########################################

#

# Rules and Targets for building modular policies

#

all_modules := $(base_mods) $(mod_mods) $(off_mods)

all_interfaces := $(all_modules:.te=.if)

base_pkg := $(builddir)base.pp

base_fc := $(builddir)base.fc

base_conf := $(builddir)base.conf

base_mod := $(tmpdir)/base.mod

users_extra := $(tmpdir)/users_extra

base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)

base_te_files := $(base_mods)

base_post_te_files := $(user_files) $(poldir)/constraints

base_fc_files := $(base_mods:.te=.fc)

mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))

# policy packages to install

instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))

# search layer dirs for source files

vpath %.te $(all_layers)

vpath %.if $(all_layers)

vpath %.fc $(all_layers)

.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))

########################################

#

# default action: create all module packages

#

default: policy

all policy: base modules

base: $(base_pkg)

modules: $(mod_pkgs)

install: $(instpkg) $(appfiles)

########################################

#

# Load all configured modules

#

load: $(instpkg) $(appfiles)

# make sure two directories exist since they are not

# created by semanage

	@mkdir -p $(policypath) $(dir $(fcpath))

	@echo "Loading configured modules."

	$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))

########################################

#

# Install policy packages

#

$(modpkgdir)/%.pp: $(builddir)%.pp

	@mkdir -p $(modpkgdir)

	@echo "Installing $(NAME) $(@F) policy package."

	$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)

########################################

#

# Build module packages

#

$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te

	@echo "Compliling $(NAME) $(@F) module"

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(call perrole-expansion,$(basename $(@F)),$@.role)

	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)

	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@

$(tmpdir)/%.mod.fc: $(m4support) %.fc

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@

$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc

	@echo "Creating $(NAME) $(@F) policy package"

	@test -d $(builddir) || mkdir -p $(builddir)

	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc

########################################

#

# Create a base module package

#

$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers

	@echo "Creating $(NAME) base module package"

	@test -d $(builddir) || mkdir -p $(builddir)

	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers

ifneq "$(UNK_PERMS)" ""

$(base_mod): CHECKMODULE += -U $(UNK_PERMS)

endif

$(base_mod): $(base_conf)

	@echo "Compiling $(NAME) base module"

	$(verbose) $(CHECKMODULE) $^ -o $@

$(tmpdir)/seusers: $(seusers)

	@mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@

$(users_extra): $(m4support) $(user_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \

		$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@

########################################

#

# Construct a base.conf

#

$(base_conf): $(base_sections)

	@echo "Creating $(NAME) base module $(@F)"

	@test -d $(@D) || mkdir -p $(@D)

	$(verbose) cat $^ > $@

$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy

$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/generated_definitions.conf: $(base_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

# define all available object classes

	$(verbose) $(genperm) $(avs) $(secclass) > $@

	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)

	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy

$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	@echo "divert(-1)" > $@

	$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp

	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@

	@echo "divert" >> $@

$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy

$(tmpdir)/rolemap.conf: $(rolemap)

	$(verbose) echo "" > $@

	$(call parse-rolemap,base,$@)

$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy

$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf

ifeq "$(strip $(base_te_files))" ""

	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")

endif

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy

$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff

# like genfscon and put last.

$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf

	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf

	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf

# these have to run individually because order matters:

	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf

########################################

#

# Construct a base.fc

#

$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)

	$(verbose) $(fcsort) $< $@

$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)

ifeq ($(base_fc_files),)

	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")

endif

	@echo "Creating $(NAME) base module file contexts."

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

########################################

#

# Remove the dontaudit rules from the base.conf

#

enableaudit: $(base_conf)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	@echo "Removing dontaudit rules from $(^F)"

	$(verbose) $(GREP) -v dontaudit $(base_conf) > $(tmpdir)/base.audit

	$(verbose) mv $(tmpdir)/base.audit $(base_conf)

########################################

#

# Appconfig files

#

$(appdir)/customizable_types: $(base_conf)

	@mkdir -p $(appdir)

	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types

	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ 

########################################

#

# Validate linking and expanding of modules

#

validate: $(base_pkg) $(mod_pkgs)

	@echo "Validating policy linking."

	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^

	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin

	@echo "Success."

########################################

#

# Clean the sources

#

clean:

	rm -f $(base_conf)

	rm -f $(base_fc)

	rm -f $(builddir)*.pp

	rm -f $(net_contexts)

	rm -fR $(tmpdir)

.PHONY: default all policy base modules install load clean validate