Commit message | Author | Date | Files | Lines
* Rules.monolithic: pre-compile fcontexts on install | Christian Göttsche | 2024-03-01 | 1 | -0/+6

  On install pre-compile the file contexts.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Rules.monolithic: add target to generate CIL policy | Christian Göttsche | 2022-03-30 | 1 | -0/+15

  Add a Makefile target to generate a CIL policy, useful for debugging, introspection or testing.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.modular/Rules.monolithic: Fix intended labeling statement moves. | Chris PeBenito | 2021-04-02 | 1 | -8/+8

  The secure_mode_policyload Boolean labeling statement was lost moving the statement to the proper place in the policy.conf/base.conf. Fix this for all other labeling statements too.

  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.monolithic: add missing phony declarations | Christian Göttsche | 2021-02-06 | 1 | -1/+1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.monolithic: drop dead variable | Christian Göttsche | 2021-02-06 | 1 | -1/+1

  USEPWD is nowhere declared or documented.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.monolithic: tweak checkpolicy arguments | Christian Göttsche | 2021-02-06 | 1 | -2/+2

  - enable optimizations (3.0 https://github.com/SELinuxProject/selinux/commit/071247e8f4e9584095474093537f1869379ca43f)
  - fail on warnings (3.1 https://github.com/SELinuxProject/selinux/commit/62a91d7d71736c67dcecff3060dd2301b6313285)
  - sort ocontexts (2.9 https://github.com/SELinuxProject/selinux/commit/9077c5c056f348ab4908bdf004ca82cb1f01bd38)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.monolithic: do not suppress load_policy warning messages | Christian Göttsche | 2021-02-06 | 1 | -1/+1

  Also do not supply the policy path; it is ignored since at least 2008
  (https://github.com/SELinuxProject/selinux/commit/13cd4c8960688af11ad23b4c946149015c80d549).

    /usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules.monolithic: ignore version mismatch | Christian Göttsche | 2021-02-06 | 1 | -2/+7

  Ignore version mismatch when OUTPUT_POLICY is defined and the kernel supports a higher policy version.

  Currently Debian ships SELinux userland tools 3.1, which supports version 32, and Linux 5.10, which supports version 33.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Ensure correct monolithic binary policy is loaded | Richard Haines | 2021-01-31 | 1 | -1/+14

  When building a monolithic policy with 'make load', the selinux_config(5) file 'SELINUXTYPE' entry determines what policy is loaded as load_policy(8) does not take a path value (it always loads the active system policy as defined by /etc/selinux/config).

  Currently it is possible to load the wrong binary policy, for example if the Reference Policy source is located at:

    /etc/selinux/refpolicy

  and the /etc/selinux/config file has the following entry:

    SELINUXTYPE=targeted

  Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when 'make load' is executed.

  Resolve this by using selinux_binary_policy_path(3) to determine the current configured policy name and its location.

  Another example is that if the Reference Policy source is located at:

    /tmp/custom-rootfs/etc/selinux/refpolicy

  and the /etc/selinux/config file has the following entry:

    SELINUXTYPE=refpolicy

  Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when 'make DESTDIR=/tmp/custom-rootfs load' is executed (not the /tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the developer thought would be loaded).

  Resolve this by checking if DESTDIR has been set.

  Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

  Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Move user definitions to the right place during compilation. | Chris PeBenito | 2020-08-09 | 1 | -2/+3

  This will allow user definitions in modules to work for monolithic policies and base module.

  Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Override old all_interfaces.conf.tmp file | Christian Göttsche | 2020-08-09 | 1 | -1/+1

  Do not keep interfaces from previous builds.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Build and install Netfilter rules | Topi Miettinen | 2020-08-09 | 1 | -10/+1

  Build SECMARK rules for iptables and NFT, install them as /usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.

  Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Add divert to generated_definitions creation, and fix all_interfaces.conf divert creation. | Daniel Burgener | 2020-08-09 | 1 | -3/+5

  During normal m4 parsing, m4 outputs a blank line for each define() call. This results in the first roughly 500 lines of the .tmp files for each module being largely blank lines. Adding divert() calls to the m4 generation for generated_definitions redirects this output, so the beginning of the actual policy appears near the top of the .tmp files.

  Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rules: allow the usage of class sets in context_defaults | Christian Göttsche | 2020-08-09 | 1 | -1/+1

  Allow class sets, e.g. defined in policy/support/obj_perm_sets.spt, to be used in default_* statements in the file policy/context_defaults.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* re-implement fc_sort in python | Christian Göttsche | 2019-12-16 | 1 | -1/+1

  fc_sort is the only/last build tool that requires a C compiler.
  Re-implement it in python, so that gcc dependencies can be dropped.

  The output of the C and the python version differ slightly in the order of equally specific file contexts.

  old:

    /.*               system_u:object_r:default_t
    /sys(/.*)?        system_u:object_r:sysfs_t
    /mnt(/[^/]*)  -l  system_u:object_r:mnt_t
    /mnt(/[^/]*)? -d  system_u:object_r:mnt_t
    /opt/.*           system_u:object_r:usr_t
    /var/.*           system_u:object_r:var_t
    /usr/.*           system_u:object_r:usr_t
    /srv/.*           system_u:object_r:var_t
    /tmp/.*           <<none>>
    /run/.*           <<none>>
    /dev/.*           system_u:object_r:device_t
    /etc/.*           system_u:object_r:etc_t

  new:

    /.*               system_u:object_r:default_t
    /sys(/.*)?        system_u:object_r:sysfs_t
    /mnt(/[^/]*)  -l  system_u:object_r:mnt_t
    /mnt(/[^/]*)? -d  system_u:object_r:mnt_t
    /dev/.*           system_u:object_r:device_t
    /etc/.*           system_u:object_r:etc_t
    /opt/.*           system_u:object_r:usr_t
    /run/.*           <<none>>
    /srv/.*           system_u:object_r:var_t
    /tmp/.*           <<none>>
    /usr/.*           system_u:object_r:usr_t
    /var/.*           system_u:object_r:var_t

  Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* refpolicy: Infiniband pkeys and endports | Daniel Jurgens | 2017-05-26 | 1 | -0/+2

  Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams.

  Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA.

  This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism.

  Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
* Implement WERROR build option to treat warnings as errors. | Chris PeBenito | 2017-02-21 | 1 | -1/+1

  Add this to all Travis-CI builds.
* Add validate target for monolithic policy | Sven Vermeulen | 2015-02-15 | 1 | -0/+9
* Drop RHEL4 and RHEL5 support. | Chris PeBenito | 2014-10-12 | 1 | -7/+0
* Always use the unknown permissions handling build option. | Chris PeBenito | 2014-06-25 | 1 | -8/+2

  This compile-time feature is in the minimum-required checkpolicy/checkmodule for building the policy, so it should always be used.
* Add file for placing default_* statements. | Chris PeBenito | 2014-04-30 | 1 | -1/+1
* Fix parallel build of the policy | Nicolas Iooss | 2014-03-17 | 1 | -10/+14

  Before this commit, "make -j2" would execute twice at the same time the rules written to build tmp/all_post.conf because these rules were applied every time tmp/all_post.conf, tmp/all_attrs_types.conf and tmp/only_te_rules.conf needed to be built.

  However, executing such a line twice in parallel is buggy:

    $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> \
        tmpdir)/all_post.conf

  This is why "make" reports the following error for parallel builds:

    Compiling refpolicy-patched base module
    /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
    /usr/bin/checkmodule: loading policy configuration from base.conf
    policy/modules/kernel/ubac.te":710:ERROR 'syntax error' at token 'fs_use_trans' on line 26520:
    fs_use_trans devtmpfs system_u:object_r:device_t:s0;
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [tmp/base.mod] Error 1

  This commit fixes this bug by splitting the rules in 3 different targets, in both monolithic and modular builds.
* Make the QUIET build option apply to clean and bare targets. | Chris PeBenito | 2014-01-19 | 1 | -7/+7
* Use python libselinux bindings to determine policy version. | Chris PeBenito | 2013-08-15 | 1 | -1/+1

  This eliminates the hardcoded /selinux in Rules.monolithic, which broke when the filesystem mount was moved to /sys/fs/selinux.
* Pushing 2.20120215 (current version) | Sven Vermeulen | 2012-04-21 | 1 | -0/+256