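# helper tools
# All '?=' so a caller can point at a different implementation from the
# command line or the environment (e.g. AWK=mawk).
AWK ?= gawk
INSTALL ?= install
M4 ?= m4
SED ?= sed
EINFO ?= echo
PYTHON ?= python
CUT ?= cut

# Policy type: the SELINUXTYPE value from the system SELinux config unless the
# caller already provides NAME.  $(origin NAME) reproduces the '?=' test
# exactly (an explicitly empty NAME is respected, only "undefined" triggers
# detection), while ':=' runs the awk pipeline once at parse time instead of
# on every expansion of NAME — which the original recursive '?=' did.
# If /etc/selinux/config is missing or has no SELINUXTYPE line, NAME ends up
# empty and the include below fails on a path without a policy name.
ifeq ($(origin NAME),undefined)
NAME := $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
endif

SHAREDIR ?= /usr/share/selinux
HEADERDIR ?= $(SHAREDIR)/$(NAME)/include

# Hard include: if the policy headers for $(NAME) are not installed under
# $(HEADERDIR), make stops here rather than continuing with an empty config.
include $(HEADERDIR)/build.conf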
# executables
# Fixed paths (':='), not '?=' defaults: a makefile assignment overrides any
# environment value, so only a command-line 'make PREFIX=...' changes them.
# CHECKMODULE is a simply-expanded string here; the MLS/MCS blocks below
# append ' -M' to it with '+='.
PREFIX := /usr
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKMODULE := $(BINDIR)/checkmodule
SEMODULE := $(SBINDIR)/semodule
SEMOD_PKG := $(BINDIR)/semodule_package
XMLLINT := $(BINDIR)/xmllint
# set default build options if missing
# '?=' only fills in values not already provided (presumably by build.conf,
# included above, or the command line).  TYPE is matched by substring below
# (strict/targeted, -mls/-mcs), so e.g. "strict-mls" selects both.
# POLY is not referenced by any rule in this file.
TYPE ?= strict
DIRECT_INITRC ?= n
POLY ?= n
QUIET ?= y
# interface documentation generator (segenxml.py from the installed headers)
genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py

# documentation output directory and the assembled policy.xml
docs = doc
polxml = $(docs)/policy.xml
# DTD used by the optional xmllint validation of $(polxml)
xmldtd = $(HEADERDIR)/support/policy.dtd
# per-layer metadata file name, looked up inside each layer directory
metaxml = metadata.xml

# global tunable/boolean documentation shipped with the headers
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
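# Build-type switches.  The assignments inside these conditionals are
# indented with spaces, not tabs: a tab-led line is only parsed as an
# assignment here because no rule precedes it in the file — once a rule
# appears above, tab-led lines silently become recipe text of that rule.

# compile strict policy if requested.
ifneq ($(findstring strict,$(TYPE)),)
  M4PARAM += -D strict_policy
endif

# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
  M4PARAM += -D targeted_policy
endif

# enable MLS if requested.
# CHECKPOLICY is extended here alongside CHECKMODULE, but no rule in this file
# invokes it (the .mod rule uses CHECKMODULE); presumably kept in step with
# the main policy Makefile — confirm.
ifneq ($(findstring -mls,$(TYPE)),)
  M4PARAM += -D enable_mls
  CHECKPOLICY += -M
  CHECKMODULE += -M
endif

# enable MLS if MCS requested (MCS also needs checkmodule's -M).
ifneq ($(findstring -mcs,$(TYPE)),)
  M4PARAM += -D enable_mcs
  CHECKPOLICY += -M
  CHECKMODULE += -M
endif

# enable distribution-specific policy.
# DISTRO is not assigned in this file; it is expected from build.conf
# (included above) or the command line.
ifneq ($(DISTRO),)
  M4PARAM += -D distro_$(DISTRO)
endif

# DIRECT_INITRC=y defines direct_sysadm_daemon for the policy.
ifeq ($(DIRECT_INITRC),y)
  M4PARAM += -D direct_sysadm_daemon
endif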
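# default MLS/MCS sensitivity and category settings.
# Passed to m4 as mls_num_sens / mls_num_cats / mcs_num_cats below.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256

# QUIET=y hides the recipe commands: $(verbose) expands to '@' and is placed
# in front of every non-message recipe line.  For any other value verbose is
# left undefined and expands to nothing, so the commands are echoed.
# Indented with spaces on purpose: a tab here is only tolerated because no
# rule precedes this point in the file.
ifeq ($(QUIET),y)
  verbose := @
endif

M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)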
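# policy headers
# Everything in this section is derived from $(HEADERDIR) and the working
# directory through $(wildcard) and $(shell find ...).  They are assigned with
# ':=' so each glob/find runs exactly once at parse time; with the original
# recursive '=' the find re-ran on every expansion, and these variables are
# referenced from many of the ones below them.  All inputs (HEADERDIR, docs,
# metaxml, CURDIR) are defined before this point, so eager expansion is safe.
m4support := $(wildcard $(HEADERDIR)/support/*.spt)

# installed header layers: every directory directly under HEADERDIR except
# support/ (find -maxdepth 0 -type d keeps only the directories of the glob)
all_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
all_interfaces := $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
rolemap := $(HEADERDIR)/rolemap

# local layers: every directory in the working directory except CVS, tmp and $(docs)
detected_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))

# clayers: local layers that also exist in the headers (documented combined);
# all_layers_subset: header-only layers; detected_layers_subset: local-only layers
clayers := $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
all_layers_subset := $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
detected_layers_subset := $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))

# modules: loose .te files in the working directory plus those in local layers
3rd_party_mods := $(wildcard *.te)
detected_mods := $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
detected_mods_subset := $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))

# companion files and the packages 'all' builds (packages land in the cwd)
detected_ifs := $(detected_mods:.te=.if)
detected_fcs := $(detected_mods:.te=.fc)
all_packages := $(notdir $(detected_mods:.te=.pp))

# documentation files for local-only modules/layers (plus one for the cwd itself)
modxml := $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
layerxml := $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))

# documentation files for header-only layers
hmodxml := $(all_interfaces:.if=.xml)
hlayerxml := $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
hmetaxml := $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))

# documentation files for layers present both locally and in the headers
cmods := $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
cmodxml := $(cmods:.te=.xml)
clayerxml := $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
cmetaxml := $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))

# figure out what modules we may want to reload
# loaded_mods (and the two filters on it) stay recursive on purpose: they run
# 'semodule -l', which should only happen when the refresh recipe expands
# them, not at parse time of every make invocation.  cut -f1 keeps the module
# name column of that listing.
loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
sys_mods := $(wildcard $(SHAREDIR)/$(NAME)/*.pp)
match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
match_loc = $(filter $(all_packages),$(loaded_mods))

# let the pattern rules find a module's sources inside any local layer
vpath %.te $(detected_layers)
vpath %.if $(detected_layers)
vpath %.fc $(detected_layers)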
########################################
#
# Functions
#

# parse-rolemap-compat modulename,outputfile
# Old-name variant of parse-rolemap (below): identical except that it
# instantiates $1_per_userdomain_template instead of $1_per_role_template.
# Runs $(rolemap) through m4 and, for every line whose first non-blank
# character is a letter, appends to $2 a gen_require() for the role (field 1)
# and type (field 3) followed by the template call with fields 2, 3, 1.
# $$1/$$2/$$3 are awk fields; $1/$2 are this function's arguments.
define parse-rolemap-compat
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# parse-rolemap modulename,outputfile
# Runs $(rolemap) through m4 and, for every line whose first non-blank
# character is a letter, appends to $2 a gen_require() for the role (field 1)
# and type (field 3) followed by a $1_per_role_template() call with fields
# 2, 3 and 1.  $$1/$$2/$$3 are awk fields; $1/$2 are this function's
# arguments.  Only appends ('>>'); the caller creates/truncates $2.
define parse-rolemap
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
# Writes the per-role expansion file $2 (the .mod rule passes tmp/NAME.mod.role)
# that is fed to m4 after the module's .te.  The first echo truncates $2;
# everything else appends.  The rolemap expansion is wrapped in an m4 ifdef()
# so it only takes effect when the module defines $1_per_role_template; a
# second ifdef() block does the same for the old $1_per_userdomain_template
# name, preceded by an m4 errprint() deprecation warning.  In the echo strings
# "\`" produces m4's opening quote and "'" its closing quote; ""$1"" splices
# the module name into the double-quoted text.
define peruser-expansion
	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
	$(call parse-rolemap,$1,$2)
	$(verbose) echo "')" >> $2

	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
	$(call parse-rolemap-compat,$1,$2)
	$(verbose) echo "')" >> $2
endef
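# refresh is a command, not a file, like the others: without .PHONY a file
# named 'refresh' in the working directory would silently disable it.
.PHONY: clean all xml load reload refresh
# clear the built-in suffix list; .pp is re-added although no suffix rule in
# this file uses it
.SUFFIXES:
.SUFFIXES: .pp
# broken in make 3.81:
#.SECONDARY:
# Delete a target whose recipe failed, so a truncated .pp/.mod/.xml left by
# an interrupted checkmodule/semodule_package/cat does not look up to date on
# the next run.  The tmp/loaded stamp is unaffected: it is only touched after
# semodule succeeded.
.DELETE_ON_ERROR:

########################################
#
# Main targets
#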
# default goal: build every policy package for the modules found in the
# working directory and its local layers
all: $(all_packages)

# build the interface documentation ($(polxml), i.e. doc/policy.xml)
xml: $(polxml)
########################################
#
# Attempt to reinstall all installed packages
#
# Passes the installed base.pp with -b and re-inserts every currently loaded
# module that is either installed under $(SHAREDIR)/$(NAME) (match_sys) or
# built here (match_loc).  Loaded modules found in neither place are not
# re-inserted.  Expanding match_sys/match_loc runs 'semodule -l' at recipe
# time (loaded_mods is recursive), once per reference.
refresh:
	@$(EINFO) "Refreshing $(NAME) modules"
	$(verbose) $(SEMODULE) -b $(SHAREDIR)/$(NAME)/base.pp $(addprefix -i ,$(match_sys) $(match_loc))
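########################################
#
# Load module packages
#
# tmp/loaded is a stamp file: only the packages newer than it ($?) are passed
# to semodule, so 'make load' after a partial rebuild inserts just what
# changed.  The stamp is touched only after semodule succeeded; the recipe
# refers to it as $@ rather than by its literal name so rule and recipe cannot
# drift apart.

load: tmp/loaded
tmp/loaded: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
	$(verbose) $(SEMODULE) $(addprefix -i ,$?)
	@mkdir -p $(@D)
	@touch $@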
# Unconditionally re-insert every package ($^, not just the newer ones), then
# refresh the tmp/loaded stamp so a following 'make load' is a no-op.
reload: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
	$(verbose) $(SEMODULE) $(addprefix -i ,$^)
	@mkdir -p tmp
	@touch tmp/loaded
########################################
#
# Build module packages
#
# tmp/NAME.mod: generate the per-role expansion (tmp/NAME.mod.role), m4-expand
# the support macros, the combined interface file and the module's .te ($^)
# together with it into tmp/NAME.tmp (-s keeps m4 synclines), then compile
# that with checkmodule.  $* is the module name (the stem of tmp/%.mod).
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
	@$(EINFO) "Compiling $(NAME) $* module"
	@mkdir -p $(@D)
	$(call peruser-expansion,$*,$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
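# tmp/NAME.mod.fc: m4-expand the module's file contexts with the support
# macros.  Creates the output directory itself: nothing in its prerequisites
# does, so under 'make -j' (or when built alone) the redirect could otherwise
# run before tmp/NAME.mod or tmp/all_interfaces.conf has created tmp/.
tmp/%.mod.fc: $(m4support) %.fc
	@mkdir -p $(@D)
	$(verbose) $(M4) $(M4PARAM) $^ > $@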
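# NAME.pp: package the compiled module ($<) with its expanded file contexts
# (the second prerequisite) in the working directory.  Status message goes
# through $(EINFO) like every other rule here, not a bare echo.
%.pp: tmp/%.mod tmp/%.mod.fc
	@$(EINFO) "Creating $(NAME) $(@F) policy package"
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $(word 2,$^)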
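# tmp/all_interfaces.conf: the support macros, every header interface and the
# local modules' .if files, m4-expanded into one file.  Uses the configurable
# $(M4)/$(SED) like the other rules instead of bare m4/sed, and quotes the sed
# script (it expands to s/dollarsstar/$*/g, restoring a literal '$*' —
# presumably a placeholder written by the support macros).  M4PARAM is not
# passed here, as before.
tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
	@mkdir -p $(@D)
	$(verbose) $(M4) $^ | $(SED) -e 's/dollarsstar/$$*/g' > $@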
# so users don't have to make empty .fc and .if files:
# a module whose .if or .fc is missing gets an empty one created next to its
# .te (inside the layer directory when the module lives in one).  No
# prerequisites, so this only fires when the file does not exist.
$(detected_ifs) $(detected_fcs):
	@touch $@
########################################
#
# Documentation generation
#

# tmp/LAYER.xml for layers present both locally and in the headers: a <layer>
# element holding the header copy of metadata.xml, then the XML of this
# layer's local modules, then the XML of this layer's header modules.  $* is
# tmp/LAYER, so $(*F) and $(notdir $*) are the bare layer name; the
# $(filter ... /%, ...) calls select only this layer's files out of the full
# $(cmodxml)/$(hmodxml) lists, and the filter-out drops the metadata file
# already written.  The trailing ';' on the first cat is harmless.
$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
	@test -d tmp || mkdir -p tmp
	$(verbose) echo '<layer name="$(*F)">' > $@
	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
	$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
	$(verbose) echo '</layer>' >> $@
# tmp/LAYER.xml for header-only layers: a <layer> element holding the header
# metadata.xml followed by the XML of that layer's header modules.  $* is
# tmp/LAYER, so $(*F) and $(notdir $*) are the bare layer name; the inner
# filter keeps only this layer's entries of $(hmodxml), the filter-out drops
# the metadata file already written.  Same shape as the $(clayerxml) rule
# minus the local-module step.
$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
	@test -d tmp || mkdir -p tmp
	$(verbose) echo '<layer name="$(*F)">' > $@
	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
	$(verbose) echo '</layer>' >> $@
# MODULE.xml next to MODULE.if/.te, generated by segenxml.py from the
# interface file, for local-only and combined-layer modules alike.  $* is the
# module path without its .xml suffix.
$(cmodxml) $(modxml): %.xml: %.if %.te
	$(verbose) $(genxml) -w -m $* > $@
# tmp/LAYER.xml for local-only layers, plus tmp/<cwd name>.xml for the loose
# third-party modules: the working directory's metadata.xml if present,
# otherwise a fixed <summary>, followed by the local modules' XML.
# NOTE(review): unlike the $(clayerxml) rule this one does not filter $^ by
# layer, so every file built here receives all of $(modxml), and the metadata
# test looks at the cwd's $(metaxml) rather than the layer's — confirm this
# is intended when detected_layers_subset has more than one entry.
$(layerxml): %.xml: $(modxml)
	@mkdir -p tmp
	$(verbose) echo '<layer name="$(*F)">' > $@
	$(verbose) if test -f '$(metaxml)'; then \
		cat $(metaxml) >> $@; \
	else \
		echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
	fi
	$(verbose) cat $(filter-out %/$(metaxml),$^) >> $@
	$(verbose) echo '</layer>' >> $@
# doc/policy.xml: the complete interface documentation — a <policy> element
# holding the per-layer files ($(sort ...) orders and de-duplicates them) and
# the global tunables/booleans.  Validation against $(xmldtd) is best-effort:
# it only runs when xmllint is executable and the DTD exists, and is skipped
# silently otherwise, so 'make xml' can succeed with an unvalidated file.
# NOTE(review): the two lines that write '' look like their content was lost
# in this rendering (presumably the XML declaration and DOCTYPE) — confirm
# against the original file before relying on this listing.
# NOTE(review): status message uses plain echo where the other rules use
# $(EINFO); 'clean' does not remove this file.
$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
	@echo "Creating $(@F)"
	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
	$(verbose) echo '' > $@
	$(verbose) echo '' >> $@
	$(verbose) echo '<policy>' >> $@
	$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
	$(verbose) echo '</policy>' >> $@
	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
	fi
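########################################
#
# Clean the environment
#

# Removes the scratch directory and every .pp in the working directory — the
# glob is broader than $(all_packages), so .pp files not built here go too.
# The generated $(polxml) is left in place.  Uses make's $(RM) (rm -f) like
# the standard targets do; 'tmp' is a literal, so there is no empty-variable
# hazard in the recursive removal.
clean:
	$(RM) -r tmp
	$(RM) *.pp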