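# helper tools
AWK ?= gawk
INSTALL ?= install
M4 ?= m4
SED ?= sed
EINFO ?= echo
PYTHON ?= python

# Policy store name.  When NAME is not given on the command line or in the
# environment it is read from the SELINUXTYPE line of /etc/selinux/config.
# The value is assigned with ':=' so the awk process is spawned once at parse
# time; with the original '?=' (recursive flavour) the shell command re-ran on
# every expansion of $(NAME), i.e. on every use of $(HEADERDIR).
ifeq ($(origin NAME),undefined)
NAME := $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
endif
# Fail early with a clear message: an empty NAME would otherwise turn
# HEADERDIR into $(SHAREDIR)//include and the include below would fail with a
# confusing path.
ifeq ($(strip $(NAME)),)
$(error NAME is empty: pass NAME=<policy type> or check SELINUXTYPE in /etc/selinux/config)
endif

SHAREDIR ?= /usr/share/selinux
HEADERDIR ?= $(SHAREDIR)/$(NAME)/include

# Build configuration shipped with the installed policy headers.
include $(HEADERDIR)/build.conf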
# executables
# The SELinux tools are referenced by absolute path under $(PREFIX) rather
# than looked up on PATH.
PREFIX := /usr
SBINDIR := $(PREFIX)/sbin
BINDIR := $(PREFIX)/bin

SEMODULE := $(SBINDIR)/semodule
CHECKMODULE := $(BINDIR)/checkmodule
SEMOD_PKG := $(BINDIR)/semodule_package
# xmllint is optional: the documentation rule only runs it when present.
XMLLINT := $(BINDIR)/xmllint
# set default build options if missing
# (build.conf, included above, may already have set these)
TYPE ?= strict
DIRECT_INITRC ?= n
POLY ?= n
QUIET ?= y

# documentation generator from the installed headers
genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py

# documentation: output location, per-layer metadata and the DTD used to
# validate the generated XML
layerxml = metadata.xml
docs = doc
polxml = $(docs)/policy.xml
xmldtd = $(HEADERDIR)/support/policy.dtd

# global tunable/boolean descriptions fed to the generator
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
# Translate the build options into m4 -D definitions (and checkmodule flags).
# The order of the M4PARAM appends below is preserved deliberately.

# compile strict policy if requested.
ifneq (,$(findstring strict,$(TYPE)))
M4PARAM += -D strict_policy
endif

# compile targeted policy if requested.
ifneq (,$(findstring targeted,$(TYPE)))
M4PARAM += -D targeted_policy
endif

# enable MLS if requested.  -M makes checkmodule build an MLS policy.
# CHECKPOLICY is not defined in this file; presumably it comes from
# build.conf or is unused here.
ifneq (,$(findstring -mls,$(TYPE)))
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif

# enable MLS if MCS requested.
ifneq (,$(findstring -mcs,$(TYPE)))
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
endif

# enable distribution-specific policy
ifneq "$(DISTRO)" ""
M4PARAM += -D distro_$(DISTRO)
endif

ifeq "$(DIRECT_INITRC)" "y"
M4PARAM += -D direct_sysadm_daemon
endif

# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
MCS_CATS ?= 256

# silence recipe echoing unless QUIET=n
ifeq "$(QUIET)" "y"
verbose := @
endif

M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
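# policy headers
# These are simple (:=) assignments: the originals used '=' with
# $(shell find ...) and $(wildcard ...), which re-ran find on every
# expansion of detected_layers (vpath, detected_mods, the doc recipe, ...).
m4support := $(wildcard $(HEADERDIR)/support/*.spt)
# every directory directly under HEADERDIR except support/ is a policy layer
all_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
all_interfaces := $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
rolemap := $(HEADERDIR)/rolemap

# layers in the working tree: every subdirectory except CVS, tmp and $(docs)
detected_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
# modules sitting directly in the working tree (the "third party" layer)
3rd_party_mods := $(wildcard *.te)
detected_mods := $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
detected_ifs := $(detected_mods:.te=.if)
detected_fcs := $(detected_mods:.te=.fc)
# one package per module, built in the working tree
all_packages := $(notdir $(detected_mods:.te=.pp))

# let the pattern rules find module sources inside the detected layers
vpath %.te $(detected_layers)
vpath %.if $(detected_layers)
vpath %.fc $(detected_layers)

# if there are modules in the current directory, add them into the third party layer
ifneq "$(3rd_party_mods)" ""
genxml += -3 .
endif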
########################################
#
# Functions
#

# parse-rolemap-compat modulename,outputfile
# Expands the installed rolemap with m4 and, for each output line that begins
# with a letter (after optional blanks), appends to $2 a gen_require() for the
# type in awk field 3 and the role in awk field 1, followed by a call of
# $1_per_userdomain_template(field2, field3, field1).  $$1..$$3 are awk
# fields; $1/$2 are the call arguments.  Identical to parse-rolemap except
# for the legacy per_userdomain_template name (peruser-expansion wraps this
# variant in a rename warning).
define parse-rolemap-compat
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
	$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# parse-rolemap modulename,outputfile
# Expands the installed rolemap with m4 and, for each output line that begins
# with a letter (after optional blanks), appends to $2 a gen_require() for the
# type in awk field 3 and the role in awk field 1, followed by a call of
# $1_per_role_template(field2, field3, field1).  $$1..$$3 are awk fields;
# $1/$2 are the call arguments.
define parse-rolemap
	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
	$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
# Writes an m4 snippet to $2 (the first echo truncates, the rest append) that
# expands the rolemap-driven templates for module $1:
#   - inside ifdef(`$1_per_role_template', ...) via parse-rolemap;
#   - inside ifdef(`$1_per_userdomain_template', ...) via
#     parse-rolemap-compat, preceded by an errprint() telling the policy
#     author that per_userdomain_templates were renamed.
# The "\`" sequences put a literal backquote (m4's opening quote) into $2.
define peruser-expansion
	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
	$(call parse-rolemap,$1,$2)
	$(verbose) echo "')" >> $2

	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
	$(call parse-rolemap-compat,$1,$2)
	$(verbose) echo "')" >> $2
endef
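.PHONY: clean all xml load reload
# clear the built-in suffix list, then declare the only suffix used here
.SUFFIXES:
.SUFFIXES: .pp
# Several recipes write their target through a shell redirection or let a
# tool write it directly (tmp/%.mod, tmp/%.mod.fc, tmp/all_interfaces.conf,
# %.pp).  If such a command fails midway, the half-written file would be newer
# than its prerequisites and look up to date on the next run; this makes make
# remove a target whose recipe failed after modifying it.
.DELETE_ON_ERROR:
# broken in make 3.81:
#.SECONDARY: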
########################################
#
# Main targets
#

# First real rule in the file, hence the default goal: build one .pp
# package per detected module.
all: $(all_packages)

# Generate the policy documentation XML (see "Documentation generation").
xml: $(polxml)
########################################
#
# Load module packages
#

# Install the packages that changed since the last load.
load: tmp/loaded

# tmp/loaded is a stamp recording the last successful load, so only the
# packages newer than it ($?) are handed to semodule, each with its own -i.
tmp/loaded: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
	$(verbose) $(SEMODULE) $(addprefix -i ,$?)
	@mkdir -p $(@D) && touch $@

# Reinstall every package regardless of age, then refresh the stamp.
reload: $(all_packages)
	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
	$(verbose) $(SEMODULE) $(addprefix -i ,$^)
	@mkdir -p tmp && touch tmp/loaded
########################################
#
# Build module packages
#

# Compile one module: write the rolemap template expansions for the module
# into $@.role, feed the support macros, the interface bundle, the .te source
# and that role snippet through m4, then compile the result with checkmodule.
# $* is the module name (the stem of tmp/%.mod).
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
	@$(EINFO) "Compiling $(NAME) $* module"
	@mkdir -p $(@D)
	$(call peruser-expansion,$*,$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(basename $@).tmp
	$(verbose) $(CHECKMODULE) -m $(basename $@).tmp -o $@
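# Expand the module's file context file through m4 with the support macros.
# The output directory is created here too: %.pp depends on both tmp/%.mod
# and tmp/%.mod.fc, so under make -j this rule can run before tmp/%.mod or
# tmp/all_interfaces.conf has created tmp/, and the redirection would fail.
tmp/%.mod.fc: $(m4support) %.fc
	@test -d tmp || mkdir -p tmp
	$(verbose) $(M4) $(M4PARAM) $^ > $@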
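# Package the compiled module ($<) with its expanded file contexts
# ($<.fc, i.e. the second prerequisite).  The message goes through $(EINFO)
# like the other build messages, so an overridden EINFO applies here as well.
%.pp: tmp/%.mod tmp/%.mod.fc
	@$(EINFO) "Creating $(NAME) $(@F) policy package"
	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc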
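# Bundle the support macros and every interface file (installed layers plus
# the detected local modules) into one m4 input, without M4PARAM, so the
# per-module rule can process it again.  Uses $(M4) and $(SED) instead of
# the bare tool names so the overrides at the top of the file are honoured
# here too.  The sed pass rewrites the token dollarsstar to a literal $*.
tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
	@test -d tmp || mkdir -p tmp
	$(verbose) $(M4) $^ | $(SED) -e s/dollarsstar/\$$\*/g > $@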
# so users dont have to make empty .fc and .if files
# Placeholder rule: a module's .if or .fc that does not exist is created
# empty.  The rule has no prerequisites, so a file that already exists is
# up to date and is never touched.
$(detected_ifs) $(detected_fcs):
	@touch $@
########################################
#
# Documentation generation
#

# minimal dependencies here, because we don't want to rebuild
# this and its dependents every time the dependencies
# change. Also use all .if files here, rather then just the
# enabled modules.
#
# Starts $@ with two echo lines, appends the segenxml.py output for every
# installed and detected layer, then validates the result against the DTD
# when both xmllint and the DTD are present (a missing xmllint is skipped
# silently; an invalid document fails the recipe through xmllint's exit
# status, which is the status of the if compound).
#
# NOTE(review): the two echo '' lines below only write empty lines in this
# copy.  They look like they originally emitted the XML declaration and the
# DOCTYPE line referencing $(xmldtd) and lost their angle-bracketed content
# in rendering -- confirm against the repository before relying on them.
# NOTE(review): the mkdir uses the literal directory "doc" rather than
# $(docs)/$(@D), so overriding docs= would not create the output directory.
$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
	@echo "Creating $@"
	@mkdir -p doc
	$(verbose) echo '' > $@
	$(verbose) echo '' >> $@
	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
	fi
########################################
#
# Clean the environment
#

# Remove the packages built in the working tree and the scratch directory.
# The generated documentation under $(docs) is left in place.
clean:
	$(RM) *.pp
	$(RM) -R tmp