[selinux-policy: 245/3172] move global.if to support_macros at top level

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:26:07 UTC 2010


commit de96491bda41322e3d4ff8277826d8b5c33ebb75
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jun 1 19:17:13 2005 +0000

    move global.if to support_macros at top level

 refpolicy/Makefile                      |    7 +-
 refpolicy/policy/support/support_macros |  283 +++++++++++++++++++++++++++++++
 2 files changed, 287 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 98beae7..8443652 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -89,6 +89,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 BASE_MODULE = kernel
 FLASKDIR = flask
 APPCONF = appconfig
+M4SUPPORT = support_macros
 
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
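Review bot: `M4SUPPORT = support_macros` is resolved relative to the directory make runs in, but the diffstat and the second file header put the new file at `policy/support/support_macros`, so `$(M4SUPPORT)` used as a prerequisite of `$(FC)` and as a member of `PRE_TE_FILES` will only be found if a `support_macros` file actually exists beside the Makefile. The old prerequisite `kernel/global.if` suggests the build uses the same base directory as `kernel/`, so the two locations look inconsistent; confirm which one is real and make the variable agree with it, e.g. `M4SUPPORT = policy/support/support_macros` if the `policy/` layout is the intended one. Since this is a plain constant, `M4SUPPORT := support_macros` would also match the `:=` flavour used for the derived lists below. A one-line comment such as `# m4 macro definitions; must be fed to m4 before every .te/.if/.fc input` next to the definition would make the ordering constraint explicit for the rules that rely on it.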
@@ -98,7 +99,7 @@ USER_FILES := users
 DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
 ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
 
-PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
+PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
 ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
 ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
 POST_TE_FILES := users constraints initial_sid_contexts fs_use
@@ -185,7 +186,7 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
 		echo "define(\`$$i')" >> $@ ;\
 	done
 	$(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
-		| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if - \
+		| m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
 		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 # this is so the xml works:
 	$(QUIET) echo "## </module>" >> $@
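Review bot: The recipe now reads `$(M4SUPPORT)`, but it is not visible among the prerequisites of `tmp/generated_definitions.conf` (the rule header is cut off at the right edge of the hunk, so it may be listed further along); if it is missing, edits to the macro file will not regenerate the network definitions, which would be a stale-build rather than a correctness failure. Separately, the exit status of the `egrep | m4 | sed >> $@` pipeline is sed's, so an m4 failure (for instance the macro file not being found at the path discussed above) is masked and `>> $@` leaves an incomplete file with a fresh mtime that the next run treats as up to date. Adding `$(M4SUPPORT)` to the rule's prerequisites, e.g. `tmp/generated_definitions.conf: $(M4SUPPORT) $(ALL_LAYERS) $(ALL_TE_FILES) ...`, and a `.DELETE_ON_ERROR:` special target near the top of the Makefile would address both. The rule's recipe begins before this hunk, so the `for` loop feeding the first `echo` is not fully visible here.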
@@ -226,7 +227,7 @@ enableaudit: policy.conf
 #
 # Construct file_contexts
 #
-$(FC): kernel/global.if $(ALL_FC_FILES)
+$(FC): $(M4SUPPORT) $(ALL_FC_FILES)
 	@test -d tmp || mkdir -p tmp
 	$(QUIET) m4 $(M4PARAM) $^ > $@
 
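Review bot: `m4 $(M4PARAM) $^ > $@` writes `$(FC)` in place, so if m4 fails part-way (an undefined macro in one of the .fc files, or the macro file missing) a truncated file_contexts is left behind with a newer mtime than its inputs and is considered up to date on the next run; a truncated file_contexts silently leaves the paths after the cut-off point without their intended labels at relabel time, which is a security-relevant failure mode for this particular output. Write to a temporary name and rename on success, `$(QUIET) m4 $(M4PARAM) $^ > $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` to the Makefile. The prerequisite order is what makes the macros available to the .fc files, since `$^` preserves it, so a comment on the rule such as `# $(M4SUPPORT) must come first: m4 needs the macro definitions before any .fc file` would protect that ordering from a well-meaning reordering later.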
diff --git a/refpolicy/policy/support/support_macros b/refpolicy/policy/support/support_macros
new file mode 100644
index 0000000..c02e0a1
--- /dev/null
+++ b/refpolicy/policy/support/support_macros
@@ -0,0 +1,283 @@
+
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ifdef(`monolithic_policy',`',`
+module $1 $2;
+')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a requires block
+#
+define(`requires_block_template',`
+ifdef(`monolithic_policy',`',`
+require {
+$1
+}
+') dnl end ifdef monolithic_policy
+') dnl end requires_block_template
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end optional_policy
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ifdef(`monolithic_policy',`
+ifdef(`$1',$2,$3)
+',`
+optional {
+require { $1 }
+$2
+} else {
+$3
+}
+') dnl end ifdef monolithic_policy
+') dnl end tunable_policy
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# context_template(context,sensitivity)
+#
+# Optionally put the sensitivity for the file
+#
+define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
+
+########################################
+#
+# user_mls(level,range)
+#
+define(`user_mls',`ifdef(`enable_mls',`level $1 range $2')') dnl
+
+########################################
+# 
+# Macros for sets of classes and permissions.
+#
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }')
+
+
+#
+# Datagram socket classes.
+# 
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+
+# 
+# Permissions for getting file attributes.
+#
+define(`stat_file_perms', `{ getattr }')
+
+# 
+# Permissions for executing files.
+#
+define(`x_file_perms', `{ getattr execute }')
+
+# 
+# Permissions for reading files and their attributes.
+#
+define(`r_file_perms', `{ read getattr lock ioctl }')
+
+# 
+# Permissions for reading and executing files.
+#
+define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+
+# 
+# Permissions for reading and writing files and their attributes.
+#
+define(`rw_file_perms', `{ ioctl read getattr lock write append }')
+
+# 
+# Permissions for reading and appending to files.
+#
+define(`ra_file_perms', `{ ioctl read getattr lock append }')
+
+#
+# Permissions for linking, unlinking and renaming files.
+# 
+define(`link_file_perms', `{ getattr link unlink rename }')
+
+#
+# Permissions for creating lnk_files.
+#
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
+
+#
+# Permissions for creating and using files.
+# 
+define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+
+# 
+# Permissions for reading directories and their attributes.
+#
+define(`r_dir_perms', `{ read getattr lock search ioctl }')
+
+# 
+# Permissions for reading and writing directories and their attributes.
+#
+define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+
+# 
+# Permissions for reading and adding names to directories.
+#
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+
+
+#
+# Permissions for creating and using directories.
+# 
+define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+# 
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+# 
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+# 
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+# 
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+# 
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+
+
+
+
+
+
+
+
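Review bot: `create_netlink_socket_perms` and `rw_netlink_socket_perms` expand to exactly the same set, `{ create_socket_perms nlmsg_read nlmsg_write }`, so one should be defined in terms of the other (or dropped) before the two drift apart when someone later tightens only one of them. The header comments on `connected_socket_perms` and `connected_stream_socket_perms` are copied from `create_socket_perms` ("Permissions for creating and using sockets") even though the set differs from `rw_socket_perms` by omitting `connect`; a comment such as `# Like create_socket_perms but without connect, presumably for sockets that arrive already connected -- verify` would state the actual difference. `r_netlink_socket_perms` is described as "operations that observe state" yet still grants socket-level `write` (via `create_socket_perms` and `rw_socket_perms`), which is probably required to send the query at all but deserves a sentence, e.g. `# socket write is still needed to send the request; only nlmsg_write is withheld`, so least-privilege reviewers do not read it as a read-only set.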

