#
# Targets:
#
-# install - compile and install the policy configuration, and context files.
+# install - compile and install the policy configuration.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# policy - compile the policy configuration locally for testing/development.
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version.
-#OUTPUT_POLICY = 20
+# OUTPUT_POLICY = 24
# Policy Type
-# strict, targeted,
-# strict-mls, targeted-mls,
-# strict-mcs, targeted-mcs
-TYPE = strict
+# xen
+# xen-mls
+TYPE = xen
# Policy Name
# If set, this will be used as the policy
-# name. Otherwise the policy type will be
+# name. Otherwise xenpolicy will be
# used for the name.
-NAME = xenrefpolicy
+# NAME = xenpolicy
-# Distribution
-# Some distributions have portions of policy
-# for programs or configurations specific to the
-# distribution. Setting this will enable options
-# for the distribution.
-# redhat, gentoo, debian, and suse are current options.
-# Fedora users should enable redhat.
-#DISTRO =
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+# MLS_SENS = 16
-# Build monolithic policy. Putting n here
-# will build a loadable module policy.
-MONOLITHIC=y
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+# MLS_CATS = 256
# Uncomment this to disable command echoing
-#QUIET:=@
+# QUIET:=@
########################################
#
BINDIR := $(PREFIX)/bin
SBINDIR := $(PREFIX)/sbin
CHECKPOLICY := $(BINDIR)/checkpolicy
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMOD_PKG := $(BINDIR)/semodule_package
LOADPOLICY := $(SBINDIR)/flask-loadpolicy
-CFLAGS := -Wall
-
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
ISIDS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
-#policy building support tools
-SUPPORT := support
-FCSORT := tmp/fc_sort
-
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
GLOBALBOOL := $(POLDIR)/global_booleans
BOOLEANS := $(POLDIR)/booleans.conf
# install paths
-TOPDIR = $(DESTDIR)$(XEN_CONFIG_DIR)
-INSTALLDIR = $(TOPDIR)/$(NAME)
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
+
+DESTDIR = /boot
+INSTALLDIR = $(DESTDIR)
+LOADPATH = $(INSTALLDIR)/$(POLVER)
+
+# default MLS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 256
# enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),)
- override M4PARAM += -D enable_mls
+ M4PARAM += -D enable_mls
CHECKPOLICY += -M
- CHECKMODULE += -M
endif
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
- override M4PARAM += -D enable_mcs
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- override M4PARAM += -D targeted_policy
+ifeq ($(NAME),)
+ NAME := xenpolicy
endif
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
- override M4PARAM += -D distro_$(DISTRO)
-endif
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY)
+ POLVER = $(NAME).$(OUTPUT_POLICY)
+else
+ POLVER +=$(NAME).$(PV)
endif
-ifeq ($(NAME),)
- NAME := $(TYPE)
-endif
# determine the policy version and current kernel version if possible
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-KV := $(shell cat /selinux/policyvers)
-
-# dont print version warnings if we are unable to determine
-# the currently running kernel's policy version
-ifeq ($(KV),)
- KV := $(PV)
-endif
-
-FC := file_contexts
-POLVER := policy.$(PV)
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
-APPCONF := config/appconfig-$(TYPE)
-APPDIR := $(CONTEXTPATH)
-APPFILES := $(INSTALLDIR)/booleans
-CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
-
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
-GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
-GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
-GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
-
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
-# modules.conf setting for base module
-MODBASE := base
-
-# modules.conf setting for module
-MODMOD := module
+# modules.conf setting for policy configuration
+MODENABLED := on
# extract settings from modules.conf
-BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
-MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+
+ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
-HOMEDIR_TEMPLATE = tmp/homedir_template
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
########################################
#
-# Load appropriate rules
+# default action: build policy locally
#
+default: policy
-ifeq ($(MONOLITHIC),y)
- include Rules.monolithic
-else
- include Rules.modular
-endif
+policy: $(POLVER)
+
+install: $(LOADPATH)
+
+load: tmp/load
########################################
#
-# Create config files
+# Build a binary policy locally
#
-conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
-
-$(MOD_CONF) $(BOOLEANS): $(POLXML)
- @echo "Updating $(MOD_CONF) and $(BOOLEANS)"
- $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
+$(POLVER): policy.conf
+ @echo "Compiling $(NAME) $(POLVER)"
+ $(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#
-# Appconfig files
+# Install a binary policy
#
-install-appconfig: $(APPFILES)
-
-$(INSTALLDIR)/booleans: $(BOOLEANS)
- @mkdir -p $(INSTALLDIR)
- $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
- | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
- $(QUIET) install -m 644 tmp/booleans $@
+$(LOADPATH): policy.conf
+ @echo "Compiling and installing $(NAME) $(LOADPATH)"
+ $(QUIET) $(CHECKPOLICY) $^ -o $@
########################################
#
-# Install policy sources
+# Load the binary policy
#
-install-src:
- rm -rf $(SRCPATH)/policy.old
- -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
- mkdir -p $(SRCPATH)/policy
- cp -R . $(SRCPATH)/policy
+reload tmp/load: $(LOADPATH) $(FCPATH)
+ @echo "Loading $(NAME) $(LOADPATH)"
+ $(QUIET) $(LOADPOLICY) $(LOADPATH)
+ @touch tmp/load
########################################
#
-# Clean everything
-#
-bare: clean
- rm -f $(POLXML)
- rm -f $(SUPPORT)/*.pyc
- rm -f $(FCSORT)
- rm -f $(MOD_CONF)
- rm -f $(BOOLEANS)
- rm -fR $(HTMLDIR)
-ifneq ($(GENERATED_TE),)
- rm -f $(GENERATED_TE)
-endif
-ifneq ($(GENERATED_IF),)
- rm -f $(GENERATED_IF)
+# Construct a monolithic policy.conf
+#
+policy.conf: $(POLICY_SECTIONS)
+ @echo "Creating $(NAME) policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+ $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
endif
-ifneq ($(GENERATED_FC),)
- rm -f $(GENERATED_FC)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+ifeq ($(ALL_TE_FILES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
endif
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(POST_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last. portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+ $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+ $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+ $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+ $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
+ < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: policy.conf
+ @test -d tmp || mkdir -p tmp
+ @echo "Removing dontaudit rules from policy.conf"
+ $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
+ $(QUIET) mv tmp/policy.audit policy.conf
+
+########################################
+#
+# Clean the built policies.
+#
+clean:
+ rm -fR tmp
+ rm -f policy.conf
+ rm -f $(POLVER)
-.PHONY: install-src install-appconfig conf html bare
+.PHONY: default policy install load reload enableaudit clean
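Review bot: The new install rule `$(LOADPATH): policy.conf` compiles with checkpolicy straight into `$(INSTALLDIR)` without creating that directory first, whereas the Rules.monolithic rule this commit deletes ran `@mkdir -p $(POLICYPATH)` before checkpolicy; with `DESTDIR = /boot` hard-coded this happens to work, but any override of DESTDIR to a fresh staging path fails with an opaque checkpolicy open error, so add `@mkdir -p $(INSTALLDIR)` as the first recipe line of that rule. The prerequisite list `reload tmp/load: $(LOADPATH) $(FCPATH)` still names FCPATH, which as far as this diff shows was only defined in the removed Rules.monolithic, so it now expands to nothing and should be dropped rather than left as a dangling reference. The assignment `POLVER +=$(NAME).$(PV)` in the else branch only works because POLVER is still undefined at that point; `POLVER = $(NAME).$(PV)` matches the sibling `POLVER = $(NAME).$(OUTPUT_POLICY)` and reads as intended. Note also that if `$(CHECKPOLICY) -V` fails, PV is empty and the default target silently produces a file named `$(NAME).`; a `$(if $(PV),,$(error ...))` guard after the `PV :=` line would surface that at parse time.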
+++ /dev/null
-########################################
-#
-# Rules and Targets for building modular policies
-#
-
-ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-
-BASE_PKG := base.pp
-BASE_FC := base.fc
-
-BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
-
-BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
-BASE_TE_FILES := $(BASE_MODS)
-BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
-BASE_FC_FILES := $(BASE_MODS:.te=.fc)
-
-MOD_MODULES := $(MOD_MODS:.te=.mod)
-MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
-
-# search layer dirs for source files
-vpath %.te $(ALL_LAYERS)
-vpath %.if $(ALL_LAYERS)
-vpath %.fc $(ALL_LAYERS)
-
-########################################
-#
-# default action: create all module packages
-#
-default: base
-
-base: $(BASE_PKG)
-
-modules: $(MOD_PKGS)
-
-#policy: $(POLVER)
-#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-#load: tmp/load
-
-########################################
-#
-# Create a base module package
-#
-$(BASE_PKG): tmp/base.mod $(BASE_FC)
- @echo "Creating $(NAME) base module package"
- $(QUIET) $(SEMOD_PKG) $@ $^
-
-########################################
-#
-# Compile a base module
-#
-tmp/base.mod: base.conf
- @echo "Compiling $(NAME) base module"
- $(QUIET) $(CHECKMODULE) $^ -o $@
-
-########################################
-#
-# Construct a base module policy.conf
-#
-base.conf: $(BASE_SECTIONS)
- @echo "Creating $(NAME) base module policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
- $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
- $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
-# the ordering of these ocontexts matters:
- $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
- $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
- $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
-
-tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
- @test -d tmp || mkdir -p tmp
-# define all available object classes
- $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
-# per-userdomain templates
- $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
- $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
- echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
- >> $@ ;\
- done
- $(QUIET) echo "')" >> $@
-# define foo.te
- $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
- echo "define(\`$$i')" >> $@ ;\
- done
- $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(BASE_TE_FILES)
-ifeq ($(BASE_TE_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last. portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
- $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
- $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
- $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
- $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
- -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
- < tmp/all_te_files.conf > tmp/only_te_rules.conf
-
-########################################
-#
-# Construct base module file contexts
-#
-$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
-ifeq ($(BASE_FC_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @echo "Creating $(NAME) base module file contexts."
- @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
- $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
- $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
- $(QUIET) $(FCSORT) tmp/$@.tmp $@
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
- @if test -z "$(filter $^,$(MOD_MODS))"; then \
- echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
- false ;\
- fi
- @echo "Compliling $(NAME) $(@F) module"
- $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-%.pp: tmp/%.mod %.fc
- @echo "Creating $(NAME) $(@F) policy package"
- $(QUIET) $(SEMOD_PKG) $@ $^
-
-########################################
-#
-# Clean the sources
-#
-clean:
- rm -fR tmp
- rm -f base.conf
- rm -f *.pp
- rm -f $(BASE_FC)
-
-.PHONY: default base modules clean
+++ /dev/null
-########################################
-#
-# Rules and Targets for building monolithic policies
-#
-
-# install paths
-POLICYPATH = $(INSTALLDIR)/policy
-LOADPATH = $(POLICYPATH)/$(POLVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-# for monolithic policy use all base and module to create policy
-ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
-
-ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
-
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
-POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
-
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
-
-policy: $(POLVER)
-
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-
-load: tmp/load
-
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
- @echo "Compiling $(NAME) $(POLVER)"
-ifneq ($(PV),$(KV))
- @echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
- @echo
-endif
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
- @mkdir -p $(POLICYPATH)
- @echo "Compiling and installing $(NAME) $(LOADPATH)"
-ifneq ($(PV),$(KV))
- @echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
- @echo
-endif
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-reload tmp/load: $(LOADPATH) $(FCPATH)
- @echo "Loading $(NAME) $(LOADPATH)"
- $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
- @touch tmp/load
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
-policy.conf: $(POLICY_SECTIONS)
- @echo "Creating $(NAME) policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
- $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
- $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
-
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
-# per-userdomain templates:
- @test -d tmp || mkdir -p tmp
- $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
- $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
- echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
- >> $@ ;\
- done
- $(QUIET) echo "')" >> $@
-# define foo.te
- $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
- echo "define(\`$$i')" >> $@ ;\
- done
-# $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last. portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
- $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
- $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
- $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
- $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
- -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
- < tmp/all_te_files.conf > tmp/only_te_rules.conf
-
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: policy.conf
- @test -d tmp || mkdir -p tmp
- @echo "Removing dontaudit rules from policy.conf"
- $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
- $(QUIET) mv tmp/policy.audit policy.conf
-
-########################################
-#
-# Construct file_contexts
-#
-$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
-ifeq ($(ALL_FC_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
-endif
- @echo "Creating $(NAME) file_contexts."
- @test -d tmp || mkdir -p tmp
- $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
-# $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
-# $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
-# $(QUIET) $(FCSORT) tmp/$@.tmp $@
- $(QUIET) touch $(HOMEDIR_TEMPLATE)
- $(QUIET) touch $@
-
-########################################
-#
-# Install file_contexts
-#
-$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
- @echo "Validating $(NAME) file_contexts."
-# $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
- @echo "Installing file_contexts."
- @mkdir -p $(CONTEXTPATH)/files
- $(QUIET) install -m 644 $(FC) $(FCPATH)
- $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
-
-########################################
-#
-# Run policy source checks
-#
-check: policy.conf $(FC)
- $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res
-
-longcheck: policy.conf $(FC)
- $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
-
-########################################
-#
-# Clean the sources
-#
-clean:
- rm -fR tmp
- rm -f policy.conf
- rm -f policy.$(PV)
- rm -f $(FC)
- rm -f *.res
-
-.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
+++ /dev/null
-ifdef(`enable_mcs',`
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-
-') dnl end enable_mcs
-
ifdef(`enable_mls',`
#
# Define sensitivities
#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+# Domination of sensitivities is in increasin
+# numerical order, with s0 being the lowest
+gen_sens(mls_num_sens)
#
# Define the categories
#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
+# Generate declarations
+gen_cats(mls_num_cats)
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
+# Generate levels from all sensitivities
+# with all categories
+gen_levels(mls_num_sens,mls_num_cats)
#
# Define the MLS policy
# name_list : name | name_list name
#
+#
+# MLS policy for the domain class
+#
+
+# new domain labels must be dominated by the calling subject clearance
+# and sensitivity level changes require privilege
+mlsconstrain domain transition
+ (( h1 dom h2 ) and (( l1 eq l2 ) or (t1 == mls_priv)));
+
+# all the domain "read" ops
+mlsconstrain domain { getvcpuaffinity getdomaininfo getvcpuinfo getvcpucontext getaddrsize getextvcpucontext }
+ ((l1 dom l2) or (t1 == mls_priv));
+
+# all the domain "write" ops
+mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus destroy setvcpuaffinity scheduler setdomainmaxmem setdomainhandle setdebugging hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
+ ((l1 eq l2) or (t1 == mls_priv));
+
+# This is incomplete - similar constraints must be written for all classes
+# and permissions for which MLS enforcement is desired.
') dnl end enable_mls
#
# This file contains a listing of available modules.
# To prevent a module from being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module. "module" will be compiled
-# as individual loadable modules.
+# creation, set the module name to "off" otherwise
+# set the module name on "on".
#
# Layer: xen
#
# Policy for xen.
#
-xen = base
+xen = on
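Review bot: The reworded comment at the top of this file has a typo in the new text: `set the module name on "on"` should read `set the module name to "on"`. Since this comment is the only guidance a user gets before flipping modules, it is worth getting the wording right in the same change that drops the old `base`/`module` explanation.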
+###############################################################################
#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+ type $2, domain_type;
+ allow $1 $2:domain {create max_vcpus setdomainmaxmem
+ setaddrsize getdomaininfo hypercall
+ setvcpucontext scheduler unpause
+ getvcpuinfo getaddrsize getvcpuaffinity};
+ allow $1 $2:shadow {enable};
+ allow $1 $2:mmu {map_read map_write adjust physmap};
+ allow $2 $2:mmu {adjust physmap};
+ allow $1 $3:event {create};
+')
+
+###############################################################################
+#
+# create_hvm_dom(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_hvm_dom', `
+ create_domain($1, $2, $3)
+ allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel };
+ allow $2 $2:hvm setparam;
+')
+
+###############################################################################
+#
+# create_pv_dom(priv_dom, domain, channel, iodomain)
+#
+################################################################################
+define(`create_pv_dom', `
+ create_domain($1, $2, $3)
+ allow $1 $2:mmu {memorymap pinpage};
+ allow $2 $2:mmu {map_read map_write pinpage};
+ allow $2 $4:mmu {map_read};
+
+ allow $2 $2:grant {query setup};
+ allow $1 $2:grant {map_read unmap};
+')
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+ allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+ type $3, event_type;
+ type_transition $1 $2:event $3;
+ allow $1 $3:event {create};
+ allow $3 $2:event {bind};
+')
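Review bot: `create_hvm_dom` grants the new domain `setparam` on itself (`allow $2 $2:hvm setparam;`) with nothing in the macro body or its header comment saying why a guest needs to set its own HVM parameters; the policy rule does not narrow which parameters, so whether this is safe depends on per-parameter checks inside the hypervisor that are not visible in this hunk. Either narrow the grant or document the reliance, e.g. `# guest may set its own HVM params; safety depends on the hypervisor's per-param restrictions` above that rule. The macro headers also list only argument names; a one-line description per argument (in particular that `iodomain` in `create_pv_dom` is the domain the new guest is allowed to `mmu map_read`) would make this interface file usable without reading the bodies.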
attribute domain_type;
attribute resource_type;
attribute event_type;
+attribute mls_priv;
-type xen_t, xen_type, domain_type;
+type xen_t, xen_type, domain_type, mls_priv;
-type dom0_t, domain_type;
+type dom0_t, domain_type, mls_priv;
type domio_t, domain_type;
type iomem_t, resource_type;
type device_t, resource_type;
-################################################################################
-#
-# create_domain(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_domain', `
- type $2, domain_type;
- allow $1 $2:domain {create max_vcpus setdomainmaxmem
- setaddrsize getdomaininfo hypercall
- setvcpucontext scheduler unpause
- getvcpuinfo getaddrsize getvcpuaffinity};
- allow $1 $2:shadow {enable};
- allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
- allow $2 $2:mmu {map_read map_write adjust pinpage};
- allow $2 domio_t:mmu {map_read};
- allow $2 $2:grant {query setup};
- allow $1 $2:grant {map_read unmap};
- allow $1 $3:event {create};
-')
-
-################################################################################
-#
-# manage_domain(priv_dom, domain)
-#
-################################################################################
-define(`manage_domain', `
- allow $1 $2:domain {pause destroy};
-')
-
-################################################################################
-#
-# create_channel(caller, peer, channel)
-#
-################################################################################
-define(`create_channel', `
- type $3, event_type;
- type_transition $1 $2:event $3;
- allow $1 $3:event {create};
- allow $3 $2:event {bind};
-')
-
################################################################################
#
# Boot the hypervisor and dom0
allow xen_t iomem_t:resource {add_iomem remove_iomem};
allow dom0_t iomem_t:resource {use};
allow xen_t pirq_t:resource {add_irq remove_irq};
-allow dom0_t pirq_t:resource {use};
+allow dom0_t pirq_t:resource { add_irq remove_irq use};
+allow dom0_t dom0_t:resource { add remove };
+allow dom0_t xen_t:xen firmware;
allow dom0_t security_t:security {compute_av compute_create compute_member
check_context load_policy compute_relabel compute_user setenforce setbool
# Create and manage a domU w/ dom0 IO
#
################################################################################
-create_domain(dom0_t, domU_t, evchnU-0_t)
+create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t)
create_channel(domU_t, domU_t, evchnU-U_t)
allow domU_t evchnU-U_t:event {send};
manage_domain(dom0_t, domU_t)
+################################################################################
+#
+# Create and manage an HVM domU w/ dom0 IO
+#
+################################################################################
+create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t)
+allow dom0_t evchn0-HU_t:event {send};
+
+create_channel(domHU_t, domHU_t, evchnHU-HU_t)
+allow domHU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domHU_t, evchn0-HU_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domHU_t, dom0_t, evchnHU-0_t)
+allow domHU_t evchnU-0_t:event {send};
+
+allow dom0_t dom0_t:event {send};
+
+manage_domain(dom0_t, domHU_t)
+
################################################################################
#
#
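Review bot: The three `send` rules in the new HVM block name the PV domU channel types instead of the channels created just above them: `create_channel(domHU_t, domHU_t, evchnHU-HU_t)` is followed by `allow domHU_t evchnU-U_t:event {send};`, `create_channel(dom0_t, domHU_t, evchn0-HU_t)` by `allow dom0_t evchn0-U_t:event {send};`, and `create_channel(domHU_t, dom0_t, evchnHU-0_t)` by `allow domHU_t evchnU-0_t:event {send};`. Going by the `type_transition` in `create_channel`, domHU_t's own ports would be labelled `evchnHU-HU_t` and `evchnHU-0_t`, so as written the HVM guest appears to get no `send` on its own channels while being granted `send` on types it never owns; the PV block above pairs each `create_channel` with its own type. The lines should read `allow domHU_t evchnHU-HU_t:event {send};`, `allow dom0_t evchn0-HU_t:event {send};` and `allow domHU_t evchnHU-0_t:event {send};` (the middle one then duplicates the rule right after `create_hvm_dom`, so one of the two copies can go).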
sid device gen_context(system_u:object_r:device_t,s0)
role system_r types { xen_type domain_type };
-role user_r types { xen_type domain_type };
-role sysadm_r types { xen_type domain_type };
-role staff_r types { xen_type domain_type };
#
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+#
+# ifndef(expr,true_block,false_block)
+#
+# m4 does not have this.
+#
+define(`ifndef',`ifdef(`$1',`$3',`$2')')
+
+#
+# __endline__
+#
+# dummy macro to insert a newline. used for
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
+########################################
+#
+# refpolwarn(message)
+#
+# print a warning message
+#
+define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)')
+
+########################################
+#
+# refpolerr(message)
+#
+# print an error message. does not
+# make anything fail.
+#
+define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)')
+
########################################
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range)
#
-define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+define(`gen_user',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`';
+')
########################################
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'')
########################################
#
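Review bot: The header comments for the two new diagnostics name them `refpolwarn(message)` and `refpolerr(message)` but the macros actually defined are `refpolicywarn` and `refpolicyerr`; the comments should use the defined names so a search for the documented name finds the definition. The `refpolicyerr` header also says the error "does not make anything fail", which means a policy build that hits it still produces output; if a failing build is wanted, append `m4exit(1)` to the definition, e.g. `define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)m4exit(1)')`, otherwise keep the wording but say where the message is expected to be checked. Separately, the new `gen_user` signature adds a `prefix` argument that the body never references; a note such as `# $2 (prefix) is currently unused` would stop readers from hunting for its effect.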
--- /dev/null
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
+define(`mls_allcats',`c0.c`'decr(mls_num_cats)')
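Review bot: `gen_cats`, `gen_sens` and `gen_levels` recurse until the counter equals `decr(N)`, so a non-positive N makes `decr($1)` negative and the recursion never terminates instead of failing the build. A guard such as `define(`gen_cats',`ifelse(eval($1 < 1),1,`errprint(gen_cats: N must be positive)m4exit(1)',`decl_cats(0,decr($1))')')` (and the equivalent for `gen_sens` and `gen_levels`) turns that into an error at the point of misuse. The comments also have typos — `categores` → `categories`, `sensitivites` → `sensitivities` — and the `gen_levels` header should say `levels s0 to s(N-1) with categories c0 to c(M-1)` to match the wording used for `gen_cats` and `gen_sens`.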
+++ /dev/null
-##################################
-#
-# System User configuration.
-#
-
-#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
-
-# Normal users should not be added to this file,
-# but instead added to the users file.
-
##################################
#
-# Core User configuration.
+# System User configuration.
#
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
#
#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
#
-ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
-',`
-gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
-')
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-ifdef(`targeted_policy',`
- gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
-',`
- ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
- ',`
- gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
- ')
-')