1) Reference Policy make targets:

General Make targets:

install-src       Install the policy sources into
                  /etc/selinux/NAME/src/policy, where NAME is defined in
                  build.conf (read by the Makefile).  If not defined, the
                  TYPE, as defined in build.conf, is used.  The default
                  NAME is refpolicy.  A pre-existing source policy will
                  be moved to /etc/selinux/NAME/src/policy.bak.

conf              Regenerate policy.xml, and update/create modules.conf
                  and booleans.conf.  This should be done after adding
                  or removing modules, or after running the bare target.
                  If the configuration files exist, their settings will
                  be preserved.  This must be run on policy sources that
                  are checked out from the CVS repository before they can
                  be used.

clean             Delete all temporary files, compiled policies,
                  and file_contexts.  Configuration files are left intact.

bare              Do the clean make target and also delete configuration
                  files, web page documentation, and policy.xml.  The
                  conf target must be run again before the next build.

html              Regenerate policy.xml and create web page documentation
                  in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base              Compile and package the base module.  This is the
                  default target for modular policies.

modules           Compile and package all Reference Policy modules
                  configured to be built as loadable modules.

MODULENAME.pp     Compile and package the MODULENAME Reference Policy
                  module.

all               Compile and package the base module and all Reference
                  Policy modules configured to be built as loadable
                  modules.

install           Compile, package, and install the base module and
                  Reference Policy modules configured to be built as
                  loadable modules.

load              Compile, package, and install the base module and
                  Reference Policy modules configured to be built as
                  loadable modules, then insert them into the module
                  store.

validate          Check whether the configured modules link and expand
                  successfully.  Run this before install or load to
                  catch linking errors early.

install-headers   Install the policy headers into /usr/share/selinux/NAME.
                  The headers are sufficient for building a policy
                  module locally, without requiring the complete
                  Reference Policy sources.  The build.conf settings
                  for this policy configuration should be set before
                  using this target, since the headers are generated
                  for that configuration.

Make targets specific to monolithic policies:

policy            Compile a policy locally for development and testing.
                  This is the default target for monolithic policies.

install           Compile and install the policy and file contexts.

load              Compile and install the policy and file contexts, then
                  load the policy.

enableaudit       Remove all dontaudit rules from policy.conf, so that
                  every denial is audited.  Useful when debugging a
                  denial that a dontaudit rule would otherwise hide.

relabel           Relabel the filesystem.

checklabels       Check the labels on the filesystem, and report when
                  a file would be relabeled, but do not change its label.
                  Run this before relabel to review the changes.

restorelabels     Relabel the filesystem and report each file that is
                  relabeled.

2) Reference Policy Build Options (build.conf)

TYPE              String.  Available options are strict, targeted,
                  strict-mls, targeted-mls, strict-mcs, and targeted-mcs.
                  This sets the policy type as strict or targeted, and
                  optionally enables multi-level security (MLS) or
                  multi-category security (MCS) features.  This option
                  controls the strict_policy, targeted_policy, enable_mls,
                  and enable_mcs policy blocks.

NAME              String (optional).  Sets the name of the policy; the
                  NAME is used when installing files to, e.g.,
                  /etc/selinux/NAME and /usr/share/selinux/NAME.  If not
                  set, the policy type (TYPE) is used.

DISTRO            String (optional).  Enable distribution-specific policy.
                  Available options are redhat, rhel4, gentoo, debian,
                  and suse.  This option controls the distro_redhat,
                  distro_rhel4, distro_gentoo, distro_debian, and
                  distro_suse policy blocks.

MONOLITHIC        Boolean.  If set, a monolithic policy is built;
                  otherwise a modular policy is built.

DIRECT_INITRC     Boolean.  If set, sysadm will be allowed to directly
                  run init scripts, instead of requiring the run_init
                  tool.  This is a build option instead of a tunable since
                  role transitions do not work in conditional policy.
                  This option controls the direct_sysadm_daemon policy
                  blocks.  Leave it unset where the re-authentication
                  that run_init performs before starting a daemon is
                  wanted; because it is a build option, the choice
                  cannot be changed at runtime.

POLY              Boolean.  If set, policy for polyinstantiated
                  directories will be enabled.  This option controls the
                  enable_polyinstantiation policy blocks.

OUTPUT_POLICY     Integer.  Set the version of the policy created when
                  building a monolithic policy.  This option has no effect
                  on modular policy.

QUIET             Boolean.  If set, the build system will only display
                  status messages and error messages.  This option has no
                  effect on the policy.

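A worked example of how these options combine, added here and not part of the Reference Policy sources: a shell script that reads a build.conf, validates TYPE and DISTRO against the lists above, derives NAME from TYPE when it is unset, and names the policy blocks that will be enabled.  It assumes boolean options are written as y/n and that settings are "KEY = value" lines; the sample build.conf it constructs and the function names (conf_get, in_list, describe_build_conf) are its own.

```bash
#!/bin/sh
# Added example, not part of the Reference Policy sources: read a build.conf and
# report how the build system will interpret it, following the rules the README
# gives for TYPE, NAME, DISTRO, MONOLITHIC, DIRECT_INITRC and POLY.
# Assumptions: booleans are "y"/"n"; lines are "KEY = value"; the function
# names and the sample file are this script's own.

VALID_TYPES="strict targeted strict-mls targeted-mls strict-mcs targeted-mcs"
VALID_DISTROS="redhat rhel4 gentoo debian suse"

# conf_get FILE KEY: value of the first "KEY = value" line (empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# in_list WORD LIST: succeed if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# describe_build_conf FILE: print three lines (effective settings, install
# paths, enabled policy blocks).  Fails with a message on an unknown TYPE or
# DISTRO instead of silently building something else.
describe_build_conf() {
    f=$1
    ptype=$(conf_get "$f" TYPE)
    in_list "$ptype" "$VALID_TYPES" || { echo "invalid TYPE: '$ptype'" >&2; return 1; }
    base=${ptype%%-*}                      # strict or targeted
    mls=0; mcs=0
    case $ptype in
        *-mls) mls=1 ;;
        *-mcs) mcs=1 ;;
    esac
    name=$(conf_get "$f" NAME)
    [ -n "$name" ] || name=$ptype          # NAME defaults to TYPE
    distro=$(conf_get "$f" DISTRO)
    if [ -n "$distro" ] && ! in_list "$distro" "$VALID_DISTROS"; then
        echo "invalid DISTRO: '$distro'" >&2
        return 1
    fi
    mode=modular
    [ "$(conf_get "$f" MONOLITHIC)" = y ] && mode=monolithic
    echo "type=$base mls=$mls mcs=$mcs name=$name distro=${distro:-none} mode=$mode"
    echo "install: /etc/selinux/$name /usr/share/selinux/$name"
    blocks="${base}_policy"
    [ "$mls" = 1 ] && blocks="$blocks enable_mls"
    [ "$mcs" = 1 ] && blocks="$blocks enable_mcs"
    [ -n "$distro" ] && blocks="$blocks distro_$distro"
    [ "$(conf_get "$f" DIRECT_INITRC)" = y ] && blocks="$blocks direct_sysadm_daemon"
    [ "$(conf_get "$f" POLY)" = y ] && blocks="$blocks enable_polyinstantiation"
    echo "blocks: $blocks"
}

# Constructed sample build.conf for this example (not a real one).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample build.conf
TYPE = strict-mls
# NAME left unset on purpose: it falls back to TYPE
DISTRO = gentoo
MONOLITHIC = n
DIRECT_INITRC = n
POLY = y
EOF

describe_build_conf "$SAMPLE_CONF"
```

Running it against the sample prints the install paths derived from NAME (here /etc/selinux/strict-mls and /usr/share/selinux/strict-mls) and the block list strict_policy enable_mls distro_gentoo enable_polyinstantiation; a misspelled TYPE is rejected rather than treated as a new policy type.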
3) Reference Policy Files and Directories

All directories are relative to the root of the Reference Policy sources
directory.

Makefile                       General rules for building the policy.

Rules.modular                  Makefile rules specific to building loadable
                               module policies.

Rules.monolithic               Makefile rules specific to building monolithic
                               policies.

build.conf                     Options which influence the building of the
                               policy, such as the policy type (strict,
                               targeted, etc.) and distribution.

config/appconfig-*             Application configuration files for all
                               configurations of the Reference Policy
                               (targeted/strict with or without MLS or MCS).
                               These are used by SELinux-aware programs.

config/local.users             The file read by load_policy for adding SELinux
                               users to the policy on the fly.

doc/html/*                     This contains the contents of the in-policy XML
                               documentation, presented in web page form.

doc/policy.dtd                 The doc/policy.xml file is validated against
                               this DTD.

doc/policy.xml                 This file is generated/updated by the conf and
                               html make targets.  It contains the complete
                               XML documentation included in the policy.

doc/templates/*                Templates used for documentation web pages.

policy/booleans.conf           This file is generated/updated by the conf make
                               target.  It contains the booleans in the policy,
                               and their default values.  If tunables are
                               implemented as booleans, tunables will also be
                               included.  This file will be installed as the
                               /etc/selinux/NAME/booleans file.

policy/constraints             This file defines additional constraints on
                               permissions in the form of boolean expressions
                               that must be satisfied in order for specified
                               permissions to be granted.  These constraints
                               are used to further refine the type enforcement
                               rules and the role allow rules.  Typically,
                               these constraints are used to restrict changes
                               in user identity or role to certain domains.

policy/global_booleans         This file defines all booleans that have a
                               global scope, their default value, and
                               documentation.

policy/global_tunables         This file defines all tunables that have a
                               global scope, their default value, and
                               documentation.

policy/flask/initial_sids      This file has declarations for each initial SID.

policy/flask/security_classes  This file has declarations for each security
                               class.

policy/flask/access_vectors    This file defines the access vectors.  Common
                               prefixes for access vectors may be defined at
                               the beginning of the file.  After the common
                               prefixes are defined, an access vector may be
                               defined for each security class.

policy/mcs                     The multi-category security (MCS) configuration.

policy/mls                     The multi-level security (MLS) configuration.

policy/modules/*               Each directory represents a layer in Reference
                               Policy; all of the modules are contained in one
                               of these layers.

policy/modules.conf            This file contains a listing of available
                               modules, and how they will be used when building
                               Reference Policy.  To prevent a module from
                               being used, set the module to "off".  For
                               monolithic policies, modules set to "base" and
                               "module" will be included in the policy.  For
                               modular policies, modules set to "base" will be
                               included in the base module; those set to
                               "module" will be compiled as individual
                               loadable modules.

policy/rolemap                 This file contains the prefix and user domain
                               type that correspond to each user role.  The
                               contents of this file will be used to expand
                               the per-user domain templates for each module.

policy/support/*               Support macros.

policy/users                   This file defines the users included in the
                               policy.

support/*                      Tools used in the build process.

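An added example, not part of the Reference Policy sources, for working with policy/modules.conf in the "name = base|module|off" form described above: it lists which modules end up in the loaded policy image for a monolithic versus a modular build, rejects unknown settings and duplicate entries before a build silently misuses them, and switches a module off without hand-editing.  The sample file is constructed for the example (its comment layout is loosely modeled on what the conf target writes; comments are not parsed) and the function names are the script's own.

```bash
#!/bin/sh
# Added example, not part of the Reference Policy sources: inspect and edit a
# modules.conf.  The sample file and the function names are this script's own.

# module_names FILE: every configured module name, in file order.
module_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)[[:space:]]*=.*/\1/p' "$1"
}

# list_modules FILE STATE: sorted names of the modules set to STATE.
list_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]\{1,\}\)[[:space:]]*=[[:space:]]*'"$2"'[[:space:]]*$/\1/p' "$1" | sort
}

# in_policy FILE MONOLITHIC(y|n): modules whose rules land in the policy image
# that gets loaded: "base" and "module" entries for a monolithic build, only
# "base" entries for a modular build (the rest become separate .pp packages).
in_policy() {
    if [ "$2" = y ]; then
        { list_modules "$1" base; list_modules "$1" module; } | sort
    else
        list_modules "$1" base
    fi
}

# check_modules_conf FILE: fail if any non-comment line is not "name = state"
# with a known state, or if a module is listed more than once (ambiguous).
check_modules_conf() {
    bad=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
          | grep -v -E '^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*(base|module|off)[[:space:]]*$' || true)
    dups=$(module_names "$1" | sort | uniq -d)
    rc=0
    [ -z "$bad" ] || { echo "unknown or malformed setting: $bad" >&2; rc=1; }
    [ -z "$dups" ] || { echo "module listed more than once: $dups" >&2; rc=1; }
    return $rc
}

# set_module FILE NAME STATE: rewrite NAME's line to "NAME = STATE".  Setting a
# module to "off" is how it is kept out of the build entirely.
set_module() {
    case $3 in base|module|off) ;; *) echo "unknown state: $3" >&2; return 1 ;; esac
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1" || { echo "no such module: $2" >&2; return 1; }
    tmp=$(mktemp)
    sed "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample modules.conf (not generated from a real policy tree).
MODULES_CONF=$(mktemp)
cat > "$MODULES_CONF" <<'EOF'
# Layer: kernel
# Module: kernel
#
# Policy for kernel threads, proc filesystem, and unlabeled processes.
#
kernel = base

# Layer: system
# Module: init
#
init = base

# Layer: services
# Module: ssh
#
ssh = module

# Layer: services
# Module: cups
#
cups = off
EOF

check_modules_conf "$MODULES_CONF"
echo "monolithic build includes: $(in_policy "$MODULES_CONF" y | tr '\n' ' ')"
echo "modular base module includes: $(in_policy "$MODULES_CONF" n | tr '\n' ' ')"
echo "loadable modules: $(list_modules "$MODULES_CONF" module | tr '\n' ' ')"
echo "disabled: $(list_modules "$MODULES_CONF" off | tr '\n' ' ')"
```

Run check_modules_conf after editing modules.conf and before make; a typo such as "ssh = modul" would otherwise only surface, if at all, as a missing module at link time.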
4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution.  Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te
file in a directory.  A sample Makefile to use in the directory is the
Makefile.example in the doc directory.  This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
must have a metadata.xml file, which is an XML file with a summary tag and
an optional desc (long description) tag.  This should describe the purpose
of the layer.

metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp     Compile and package the MODULENAME local module.

all               Compile and package the modules in the current
                  directory.

load              Compile and package the modules in the current
                  directory, then insert them into the module store.

refresh           Attempts to reinsert all modules that are currently
                  in the module store from the local and system module
                  packages.

xml               Build a policy.xml from the XML included with the
                  base policy headers and any XML in the modules in
                  the current directory.
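An added example of the local-module procedure above, not code from the Reference Policy sources: it scaffolds a directory with a minimal .te (a policy_module() declaration, one private type, and the files_type() interface call that marks it as a file type) plus an empty .fc, then builds MODULENAME.pp by calling the headers' Makefile with make -f.  Assumptions: the headers are installed under /usr/share/selinux/refpolicy (NAME=refpolicy; override with the HEADERS variable), the module name mymod and the function names are the script's own, and the .te contents are only an illustration.

```bash
#!/bin/sh
# Added example, not part of the Reference Policy sources: scaffold a local
# module directory and build it against installed headers with make -f.
# Assumed header location (NAME=refpolicy); override with HEADERS=... in the
# environment.
HEADERS=${HEADERS:-/usr/share/selinux/refpolicy}

# scaffold_module DIR NAME: write DIR/NAME.te and an empty DIR/NAME.fc (for
# file contexts to be added later).  Every module's .te begins with
# policy_module(name, version).  Prints the .te path.
scaffold_module() {
    mkdir -p "$1"
    cat > "$1/$2.te" <<EOF
policy_module($2, 1.0.0)

# constructed illustration: a private type for this module's data files,
# declared to the kernel layer's file types via the files_type() interface
type ${2}_data_t;
files_type(${2}_data_t)
EOF
    : > "$1/$2.fc"
    echo "$1/$2.te"
}

# build_module DIR NAME [HEADERS]: build DIR/NAME.pp with the headers' Makefile.
# Returns 2 without running make when the headers are missing, so that case is
# distinguishable from a compile error reported by make itself.
build_module() {
    hdr=${3:-$HEADERS}
    if [ ! -f "$hdr/Makefile" ]; then
        echo "no headers at $hdr: install the distribution's policy headers or run" \
             "'make install-headers' from the full Reference Policy sources" >&2
        return 2
    fi
    ( cd "$1" && make -f "$hdr/Makefile" "$2.pp" )
}

WORK=$(mktemp -d)
scaffold_module "$WORK" mymod
cat "$WORK/mymod.te"
build_module "$WORK" mymod || echo "build skipped or failed (exit $?)"
```

Building needs no privileges; inserting the result into the module store does, so the load target (make -f "$HEADERS/Makefile" load in the same directory) is run as root after the .pp builds cleanly.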