diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 17fc6e6..dbf517e 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,10 @@
+- Fix labeling targets to use installed file_contexts rather
+ than partial file_contexts in the policy source directory.
+- Fix build process to use make's internal vpath functions
+ to detect modules rather than using subshells and find.
+- Add install target for modular policy.
+- Add load target for modular policy.
+- Add appconfig dependency to the load target.
 - Miscellaneous fixes from Dan Walsh.
 - Fix corenetwork gen_context()'s to expand during the policy build
 phase instead of during the generation phase.
diff --git a/refpolicy/INSTALL b/refpolicy/INSTALL
index ac1f6e8..fa58eca 100644
--- a/refpolicy/INSTALL
+++ b/refpolicy/INSTALL
@@ -5,7 +5,12 @@ To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
 This will back up a pre-existing source policy to the
 /etc/selinux/refpolicy/src/policy.bak directory.
-After installing the policy sources, the old Make targets have been maintained:
+If you do not have a modules.conf, one can be generated:
+
+ make conf
+
+This will create a default modules.conf. After installing the policy sources,
+the old Make targets have been maintained for the monolithic policy:
 Local policy development:
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ec55b76..ce14018 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -23,7 +23,8 @@
 # Policy version
 # By default, checkpolicy will create the highest
 # version policy it supports. Setting this will
-# override the version.
+# override the version. This only affects
+# monolithic policies.
 #OUTPUT_POLICY = 18
 # Policy Type
@@ -73,6 +74,7 @@ BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
 CHECKPOLICY := $(BINDIR)/checkpolicy
 CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
 SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/load_policy
 SETFILES := $(SBINDIR)/setfiles
@@ -119,24 +121,30 @@ INSTALLDIR = $(TOPDIR)/$(NAME)
 SRCPATH = $(INSTALLDIR)/src
 USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
+MODPKGDIR = $(DESTDIR)/usr/share/selinux/$(NAME)
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ override M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ override M4PARAM += -D targeted_policy
+endif
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
 override M4PARAM += -D enable_mls
- CHECKPOLICY += -M
- CHECKMODULE += -M
+ override CHECKPOLICY += -M
+ override CHECKMODULE += -M
 endif
 # enable MLS if MCS requested.
 ifneq ($(findstring -mcs,$(TYPE)),)
 override M4PARAM += -D enable_mcs
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- override M4PARAM += -D targeted_policy
+ override CHECKPOLICY += -M
+ override CHECKMODULE += -M
 endif
 # enable distribution-specific policy
@@ -145,7 +153,7 @@ ifneq ($(DISTRO),)
 endif
 ifneq ($(OUTPUT_POLICY),)
- CHECKPOLICY += -c $(OUTPUT_POLICY)
+ override CHECKPOLICY += -c $(OUTPUT_POLICY)
 endif
 ifeq ($(NAME),)
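Review bot: The new strict/targeted blocks (Makefile hunk @@ -119) add `-D strict_policy` or `-D targeted_policy` only when `$(TYPE)` contains that substring, and a TYPE matching neither (a misspelling such as `stricy-mls`) silently builds a policy with neither macro defined; nothing in these hunks reports that, unless TYPE is validated elsewhere in the Makefile. A parse-time guard after the two blocks would catch it: `ifeq ($(findstring strict,$(TYPE))$(findstring targeted,$(TYPE)),)` / `$(error TYPE '$(TYPE)' is neither a strict nor a targeted policy type)` / `endif`. Because both tests use findstring, a TYPE containing both words would define both macros at once; if that is never a valid configuration the same guard can reject it. The `override CHECKPOLICY += -M` lines mean a `CHECKPOLICY=` given on the command line still receives the flags, which is presumably the point of this fix and is worth a one-line comment above the block.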
@@ -168,14 +176,11 @@ ifeq ($(KV),)
 KV := $(PV)
 endif
-FC := file_contexts
-POLVER := policy.$(PV)
-
 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 APPCONF := config/appconfig-$(TYPE)
 APPDIR := $(CONTEXTPATH)
-APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
+APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
 USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
@@ -196,10 +201,8 @@ MODBASE := base
 MODMOD := module
 # extract settings from modules.conf
-BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
-MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
-
-HOMEDIR_TEMPLATE = tmp/homedir_template
+BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null))
+MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
 ########################################
 #
@@ -364,14 +367,14 @@ bare: clean
 rm -f $(MOD_CONF)
 rm -f $(BOOLEANS)
 rm -fR $(HTMLDIR)
-#ifneq ($(GENERATED_TE),)
-# rm -f $(GENERATED_TE)
-#endif
-#ifneq ($(GENERATED_IF),)
-# rm -f $(GENERATED_IF)
-#endif
-#ifneq ($(GENERATED_FC),)
-# rm -f $(GENERATED_FC)
-#endif
+ifneq ($(GENERATED_TE),)
+ rm -f $(GENERATED_TE)
+endif
+ifneq ($(GENERATED_IF),)
+ rm -f $(GENERATED_IF)
+endif
+ifneq ($(GENERATED_FC),)
+ rm -f $(GENERATED_FC)
+endif
 .PHONY: install-src install-appconfig conf html bare
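Review bot: `BASE_MODS` and `MOD_MODS` (Makefile hunk @@ -196) run the same awk program in two separate `$(shell)` subshells that differ only in the third-column value, so any change to the modules.conf line format has to be made in both places. A single template keeps them in step: `mods_of_type = $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(1)") print $$1 }' $(MOD_CONF) 2> /dev/null))`, then `BASE_MODS := $(call mods_of_type,$(MODBASE))` and `MOD_MODS := $(call mods_of_type,$(MODMOD))`. The `2> /dev/null` also hides a missing or unreadable modules.conf at parse time; the `$(error No enabled modules! ...)` in the two Rules files is where an empty result finally surfaces, and a comment here saying so would save the next reader a search. Since the names are no longer filtered against the detected .te files, a modules.conf entry with no matching .te in any vpath layer now fails with make's "No rule to make target" instead of being dropped silently, which is worth a sentence in the changelog entry.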
diff --git a/refpolicy/README b/refpolicy/README
index 2bbc966..f64a0b1 100644
--- a/refpolicy/README
+++ b/refpolicy/README
@@ -37,6 +37,19 @@ modules Compile and package all Reference Policy modules
 MODULENAME.pp Compile and package the MODULENAME Reference Policy module.
+all Compile and package the base module and all Reference
+ Policy modules configured to be built as loadable
+ modules.
+
+install Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules.
+
+load Compile, package, and install the base module and
+ Reference Policy modules configured to be built as
+ loadable modules, then insert them into the module
+ store.
+
 Make targets specific to monolithic policies:
 policy Compile a policy locally for development and testing.
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 49ee334..a152bae 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -3,7 +3,7 @@
 # Rules and Targets for building modular policies
 #
-ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
+ALL_MODULES := $(BASE_MODS) $(MOD_MODS)
 ALL_INTERFACES := $(ALL_MODULES:.te=.if)
 BASE_PKG := base.pp
@@ -19,6 +19,9 @@ BASE_FC_FILES := $(BASE_MODS:.te=.fc)
 MOD_MODULES := $(MOD_MODS:.te=.mod)
 MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
+# policy packages to install
+INSTPKG := $(addprefix $(MODPKGDIR)/,$(BASE_PKG) $(MOD_PKGS))
+
 # search layer dirs for source files
 vpath %.te $(ALL_LAYERS)
 vpath %.if $(ALL_LAYERS)
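Review bot: With the `$(filter ...,$(DETECTED_MODS))` step gone, `ALL_MODULES := $(BASE_MODS) $(MOD_MODS)` (Rules.modular hunk @@ -3) is a plain concatenation and nothing checks that the two lists are disjoint; because the awk in the Makefile selects modules.conf lines by their third column, a module listed once as base and once as module would be compiled into base.pp and also packaged and installed as a loadable module. A parse-time check next to this line makes that a hard error: `ifneq ($(filter $(BASE_MODS),$(MOD_MODS)),)` / `$(error listed as both base and module: $(filter $(BASE_MODS),$(MOD_MODS)))` / `endif`. Rules.monolithic builds the same concatenation in its hunk @@ -9, so the check is better placed in the Makefile where the two lists are derived than repeated in each Rules file.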
@@ -36,9 +39,40 @@ base: $(BASE_PKG)
 modules: $(MOD_PKGS)
-#policy: $(POLVER)
-#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-#load: tmp/load
+install: $(INSTPKG) $(APPFILES)
+
+########################################
+#
+# Load all configured modules
+#
+load: $(INSTPKG) $(APPFILES)
+ @echo "Loading configured modules."
+ $(QUIET) $(SEMODULE) -s $(NAME) -b $(MODPKGDIR)/$(BASE_PKG) $(foreach mod,$(MOD_PKGS),-i $(MODPKGDIR)/$(mod))
+
+########################################
+#
+# Install policy packages
+#
+$(MODPKGDIR)/%.pp: %.pp
+ @mkdir -p $(MODPKGDIR)
+ @echo "Installing $(@F) policy package."
+ $(QUIET) install -m 0644 $^ $(MODPKGDIR)
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(M4SUPPORT) %.fc
+ $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
 ########################################
 #
@@ -48,17 +82,13 @@ $(BASE_PKG): tmp/base.mod $(BASE_FC)
 @echo "Creating $(NAME) base module package"
 $(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC)
-########################################
-#
-# Compile a base module
-#
 tmp/base.mod: base.conf
 @echo "Compiling $(NAME) base module"
 $(QUIET) $(CHECKMODULE) $^ -o $@
 ########################################
 #
-# Construct a base module policy.conf
+# Construct a base.conf
 #
 base.conf: $(BASE_SECTIONS)
 @echo "Creating $(NAME) base module policy.conf"
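Review bot: The install rule `$(MODPKGDIR)/%.pp: %.pp` (Rules.modular hunk @@ -36) never names its own target in the recipe: `install -m 0644 $^ $(MODPKGDIR)` copies whatever the prerequisites happen to be into the directory, so make cannot see that exactly `$@` was produced, and a prerequisite added to the rule later would be installed along with it. `install -m 0644 $< $@` states the contract directly. The echo in the `tmp/%.mod` rule still reads "Compliling" (carried over from the removed copy) while the base-module rule below prints "Compiling". This hunk also drops the check that a requested `%.pp` is in `$(MOD_MODS)`, so `make NAME.pp` now packages any .te that vpath can find, including base modules, as a loadable module; if that is intended, a comment on the `%.pp` rule saying so would replace the explanation the old error message gave users.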
@@ -125,45 +155,27 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 ########################################
 #
-# Construct base module file contexts
+# Construct a base.fc
 #
-$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
+$(BASE_FC): tmp/$(BASE_FC).tmp $(FCSORT)
+ $(QUIET) $(FCSORT) $< $@
+
+tmp/$(BASE_FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES)
 ifeq ($(BASE_FC_FILES),)
 $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
 endif
 @echo "Creating $(NAME) base module file contexts."
 @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
- $(QUIET) $(FCSORT) tmp/$@.tmp $@
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
- @if test -z "$(filter $^,$(MOD_MODS))"; then \
- echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
- false ;\
- fi
- @echo "Compliling $(NAME) $(@F) module"
- $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-tmp/%.mod.fc: $(M4SUPPORT) %.fc
- $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) $^ > $@
-
-%.pp: tmp/%.mod tmp/%.mod.fc
- @echo "Creating $(NAME) $(@F) policy package"
- $(QUIET) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+ $(QUIET) m4 $(M4PARAM) $^ > $@
 ########################################
 #
 # Clean the sources
 #
 clean:
- rm -fR tmp
 rm -f base.conf
 rm -f *.pp
 rm -f $(BASE_FC)
+ rm -fR tmp
-.PHONY: default base modules clean
+.PHONY: default all base modules install load clean
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 7bcd912..7198dd3 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
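Review bot: `tmp/$(BASE_FC).tmp` (Rules.modular hunk @@ -125) is written with a bare redirect, `m4 $(M4PARAM) $^ > $@`, and nothing in these files sets `.DELETE_ON_ERROR`, so when m4 exits non-zero part-way (a malformed .fc in one module) a truncated file that is newer than every prerequisite stays behind; the next run treats it as up to date and `$(FCSORT) $< $@` turns it into a base.fc with silently missing entries, which is the file the system is later labeled from. The new `tmp/$(FC).tmp` rule in Rules.monolithic (hunk @@ -153) has the same shape. Adding `.DELETE_ON_ERROR:` once to the top-level Makefile covers both; the per-recipe alternative is `> $@.tmp && mv -f $@.tmp $@`. The `@test -d tmp || mkdir -p tmp` line appears redundant now that `tmp/generated_definitions.conf` is a prerequisite and so must already exist, though it is harmless.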
@@ -9,13 +9,13 @@ LOADPATH = $(POLICYPATH)/$(POLVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
 HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-# Monolithic still uses booleans file
-APPFILES += $(INSTALLDIR)/booleans
+FC := file_contexts
+POLVER := policy.$(PV)
-# for monolithic policy use all base and module to create policy
-ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
+APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
-ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
+# for monolithic policy use all base and module to create policy
+ALL_MODULES := $(BASE_MODS) $(MOD_MODS)
 ALL_INTERFACES := $(ALL_MODULES:.te=.if)
 ALL_TE_FILES := $(ALL_MODULES)
@@ -26,6 +26,13 @@ POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
 POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+HOMEDIR_TEMPLATE = homedir_template
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
 ########################################
 #
 # default action: build policy locally
@@ -69,7 +76,7 @@ endif
 #
 # Load the binary policy
 #
-reload tmp/load: $(LOADPATH) $(FCPATH)
+reload tmp/load: $(LOADPATH) $(FCPATH) $(APPFILES)
 @echo "Loading $(NAME) $(LOADPATH)"
 $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
 @touch tmp/load
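Review bot: `POLVER := policy.$(PV)` is now assigned in Rules.monolithic (hunk @@ -9) after `LOADPATH = $(POLICYPATH)/$(POLVER)` has already been parsed (it is this hunk's header context, a few lines above); this only works because LOADPATH is recursively expanded, and a later change of that line to `:=` would silently make LOADPATH `$(POLICYPATH)/`. Either move the `FC`/`POLVER` assignments above LOADPATH, or put `# POLVER is assigned below; LOADPATH must stay recursively expanded (=)` on the LOADPATH line. The three `vpath` directives added in hunk @@ -26 duplicate the block already in Rules.modular (visible in its hunk @@ -19), so they could live once in the Makefile that presumably includes both Rules files, unless the layer list is meant to differ per build type.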
@@ -153,16 +160,18 @@ enableaudit: policy.conf
 #
 # Construct file_contexts
 #
-$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) $(FCSORT)
+$(FC): tmp/$(FC).tmp $(FCSORT)
+ $(QUIET) $(FCSORT) $< $@
+ $(QUIET) grep -e HOME -e ROLE $@ > $(HOMEDIR_TEMPLATE)
+ $(QUIET) sed -i -e /HOME/d -e /ROLE/d $@
+
+tmp/$(FC).tmp: $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
 ifeq ($(ALL_FC_FILES),)
 $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
 endif
 @echo "Creating $(NAME) file_contexts."
 @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
- $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
- $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
- $(QUIET) $(FCSORT) tmp/$@.tmp $@
+ $(QUIET) m4 $(M4PARAM) $^ > $@
 ########################################
 #
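Review bot: The `$(FC)` rule (Rules.monolithic hunk @@ -153) now produces two files, `$@` and `$(HOMEDIR_TEMPLATE)`, and the second is the target of no rule, so make never knows when it is stale and whatever installs it (presumably the `$(HOMEDIRPATH)` rule, outside this hunk) cannot declare it as a prerequisite. Since `tmp/$(FC).tmp` still carries the HOME/ROLE lines, the template can be its own target: `$(HOMEDIR_TEMPLATE): tmp/$(FC).tmp` / `$(QUIET) grep -e HOME -e ROLE $< > $@`, leaving this recipe with only the sort and the deletion. Note the ordering change: grep now runs on the fcsort output rather than on the raw m4 output as the old recipe did, so the template's line order differs from before; if any consumer depends on that order it should be called out in the changelog. The in-place `sed -i` on `$@` after fcsort has already written it (GNU sed only) also means an interrupted run leaves a complete-looking file_contexts that still contains the HOME/ROLE entries; filtering a copy of `$<` before `$(FCSORT)` writes `$@` avoids that window.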
@@ -183,26 +192,29 @@ $(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
 #
 FILESYSTEMS := `mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
-checklabels: $(FC) $(SETFILES)
+checklabels: $(FCPATH) $(SETFILES)
+ @echo "Checking labels on filesystem types: ext2 ext3 xfs jfs"
 @if test -z "$(FILESYSTEMS)"; then \
 echo "No filesystems with extended attributes found!" ;\
 false ;\
 fi
- $(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
+ $(QUIET) $(SETFILES) -v -n $(FCPATH) $(FILESYSTEMS)
-restorelabels: $(FC) $(SETFILES)
+restorelabels: $(FCPATH) $(SETFILES)
+ @echo "Restoring labels on filesystem types: ext2 ext3 xfs jfs"
 @if test -z "$(FILESYSTEMS)"; then \
 echo "No filesystems with extended attributes found!" ;\
 false ;\
 fi
- $(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
+ $(QUIET) $(SETFILES) -v $(FCPATH) $(FILESYSTEMS)
-relabel: $(FC) $(SETFILES)
+relabel: $(FCPATH) $(SETFILES)
+ @echo "Relabeling filesystem types: ext2 ext3 xfs jfs"
 @if test -z "$(FILESYSTEMS)"; then \
 echo "No filesystems with extended attributes found!" ;\
 false ;\
 fi
- $(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
+ $(QUIET) $(SETFILES) $(FCPATH) $(FILESYSTEMS)
 ########################################
 #
@@ -219,10 +231,11 @@ longcheck: policy.conf $(FC)
 # Clean the sources
 #
 clean:
- rm -fR tmp
 rm -f policy.conf
 rm -f policy.$(PV)
 rm -f $(FC)
+ rm -f $(HOMEDIR_TEMPLATE)
 rm -f *.res
+ rm -fR tmp
 .PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
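Review bot: `checklabels` (Rules.monolithic hunk @@ -183) is the dry-run check (`setfiles -n`), yet it now depends on `$(FCPATH)`, whose rule (this hunk's header context) in turn depends on `$(LOADPATH)`, the installed binary policy; on a tree where those are out of date, running the check will rebuild and install policy and file_contexts into the target tree as a side effect, which is more than a verification target should do without saying so. If that is intended, state it in the README entries for these targets and in a comment above the three rules, e.g. `# Labeling targets use the installed file_contexts; an out-of-date install is refreshed first`; otherwise have them require an explicit install step rather than trigger one. The filesystem list `ext2 ext3 xfs jfs` is now spelled out in three echo strings while the real selection is the awk regex inside `FILESYSTEMS`, so the two can drift apart; deriving the echo text from one shared variable would keep them aligned.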