# # Makefile for the security policy. # # Targets: # # install - compile and install the policy configuration. # load - compile, install, and load the policy configuration. # reload - compile, install, and load/reload the policy configuration. # policy - compile the policy configuration locally for testing/development. # # The default target is 'policy'. # ######################################## # # Configurable portions of the Makefile # # Policy version # By default, checkpolicy will create the highest # version policy it supports. Setting this will # override the version. OUTPUT_POLICY = 24 # Policy Type # xen # xen-mls TYPE = xen # Policy Name # If set, this will be used as the policy # name. Otherwise xenpolicy will be # used for the name. # NAME = xenpolicy # Number of MLS Sensitivities # The sensitivities will be s0 to s(MLS_SENS-1). # Dominance will be in increasing numerical order # with s0 being lowest. # MLS_SENS = 16 # Number of MLS Categories # The categories will be c0 to c(MLS_CATS-1). # MLS_CATS = 256 # Uncomment this to disable command echoing # QUIET:=@ ######################################## # # NO OPTIONS BELOW HERE # # executable paths PREFIX := /usr BINDIR := $(PREFIX)/bin SBINDIR := $(PREFIX)/sbin CHECKPOLICY := $(BINDIR)/checkpolicy LOADPOLICY := $(SBINDIR)/flask-loadpolicy # policy source layout POLDIR := policy MODDIR := $(POLDIR)/modules FLASKDIR := ../../../xen/xsm/flask/policy SECCLASS := $(FLASKDIR)/security_classes ISIDS := $(FLASKDIR)/initial_sids AVS := $(FLASKDIR)/access_vectors # config file paths GLOBALTUN := $(POLDIR)/global_tunables GLOBALBOOL := $(POLDIR)/global_booleans MOD_CONF := $(POLDIR)/modules.conf TUNABLES := $(POLDIR)/tunables.conf BOOLEANS := $(POLDIR)/booleans.conf # install paths DESTDIR = /boot INSTALLDIR = $(DESTDIR) LOADPATH = $(INSTALLDIR)/$(POLVER) # default MLS sensitivity and category settings. MLS_SENS ?= 16 MLS_CATS ?= 256 # enable MLS if requested. ifneq ($(findstring -mls,$(TYPE)),) M4PARAM += -D enable_mls CHECKPOLICY += -M endif ifeq ($(NAME),) NAME := xenpolicy endif PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') ifneq ($(OUTPUT_POLICY),) CHECKPOLICY += -c $(OUTPUT_POLICY) POLVER = $(NAME).$(OUTPUT_POLICY) else POLVER +=$(NAME).$(PV) endif # Always define these because they are referenced even in non-MLS policy M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt) ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d)) # sort here since it removes duplicates, which can happen # when a generated file is already generated DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))) # modules.conf setting for policy configuration MODENABLED := on # extract settings from modules.conf ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS)) ALL_INTERFACES := $(ALL_MODULES:.te=.if) ALL_TE_FILES := $(ALL_MODULES) PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES) ######################################## # # default action: build policy locally # default: policy policy: $(POLVER) install: $(LOADPATH) load: .load_stamp ######################################## # # Build a binary policy locally # $(POLVER): policy.conf @echo "Compiling $(NAME) $(POLVER)" $(QUIET) $(CHECKPOLICY) $^ -o $@ # Uncomment line below to enable policies for devices # $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ ######################################## # # Install a binary policy # $(LOADPATH): policy.conf @echo "Compiling and installing $(NAME) $(LOADPATH)" $(QUIET) $(CHECKPOLICY) $^ -o $@ # Uncomment line below to enable policies for devices # $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ ######################################## # # Load the binary policy # .load_stamp: reload reload: $(LOADPATH) @echo "Loading $(NAME) $(LOADPATH)" $(QUIET) $(LOADPOLICY) $(LOADPATH) @touch .load_stamp ######################################## # # Construct a monolithic policy.conf # policy.conf: $(POLICY_SECTIONS) @echo "Creating $(NAME) policy.conf" # checkpolicy can use the #line directives provided by -s for error reporting: $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@ ######################################## # # Remove the dontaudit rules from the policy.conf # enableaudit: policy.conf @test -d tmp || mkdir -p tmp @echo "Removing dontaudit rules from policy.conf" $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit $(QUIET) mv tmp/policy.audit policy.conf ######################################## # # Clean the built policies. # clean: rm -fR tmp rm -f policy.conf rm -f $(POLVER) .PHONY: default policy install load reload enableaudit clean