIR)/$(POLICYVER)
FCPATH = $(INSTALLDIR)/file_contexts
SRCINSTALLDIR = $(INSTALLDIR)/src
POLICYCONF = $(SRCINSTALLDIR)/policy.conf

ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
TE_RBAC_FILES := $(ALLTEFILES) rbac

POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
endif
POLICYFILES += tunable.te $(TE_RBAC_FILES)
POLICYFILES += users 
POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts

UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

FC = file_contexts/file_contexts
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)

EINFO = echo -e " \e[32;01m*\e[0m"
EWARN = echo -e " \e[33;01m*\e[0m"
EERROR = echo -e " \e[31;01m*\e[0m"

install: $(LOADPATH) $(FCPATH)

$(LOADPATH):  $(POLICYCONF) $(CHECKPOLICY)
        @$(EINFO) "Policy version: $(PV)"
        @$(EINFO) "Kernel version: $(KV)"
ifneq ($(PV),$(KV))
        @$(EWARN) "WARNING: Policy version mismatch.  Is your POLICYCOMPAT set correctly?"
        @$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
        @$(EWARN) " for more information."
endif
        @$(EINFO) "Compiling and installing $(POLICYVER)"
        @mkdir -p $(INSTALLDIR)
        @$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ $(POLICYCONF)
# Note: Can't use install, so not sure how to deal with mode, user, and group
#       other than by default.

policy: $(POLICYVER)

$(POLICYVER):  policy.conf $(CHECKPOLICY)
        @$(EINFO) "Policy version: $(PV)"
        @$(EINFO) "Kernel version: $(KV)"
ifneq ($(PV),$(KV))
        @$(EWARN) "WARNING: Policy version mismatch.  Is your POLICYCOMPAT set correctly?"
        @$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
        @$(EWARN) " for more information."
endif
        @$(EINFO) "Compiling $(POLICYVER)"
        @$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ policy.conf

$(POLICYCONF): policy.conf
        @mkdir -p $(SRCINSTALLDIR)
        @install -m 644 policy.conf $@

reload tmp/load: $(LOADPATH) $(FCPATH)
        @$(EINFO) "Loading $(POLICYVER)"
        @$(LOADPOLICY) -q $(LOADPATH)
        @touch tmp/load

load: tmp/load

enableaudit: policy.conf
        @$(EINFO) "Removing dontaudit rules from policy.conf"
        @sed -i -e '/^dontaudit/d' policy.conf

policy.conf: $(POLICYFILES) 
        @$(EINFO) "Creating policy.conf"
        @m4 $(M4PARAM) -D distro_gentoo -Imacros -s $^ > $@.tmp
        @mv $@.tmp $@
        @for i in `find . -iname '._cfg????_*'`; do \
                $(EWARN) "WARNING: Config protect file: $$i"; done

tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
        @mkdir -p tmp
        @( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
        @( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
        @echo "define(\`arch_`uname -m`')" | sed s/i[3-6]86/x86/ >> $@.tmp
        @mv $@.tmp $@

FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs|jfs).*rw/{print $$3}';`

checklabels:  $(FC) $(SETFILES)
        @$(EINFO) "Checking labels on filesystem types: ext2 ext3 xfs jfs"
        @if [ -z "$(FILESYSTEMS)" ]; then \
                $(EERROR) "No appropriate xattr filesystems detected!" ;\
                $(EERROR) "Only the above filesystem types are supported in SELinux." ;\
                false ;\
        fi
        @$(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels:  $(FC) $(SETFILES)
        @$(EINFO) "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
        @if [ -z "$(FILESYSTEMS)" ]; then \
                $(EERROR) "No appropriate xattr filesystems detected!" ;\
                $(EERROR) "Only the above filesystem types are supported in SELinux." ;\
                false ;\
        fi
        @$(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel:  $(FC) $(SETFILES)
        @$(EINFO) "Relabeling filesystem types: ext2 ext3 xfs jfs"
        @if [ -z "$(FILESYSTEMS)" ]; then \
                $(EERROR) "No appropriate xattr filesystems detected!" ;\
                $(EERROR) "Only the above filesystem types are supported in SELinux." ;\
                false ;\
        fi
        @$(SETFILES) $(FC) $(FILESYSTEMS)

# this is a nasty hack since 'make relabel' doesnt work in chroot
chroot_relabel: $(FC) $(SETFILES)
        @echo
        @echo
        @$(EWARN) "THIS SHOULD ONLY BE USED INSIDE A CHROOT!!!"
        @echo
        @$(EWARN) "Otherwise use \"make relabel\""
        @echo
        @echo
        @$(SETFILES) $(FC) -r / /

file_contexts/misc:
        mkdir -p file_contexts/misc

contexts $(FCPATH): $(FC) 
        @$(EINFO) "Installing file_contexts"
        @mkdir -p $(INSTALLDIR)
        @install -m 644 $(FC) $(FCPATH)

$(FC): $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users
        @$(EINFO) "Building file_contexts"
        @m4 -D distro_gentoo $(FCFILES) > $@.tmp
        @grep -v "^/root" $@.tmp > $@.root
        @/usr/sbin/genhomedircon.old . $@.root  > $@
        @grep "^/root" $@.tmp >> $@
        @-rm $@.tmp $@.root
        @$(SETFILES) -q -c $(LOADPATH) $(FC)

clean:
        rm -f policy.conf $(POLICYVER)
        rm -fR tmp
        rm -f $(FC)
        rm -f flask/*.h
1	pebenito	1.1	#
2			# Makefile for the security policy.
3			#
4			# Targets:
5			#
6			# install - compile and install the policy configuration.
7			# load - compile, install, and load the policy configuration.
8			# reload - compile, install, and load/reload the policy configuration.
9			# relabel - relabel filesystems based on the file contexts configuration.
10			# policy - compile the policy configuration locally for testing/development.
11			#
12			# The default target is 'install'.
13			#
14
15			# Set to y if MLS is enabled in the module.
16			MLS=n
17
18	pebenito	1.16	# Uncomment if you want to generate policy file compatible with older
19	pebenito	1.24	# kernels.
20			#POLICYCOMPAT = -c 15
21	pebenito	1.13
22	pebenito	1.1	FLASKDIR = flask/
23			PREFIX = /usr
24			BINDIR = $(PREFIX)/bin
25			SBINDIR = $(PREFIX)/sbin
26			LOADPOLICY = $(SBINDIR)/load_policy
27			CHECKPOLICY = $(BINDIR)/checkpolicy
28			SETFILES = $(SBINDIR)/setfiles
29
30	pebenito	1.22	PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V \|cut -f 1 -d ' ')
31			KV := $(shell policyvers)
32			POLICYVER := policy.$(PV)
33	pebenito	1.12	INSTALLDIR = $(DESTDIR)/etc/security/selinux
34	pebenito	1.1	LOADPATH = $(INSTALLDIR)/$(POLICYVER)
35	pebenito	1.14	FCPATH = $(INSTALLDIR)/file_contexts
36	pebenito	1.1	SRCINSTALLDIR = $(INSTALLDIR)/src
37			POLICYCONF = $(SRCINSTALLDIR)/policy.conf
38
39	pebenito	1.12	ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
40			ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
41			ALL_TYPES := $(wildcard types/*.te)
42			ALL_DOMAINS := $(wildcard domains/.te domains/misc/.te domains/program/*.te)
43			ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
44			TE_RBAC_FILES := $(ALLTEFILES) rbac
45
46	pebenito	1.1	POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
47			ifeq ($(MLS),y)
48			POLICYFILES += mls
49			endif
50	pebenito	1.12	POLICYFILES += tunable.te $(TE_RBAC_FILES)
51	pebenito	1.1	POLICYFILES += users
52	pebenito	1.12	POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
53
54			UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
55	pebenito	1.1
56			FC = file_contexts/file_contexts
57	pebenito	1.28	FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/.te)) $(wildcard file_contexts/misc/.fc)
58	pebenito	1.1
59	pebenito	1.18	EINFO = echo -e " \e[32;01m*\e[0m"
60			EWARN = echo -e " \e[33;01m*\e[0m"
61			EERROR = echo -e " \e[31;01m*\e[0m"
62
63			install: $(LOADPATH) $(FCPATH)
64	pebenito	1.1
65	pebenito	1.23	$(LOADPATH): $(POLICYCONF) $(CHECKPOLICY)
66			@$(EINFO) "Policy version: $(PV)"
67			@$(EINFO) "Kernel version: $(KV)"
68			ifneq ($(PV),$(KV))
69	pebenito	1.25	@$(EWARN) "WARNING: Policy version mismatch. Is your POLICYCOMPAT set correctly?"
70	pebenito	1.28	@$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
71	pebenito	1.25	@$(EWARN) " for more information."
72	pebenito	1.23	endif
73	pebenito	1.18	@$(EINFO) "Compiling and installing $(POLICYVER)"
74			@mkdir -p $(INSTALLDIR)
75			@$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ $(POLICYCONF)
76	pebenito	1.1	# Note: Can't use install, so not sure how to deal with mode, user, and group
77			# other than by default.
78
79			policy: $(POLICYVER)
80
81	pebenito	1.23	$(POLICYVER): policy.conf $(CHECKPOLICY)
82	pebenito	1.22	@$(EINFO) "Policy version: $(PV)"
83			@$(EINFO) "Kernel version: $(KV)"
84			ifneq ($(PV),$(KV))
85	pebenito	1.25	@$(EWARN) "WARNING: Policy version mismatch. Is your POLICYCOMPAT set correctly?"
86	pebenito	1.28	@$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
87	pebenito	1.25	@$(EWARN) " for more information."
88	pebenito	1.22	endif
89	pebenito	1.23	@$(EINFO) "Compiling $(POLICYVER)"
90			@$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ policy.conf
91	pebenito	1.22
92	pebenito	1.14	$(POLICYCONF): policy.conf
93	pebenito	1.18	@mkdir -p $(SRCINSTALLDIR)
94			@install -m 644 policy.conf $@
95	pebenito	1.1
96	pebenito	1.18	reload tmp/load: $(LOADPATH) $(FCPATH)
97			@$(EINFO) "Loading $(POLICYVER)"
98	pebenito	1.30	@$(LOADPOLICY) -q $(LOADPATH)
99	pebenito	1.18	@touch tmp/load
100	pebenito	1.1
101			load: tmp/load
102	pebenito	1.2
103	pebenito	1.12	enableaudit: policy.conf
104	pebenito	1.22	@$(EINFO) "Removing dontaudit rules from policy.conf"
105			@sed -i -e '/^dontaudit/d' policy.conf
106	pebenito	1.12
107	pebenito	1.1	policy.conf: $(POLICYFILES)
108	pebenito	1.18	@$(EINFO) "Creating policy.conf"
109	pebenito	1.27	@m4 $(M4PARAM) -D distro_gentoo -Imacros -s $^ > $@.tmp
110	pebenito	1.18	@mv $@.tmp $@
111	pebenito	1.15	@for i in `find . -iname '._cfg????_*'`; do \
112	pebenito	1.18	$(EWARN) "WARNING: Config protect file: $$i"; done
113	pebenito	1.1
114			tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
115	pebenito	1.18	@mkdir -p tmp
116			@( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
117			@( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
118	pebenito	1.19	@echo "define(\`arch_`uname -m`')" \| sed s/i[3-6]86/x86/ >> $@.tmp
119	pebenito	1.18	@mv $@.tmp $@
120	pebenito	1.1
121	pebenito	1.31	FILESYSTEMS=`mount \| grep -v "context=" \| egrep -v '\((\|.,)bind(,.\|)\)' \| awk '/(ext[23]\| xfs\|jfs).*rw/{print $$3}';`
122	pebenito	1.28
123	pebenito	1.32	checklabels: $(FC) $(SETFILES)
124			@$(EINFO) "Checking labels on filesystem types: ext2 ext3 xfs jfs"
125			@if [ -z "$(FILESYSTEMS)" ]; then \
126			$(EERROR) "No appropriate xattr filesystems detected!" ;\
127			$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
128			false ;\
129			fi
130	pebenito	1.28	@$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
131	pebenito	1.16
132	pebenito	1.32	restorelabels: $(FC) $(SETFILES)
133			@$(EINFO) "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
134			@if [ -z "$(FILESYSTEMS)" ]; then \
135			$(EERROR) "No appropriate xattr filesystems detected!" ;\
136			$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
137			false ;\
138			fi
139	pebenito	1.28	@$(SETFILES) -v $(FC) $(FILESYSTEMS)
140	pebenito	1.16
141	pebenito	1.1	relabel: $(FC) $(SETFILES)
142	pebenito	1.32	@$(EINFO) "Relabeling filesystem types: ext2 ext3 xfs jfs"
143			@if [ -z "$(FILESYSTEMS)" ]; then \
144			$(EERROR) "No appropriate xattr filesystems detected!" ;\
145			$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
146			false ;\
147			fi
148	pebenito	1.28	@$(SETFILES) $(FC) $(FILESYSTEMS)
149	pebenito	1.1
150			# this is a nasty hack since 'make relabel' doesnt work in chroot
151			chroot_relabel: $(FC) $(SETFILES)
152			@echo
153			@echo
154	pebenito	1.18	@$(EWARN) "THIS SHOULD ONLY BE USED INSIDE A CHROOT!!!"
155	pebenito	1.1	@echo
156	pebenito	1.18	@$(EWARN) "Otherwise use \"make relabel\""
157	pebenito	1.1	@echo
158			@echo
159	pebenito	1.21	@$(SETFILES) $(FC) -r / /
160	pebenito	1.1
161	pebenito	1.12	file_contexts/misc:
162			mkdir -p file_contexts/misc
163
164	pebenito	1.20	contexts $(FCPATH): $(FC)
165	pebenito	1.18	@$(EINFO) "Installing file_contexts"
166			@mkdir -p $(INSTALLDIR)
167			@install -m 644 $(FC) $(FCPATH)
168	pebenito	1.14
169	pebenito	1.12	$(FC): $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users
170	pebenito	1.18	@$(EINFO) "Building file_contexts"
171	pebenito	1.27	@m4 -D distro_gentoo $(FCFILES) > $@.tmp
172	pebenito	1.18	@grep -v "^/root" $@.tmp > $@.root
173	pebenito	1.33	@/usr/sbin/genhomedircon.old . $@.root > $@
174	pebenito	1.18	@grep "^/root" $@.tmp >> $@
175			@-rm $@.tmp $@.root
176	pebenito	1.29	@$(SETFILES) -q -c $(LOADPATH) $(FC)
177	pebenito	1.1
178			clean:
179	pebenito	1.28	rm -f policy.conf $(POLICYVER)
180	pebenito	1.1	rm -fR tmp
181			rm -f $(FC)
182	pebenito	1.28	rm -f flask/*.h