[selinux-policy: 263/3172] start adding module disable and tunable infrastructure
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:27:39 UTC 2010
commit 0fbe15dc8a940b9d469971178b4889621eeaff86
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jun 7 15:11:47 2005 +0000
start adding module disable and tunable infrastructure
refpolicy/Makefile | 47 ++++++++++++++++++++++++++++++++++++-----------
1 files changed, 36 insertions(+), 11 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 30f703d..b47dbd7 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -111,20 +111,26 @@ FLASKDIR = $(POLDIR)/flask
APPCONF = config/appconfig
M4SUPPORT = $(POLDIR)/support/support_macros $(wildcard $(POLDIR)/support/*.spt)
+MOD_DISABLE := $(POLDIR)/modules.disable
+TUNABLES = $(POLDIR)/tunables.conf
+
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users
+DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$(shell find -iname $(mod).te))
DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))
+DETECTED_MODS := $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te))
+ALL_MODULES := $(filter-out $(DISABLEMOD),$(DETECTED_MODS))
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
-ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
-ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
-ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
+ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
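Review bot: The new `DISABLEMOD :=` line interpolates every uncommented word of modules.disable unquoted into a `$(shell find -iname $(mod).te)` command, so a stray glob or shell metacharacter in that file is expanded by the shell, `-iname` matches case-insensitively across the whole tree (tmp/ included), and the result only cancels against DETECTED_MODS because find happens to print the same `./policy/modules/...` prefix. A pure-Make filter over the already detected list is exact and spawns no extra shell: move the definition below DETECTED_MODS and write `MODS_TO_DISABLE := $(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE) 2>/dev/null)` followed by `DISABLEMOD := $(filter $(addprefix %/,$(addsuffix .te,$(MODS_TO_DISABLE))),$(DETECTED_MODS))`, where the `2>/dev/null` also silences the egrep error otherwise printed on every parse before `make conf` has created the file. Separately, ALL_INTERFACES and ALL_FC_FILES are now derived from `.te` names instead of globbed, so an `.if` without a matching `.te` is silently dropped and every module is assumed to ship a `.if` and `.fc` that the later `cat` can read; a comment such as `# every module must provide name.te, name.if and name.fc` would make that contract explicit.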
@@ -205,13 +211,13 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
# per-userdomain templates:
@test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
- $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))); do \
+ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
>> $@ ;\
done
$(QUIET) echo "')" >> $@
# define foo.te
- $(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
+ $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
echo "define(\`$$i')" >> $@ ;\
done
# generate network interfaces
@@ -221,13 +227,13 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
# this is so the xml works:
$(QUIET) echo "## </module>" >> $@
-tmp/all_interfaces.conf: $(ALL_INTERFACES)
+tmp/all_interfaces.conf: $(ALL_INTERFACES) $(MOD_DISABLE)
@test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
+ $(QUIET) cat $(ALL_INTERFACES) > $@
-tmp/all_te_files.conf: $(ALL_TE_FILES)
+tmp/all_te_files.conf: $(ALL_TE_FILES) $(MOD_DISABLE)
@test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
+ $(QUIET) cat $(ALL_TE_FILES) > $@
tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp
@@ -249,6 +255,21 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
########################################
#
+# Create config files
+#
+conf $(MOD_DISABLE) $(TUNABLES):
+ $(QUIET) touch $(TUNABLES)
+ @echo "Creating $(MOD_DISABLE)"
+ @echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
+ @echo "# To prevent a module from being used in policy" >> $(MOD_DISABLE)
+ @echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
+ @echo "" >> $(MOD_DISABLE)
+ @for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
+ echo "#$$i" >> $(MOD_DISABLE) ;\
+ done
+
+########################################
+#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: policy.conf
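Review bot: The `for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES))))` loop builds the module listing from ALL_TE_FILES, which is already filtered by DISABLEMOD, so regenerating modules.disable while any module is disabled omits those names from the new file and silently re-enables them; the listing should come from the unfiltered `$(DETECTED_MODS)`. The header `conf $(MOD_DISABLE) $(TUNABLES):` also declares three independent rules sharing one recipe, so a merely missing tunables.conf rewrites an already-edited modules.disable, and `make conf` always replaces local edits with the default template. I would make `conf` a phony that depends on the two files, give each file its own rule, and write the listing to `$@.tmp` before renaming so an interrupted run cannot leave a truncated file that later builds treat as current; the enableaudit rule that follows continues outside the hunk.
```make
conf: $(MOD_DISABLE) $(TUNABLES)

$(TUNABLES):
	$(QUIET) touch $@

$(MOD_DISABLE):
	@echo "Creating $@"
	@echo "# This file contains a listing of available modules." > $@.tmp
	@echo "# To prevent a module from being used in policy" >> $@.tmp
	@echo "# creation, uncomment the line with its name." >> $@.tmp
	@echo "" >> $@.tmp
	@for i in $(sort $(patsubst %.te,%,$(notdir $(DETECTED_MODS)))); do \
		echo "#$$i" >> $@.tmp ;\
	done
	$(QUIET) mv -f $@.tmp $@
```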
@@ -269,7 +290,7 @@ $(FC): $(M4SUPPORT) $(ALL_FC_FILES)
#
# Install file_contexts
#
-$(FCPATH): $(FC) $(USERPATH)/system.users
+$(FCPATH): $(FC) $(USERPATH)/system.users $(MOD_DISABLE)
@mkdir -p $(CONTEXTPATH)/files
$(QUIET) install -m 644 $(FC) $(FCPATH)
# $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
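Review bot: Adding `$(MOD_DISABLE)` to the `$(FCPATH)` install rule attaches the dependency to the wrong node: the installed file_contexts is a copy of `$(FC)`, and it is `$(FC)` (header visible in the hunk context as `$(FC): $(M4SUPPORT) $(ALL_FC_FILES)`, body outside the hunk) that must be regenerated when the disable list changes, since a `.fc` dropped from ALL_FC_FILES never makes the existing `$(FC)` look out of date. As written, editing modules.disable re-installs a stale `$(FC)`. Move the prerequisite: `$(FC): $(M4SUPPORT) $(ALL_FC_FILES) $(MOD_DISABLE)` and keep `$(FCPATH): $(FC) $(USERPATH)/system.users` as before.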
@@ -396,4 +417,8 @@ clean:
rm -f policy.$(PV)
rm -f $(FC)
-.PHONY: default policy install reload enableaudit checklabels restorelabels relabel clean
+bare: clean
+ rm -f $(MOD_DISABLE)
+ rm -f $(TUNABLES)
+
+.PHONY: default policy install reload enableaudit checklabels restorelabels relabel conf clean bare