########################################

#

# Rules and Targets for building monolithic policies

#

# determine the policy version and current kernel version if possible

pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')

kv := $(shell cat /selinux/policyvers)

# dont print version warnings if we are unable to determine

# the currently running kernel's policy version

ifeq "$(kv)" ""

	kv := $(pv)

endif

policy_conf = $(builddir)policy.conf

fc = $(builddir)file_contexts

polver = $(builddir)policy.$(pv)

homedir_template = $(builddir)homedir_template

M4PARAM += -D self_contained_policy

# install paths

loadpath = $(policypath)/$(notdir $(polver))

appfiles += $(installdir)/booleans $(userpath)/local.users

# for monolithic policy use all base and module to create policy

all_modules := $(strip $(base_mods) $(mod_mods))

# off module interfaces included to make sure all interfaces are expanded.

all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)

all_te_files := $(all_modules)

all_fc_files := $(all_modules:.te=.fc)

pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs

post_te_files := $(user_files) $(poldir)/constraints

policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf

# search layer dirs for source files

vpath %.te $(all_layers)

vpath %.if $(all_layers)

vpath %.fc $(all_layers)

########################################

#

# default action: build policy locally

#

default: policy

policy: $(polver)

install: $(loadpath) $(fcpath) $(appfiles)

load: $(tmpdir)/load

checklabels: $(fcpath)

restorelabels: $(fcpath)

relabel:  $(fcpath)

resetlabels:  $(fcpath)

########################################

#

# Build a binary policy locally

#

ifneq "$(UNK_PERMS)" ""

$(polver): CHECKPOLICY += -U $(UNK_PERMS)

endif

$(polver): $(policy_conf)

	@echo "Compiling $(NAME) $(polver)"

ifneq ($(pv),$(kv))

	@echo

	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"

	@echo

endif

	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################

#

# Install a binary policy

#

ifneq "$(UNK_PERMS)" ""

$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)

endif

$(loadpath): $(policy_conf)

	@mkdir -p $(policypath)

	@echo "Compiling and installing $(NAME) $(loadpath)"

ifneq ($(pv),$(kv))

	@echo

	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"

	@echo

endif

	$(verbose) $(CHECKPOLICY) $^ -o $@

########################################

#

# Load the binary policy

#

reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)

	@echo "Loading $(NAME) $(loadpath)"

	$(verbose) $(LOADPOLICY) -q $(loadpath)

	@touch $(tmpdir)/load

########################################

#

# Construct a monolithic policy.conf

#

$(policy_conf): $(policy_sections)

	@echo "Creating $(NAME) $(@F)"

	@test -d $(@D) || mkdir -p $(@D)

	$(verbose) cat $^ > $@

$(tmpdir)/pre_te_files.conf: $(pre_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/generated_definitions.conf: $(all_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

# define all available object classes

	$(verbose) $(genperm) $(avs) $(secclass) > $@

	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)

	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true

$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	@echo "ifdef(\`__if_error',\`m4exit(1)')" > $(tmpdir)/iferror.m4

	@echo "divert(-1)" > $@

	$(verbose) $(M4) $^ $(tmpdir)/iferror.m4 >> $(tmpdir)/$(@F).tmp

	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@

	@echo "divert" >> $@

$(tmpdir)/rolemap.conf: $(rolemap)

	$(verbose) echo "" > $@

	$(call parse-rolemap,base,$@)

$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf

ifeq "$(strip $(all_te_files))" ""

	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")

endif

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) -s $^ > $@

$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

# extract attributes and put them first. extract post te stuff

# like genfscon and put last.

$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf

	$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf

	$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf

# these have to run individually because order matters:

	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true

	$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf

########################################

#

# Remove the dontaudit rules from the policy.conf

#

enableaudit: $(policy_conf)

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	@echo "Removing dontaudit rules from $(notdir $(policy_conf))"

	$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit

	$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)

########################################

#

# Construct file_contexts

#

$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)

	$(verbose) $(fcsort) $< $@

	$(verbose) $(GREP) -e HOME -e ROLE $@ > $(homedir_template)

	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d $@

$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)

ifeq ($(all_fc_files),)

	$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")

endif

	@echo "Creating $(NAME) file_contexts."

	@test -d $(tmpdir) || mkdir -p $(tmpdir)

	$(verbose) $(M4) $(M4PARAM) $^ > $@

$(homedir_template): $(fc)

########################################

#

# Install file_contexts

#

$(fcpath): $(fc) $(loadpath) $(userpath)/system.users

	@echo "Validating $(NAME) file_contexts."

	$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)

	@echo "Installing file_contexts."

	@mkdir -p $(contextpath)/files

	$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)

	$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)

	$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)

ifeq "$(DISTRO)" "rhel4"

# Setfiles in RHEL4 does not look at file_contexts.homedirs.

	$(verbose) cat $@.homedirs >> $@

# Delete the file_contexts.homedirs in case the toolchain has

# been updated, to prevent duplicate match errors.

	$(verbose) rm -f $@.homedirs

endif

########################################

#

# Intall netfilter_contexts

#

$(ncpath): $(net_contexts)

	@echo "Installing $(NAME) netfilter_contexts."

	$(verbose) $(INSTALL) -m 0644 $^ $@

########################################

#

# Run policy source checks

#

check: $(builddir)check.res

$(builddir)check.res: $(policy_conf) $(fc)

	$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@

longcheck: $(builddir)longcheck.res

$(builddir)longcheck.res: $(policy_conf) $(fc)

	$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@

########################################

#

# Appconfig files

#

$(appdir)/customizable_types: $(policy_conf)

	@mkdir -p $(appdir)

	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types

	$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ 

########################################

#

# Clean the sources

#

clean:

	rm -f $(policy_conf)

	rm -f $(polver)

	rm -f $(fc)

	rm -f $(homedir_template)

	rm -f $(net_contexts)

	rm -f *.res

	rm -fR $(tmpdir)

.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean