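#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy - compile the policy configuration locally for testing/development.
# contexts - build and install file_contexts only.
# checklabels / restorelabels - dry-run / apply setfiles on the detected filesystems.
# chroot_relabel - relabel '/' from inside a chroot (see the warning on the target).
# enableaudit - strip dontaudit rules from policy.conf (edits it in place).
# clean - remove generated files.
#
# The default target is 'install'.
#

# Command-style targets: none of these names a file, so declare them phony or a
# stray file of the same name (e.g. 'relabel') would silently satisfy the target.
.PHONY: install policy load reload enableaudit contexts checklabels restorelabels relabel chroot_relabel clean

# Delete a target whose recipe failed.  Without this, a policy binary or
# file_contexts that was only partially written, or that failed the final
# 'setfiles -c' validation, would look up to date on the next run and could be
# installed or loaded as-is.
.DELETE_ON_ERROR:

# Set to y if MLS is enabled in the module.
MLS = n

# Uncomment if you want to generate policy file compatible with older
# kernels.
#POLICYCOMPAT = -c 15

FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
SETFILES = $(SBINDIR)/setfiles
# Was hard-coded in the file_contexts recipe; same default, now overridable
# with 'make GENHOMEDIRCON=...'.
GENHOMEDIRCON = /usr/sbin/genhomedircon.old

# Policy version produced by checkpolicy (honours POLICYCOMPAT) and the version
# reported for the running kernel.  Both run once at parse time.  PV is empty
# when checkpolicy cannot be run; the compile recipes below refuse to proceed
# in that case instead of writing an unversioned 'policy.' file.
PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
KV := $(shell policyvers)
POLICYVER := policy.$(PV)

INSTALLDIR = $(DESTDIR)/etc/security/selinux
LOADPATH = $(INSTALLDIR)/$(POLICYVER)
FCPATH = $(INSTALLDIR)/file_contexts
SRCINSTALLDIR = $(INSTALLDIR)/src
POLICYCONF = $(SRCINSTALLDIR)/policy.conf

ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac

# Order matters: m4 concatenates these in sequence to produce policy.conf.
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
endif
POLICYFILES += tunable.te $(TE_RBAC_FILES)
POLICYFILES += users
POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts

UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

FC = file_contexts/file_contexts
# One .fc per program domain is mandatory: a domains/program/foo.te without a
# matching file_contexts/program/foo.fc fails the build ("No rule to make
# target") rather than silently leaving that program's files unlabeled.
FCFILES = file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc,$(wildcard domains/program/*.te)) $(wildcard file_contexts/misc/*.fc)

# Coloured status output.  'echo -e' is a bash extension: these recipes assume
# /bin/sh is bash (as on Gentoo); with a POSIX sh the "-e" is printed literally.
EINFO = echo -e " \e[32;01m*\e[0m"
EWARN = echo -e " \e[33;01m*\e[0m"
EERROR = echo -e " \e[31;01m*\e[0m"

install: $(LOADPATH) $(FCPATH)

# Compile policy.conf straight into its install location.  The file mode is
# whatever the umask yields (see the note below); the version warning is
# emitted at parse time via ifneq, so it is printed whenever the rule runs.
$(LOADPATH): $(POLICYCONF) $(CHECKPOLICY)
	@$(if $(strip $(PV)),,$(error Cannot determine policy version; is $(CHECKPOLICY) installed?))
	@$(EINFO) "Policy version: $(PV)"
	@$(EINFO) "Kernel version: $(KV)"
ifneq ($(PV),$(KV))
	@$(EWARN) "WARNING: Policy version mismatch. Is your POLICYCOMPAT set correctly?"
	@$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
	@$(EWARN) " for more information."
endif
	@$(EINFO) "Compiling and installing $(POLICYVER)"
	@mkdir -p $(INSTALLDIR)
	@$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ $(POLICYCONF)
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.

policy: $(POLICYVER)

# Local compile for development: writes policy.$(PV) into the source tree and
# never touches $(INSTALLDIR).
$(POLICYVER): policy.conf $(CHECKPOLICY)
	@$(if $(strip $(PV)),,$(error Cannot determine policy version; is $(CHECKPOLICY) installed?))
	@$(EINFO) "Policy version: $(PV)"
	@$(EINFO) "Kernel version: $(KV)"
ifneq ($(PV),$(KV))
	@$(EWARN) "WARNING: Policy version mismatch. Is your POLICYCOMPAT set correctly?"
	@$(EWARN) " See http://hardened.gentoo.org/selinux/selinux-x86-handbook.xml?part=4&chap=1#doc_chap6"
	@$(EWARN) " for more information."
endif
	@$(EINFO) "Compiling $(POLICYVER)"
	@$(CHECKPOLICY) $(POLICYCOMPAT) -o $@ policy.conf

$(POLICYCONF): policy.conf
	@mkdir -p $(SRCINSTALLDIR)
	@install -m 644 policy.conf $@

# 'reload' is phony and always loads; tmp/load is a stamp so 'load' only
# reloads when the installed policy or file_contexts actually changed.
reload tmp/load: $(LOADPATH) $(FCPATH)
	@$(EINFO) "Loading $(POLICYVER)"
	@$(LOADPOLICY) -q $(LOADPATH)
	@touch tmp/load

load: tmp/load

# Edits policy.conf in place.  policy.conf is then newer than all of its
# sources, so subsequent 'make load' / 'make install' runs compile and load
# the stripped (fully auditing) policy until a source changes or 'make clean'
# is run.
enableaudit: policy.conf
	@$(EINFO) "Removing dontaudit rules from policy.conf"
	@sed -i -e '/^dontaudit/d' policy.conf

# Concatenate the policy sources through m4.  Written to a temp file first so
# an m4 failure never leaves a truncated policy.conf behind.  The find loop
# only warns about leftover config-protect files in the tree.
policy.conf: $(POLICYFILES)
	@$(EINFO) "Creating policy.conf"
	@m4 $(M4PARAM) -D distro_gentoo -Imacros -s $^ > $@.tmp
	@mv $@.tmp $@
	@for i in `find . -iname '._cfg????_*'`; do \
		$(EWARN) "WARNING: Config protect file: $$i"; done

# m4 defines naming every domain file present plus the host arch.  The
# directories are prerequisites so that adding or removing a .te (which does
# not change any existing file's mtime) still triggers a regeneration;
# domains/misc is read below, so it is listed alongside domains/program.
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program domains/misc
	@mkdir -p tmp
	@( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
	@( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
	@echo "define(\`arch_`uname -m`')" | sed s/i[3-6]86/x86/ >> $@.tmp
	@mv $@.tmp $@

# Mounted, writable filesystems of the xattr-capable types, excluding bind
# mounts and mounts carrying a fixed context= option.  Recursive on purpose:
# the backticks are evaluated by the shell each time a recipe uses it.
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs|jfs|reiserfs).*rw/{print $$3}';`

# Dry run: report files whose label differs from $(FC) without changing them.
checklabels: $(FC) $(SETFILES)
	@$(EINFO) "Checking labels on filesystem types: ext2 ext3 xfs jfs reiserfs"
	@if [ -z "$(FILESYSTEMS)" ]; then \
		$(EERROR) "No appropriate xattr filesystems detected!" ;\
		$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
		false ;\
	fi
	@$(SETFILES) -v -n $(FC) $(FILESYSTEMS)

# Same as 'relabel' but prints every file it changes.
restorelabels: $(FC) $(SETFILES)
	@$(EINFO) "Restoring labels on filesystem types: ext2 ext3 xfs jfs reiserfs"
	@if [ -z "$(FILESYSTEMS)" ]; then \
		$(EERROR) "No appropriate xattr filesystems detected!" ;\
		$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
		false ;\
	fi
	@$(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel: $(FC) $(SETFILES)
	@$(EINFO) "Relabeling filesystem types: ext2 ext3 xfs jfs reiserfs"
	@if [ -z "$(FILESYSTEMS)" ]; then \
		$(EERROR) "No appropriate xattr filesystems detected!" ;\
		$(EERROR) "Only the above filesystem types are supported in SELinux." ;\
		false ;\
	fi
	@$(SETFILES) $(FC) $(FILESYSTEMS)

# this is a nasty hack since 'make relabel' doesnt work in chroot
# Relabels everything under / with the chroot root taken as the filesystem
# root ('-r /').  Unlike 'relabel' it does not restrict itself to the detected
# xattr filesystems, hence the warning: on a live system it walks every mount.
chroot_relabel: $(FC) $(SETFILES)
	@echo
	@echo
	@$(EWARN) "THIS SHOULD ONLY BE USED INSIDE A CHROOT!!!"
	@echo
	@$(EWARN) "Otherwise use \"make relabel\""
	@echo
	@echo
	@$(SETFILES) $(FC) -r / /

file_contexts/misc:
	mkdir -p file_contexts/misc

# 'contexts' is a convenience alias for installing file_contexts; because the
# rule has two targets the recipe names $(FCPATH) explicitly rather than $@.
# NOTE(review): 'contexts' was read as a second target of this rule from a
# whitespace-mangled copy of the file — confirm against the original layout.
contexts $(FCPATH): $(FC)
	@$(EINFO) "Installing file_contexts"
	@mkdir -p $(INSTALLDIR)
	@install -m 644 $(FC) $(FCPATH)

# Build file_contexts: m4 the .fc sources, let genhomedircon expand the
# home-directory entries for everything except /root, append the /root entries
# last, then validate every context against the installed policy.
# Both greps exit non-zero when they match nothing, which aborts the build;
# the sources are expected to contain /root entries.
# NOTE(review): the final 'setfiles -c' reads $(LOADPATH) but it is not a
# prerequisite of this rule: 'make relabel' on a tree whose policy was never
# installed fails here, and under 'make -j install' the check can race the
# policy compile.
$(FC): $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users
	@$(EINFO) "Building file_contexts"
	@m4 -D distro_gentoo $(FCFILES) > $@.tmp
	@grep -v "^/root" $@.tmp > $@.root
	@$(GENHOMEDIRCON) . $@.root > $@
	@grep "^/root" $@.tmp >> $@
	@$(RM) $@.tmp $@.root
	@$(SETFILES) -q -c $(LOADPATH) $(FC)

# Only removes files this Makefile generates; nothing under $(INSTALLDIR).
clean:
	$(RM) policy.conf $(POLICYVER)
	$(RM) -R tmp
	$(RM) $(FC)
	$(RM) flask/*.h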