Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/Makefile61
-rw-r--r--tools/flask/policy/policy/initial_sids12
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te10
3 files changed, 20 insertions, 63 deletions
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index a27c813fb0..5c25cbe952 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -102,9 +102,8 @@ else
POLVER +=$(NAME).$(PV)
endif
-
-# determine the policy version and current kernel version if possible
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
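Review bot: The `-D hide_broken_symptoms` define disappears from `M4PARAM` together with the comment rewrite, but nothing in the hunk records whether any `.te`/`.if` module still tests that symbol; if one does, its `ifdef` branch silently changes in the generated policy. The new comment only explains the MLS defines. Suggest extending it, e.g. `# hide_broken_symptoms is intentionally no longer defined; modules must not test it`, or confirming against the module sources that the symbol is unused before merging.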
@@ -126,9 +125,9 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(ALL_MODULES)
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
########################################
#
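Review bot: The new `POLICY_SECTIONS` feeds the raw source files straight to the `policy.conf` rule, which also removes two checks that lived in the deleted `tmp/*.conf` rules (the hunk at `@@ -181,50 +180,6 @@`): the `$(error No enabled modules! ...)` guard and the `sed -e s/dollarsstar/\$$\*/g` rewrite applied to the interface files before m4 saw them. With an absent or empty modules.conf, `policy.conf` is now assembled from only the pre/post files and the failure surfaces later as a checkpolicy error instead of the explicit message. Re-add the guard next to the new definition: `ifeq ($(strip $(ALL_MODULES)),)` / `$(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)` / `endif`. If any `.if` file still uses the `dollarsstar` placeholder it will now reach m4 unconverted; worth confirming none do.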
@@ -140,7 +139,7 @@ policy: $(POLVER)
install: $(LOADPATH)
-load: tmp/load
+load: .load_stamp
########################################
#
@@ -166,11 +165,11 @@ $(LOADPATH): policy.conf
#
# Load the binary policy
#
-tmp/load: reload
-reload: $(LOADPATH) $(FCPATH)
+.load_stamp: reload
+reload: $(LOADPATH)
@echo "Loading $(NAME) $(LOADPATH)"
$(QUIET) $(LOADPOLICY) $(LOADPATH)
- @touch tmp/load
+ @touch .load_stamp
########################################
#
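Review bot: The stamp now lands in the policy source directory as `.load_stamp` instead of under `tmp/`, and the `reload` recipe still writes it as a side effect rather than as `$@`, so nothing in this hunk (or the `load:` hunk at `@@ -140,7 +139,7 @@`) ties it to cleanup; confirm the `clean` target, which is outside this hunk, removes it and that it is ignored by version control, or keep it under `tmp/` as before. Separately, `reload` drops `$(FCPATH)` as a prerequisite, so a changed file-contexts file no longer triggers a reload; if that is intentional, say so in the comment above the rule, e.g. `# Load the binary policy (file contexts are not a load dependency)`.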
@@ -181,50 +180,6 @@ policy.conf: $(POLICY_SECTIONS)
# checkpolicy can use the #line directives provided by -s for error reporting:
$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last. portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/all_post.conf: tmp/only_te_rules.conf
-tmp/only_te_rules.conf: tmp/all_te_files.conf tmp/post_te_files.conf
- $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
- $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
- $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
- $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
- -e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" \
- -e "/^iomemcon/d" < tmp/all_te_files.conf \
- > tmp/only_te_rules.conf
-
########################################
#
# Remove the dontaudit rules from the policy.conf
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
new file mode 100644
index 0000000000..b70a54ee7d
--- /dev/null
+++ b/tools/flask/policy/policy/initial_sids
@@ -0,0 +1,12 @@
+# Labels for initial SIDs
+
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
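Review bot: The header comment says what the file holds but not where it must be spliced into `policy.conf`; the Makefile hunk places it in `POST_TE_FILES` after `users` and `constraints`, and a reader of this file alone cannot see that ordering constraint. Since checkpolicy takes the initial sid contexts after the users/constraints sections, suggest expanding the header to `# Labels for initial SIDs. Appended after users and constraints via POST_TE_FILES in the Makefile; do not move these back into a .te module.`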
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index c5e0883e69..ac52c3fd99 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -162,16 +162,6 @@ neverallow * ~event_type:event { create send status };
# Labels for initial SIDs and system role
#
################################################################################
-sid xen gen_context(system_u:system_r:xen_t,s0)
-sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domxen gen_context(system_u:system_r:domxen_t,s0)
-sid domio gen_context(system_u:system_r:domio_t,s0)
-sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
-sid security gen_context(system_u:system_r:security_t,s0)
-sid irq gen_context(system_u:object_r:irq_t,s0)
-sid iomem gen_context(system_u:object_r:iomem_t,s0)
-sid ioport gen_context(system_u:object_r:ioport_t,s0)
-sid device gen_context(system_u:object_r:device_t,s0)
role system_r;
role system_r types { xen_type domain_type };