authorNicolas Iooss <nicolas.iooss@m4x.org>2017-02-27 22:02:52 +0100
committerSven Vermeulen <swift@gentoo.org>2017-03-02 11:16:50 +0100
commitf95f7ed0d8bdb0bcfd8571363e5bb11799cf4678 (patch)
tree5bb3fc6cde76b40c1186c669e3b12145ee7d5c97 /Rules.modular
parentimprove documentation for user_user_(inherited_)?user_terminals (diff)
Make "validate" target verify file contexts
When I synchronized my personal policy with the git master branch, "git rebase" merged the file contexts I have defined for some systemd components with the ones which have recently been merged. This resulted in duplicated file contexts in systemd.fc, which made the policy unable to be loaded. This issue has not been detected by "make validate" because this command only verifies policy linking, not the correctness of the file contexts. Moreover this behavior of "make validate" only happens when building a modular policy. Indeed Rules.monolithic calls setfiles in order to validate the file contexts: validate: $(fc) $(polver) @echo "Validating $(NAME) file_contexts." $(verbose) $(SETFILES) -q -c $(polver) $(fc) @echo "Success." Invoke setfiles in Rules.modular too in order to catch issues in file contexts with "make validate". With the issue I experienced, I would have got the following message: Validating policy file contexts. /sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?. tmp/all_mods.fc: Invalid argument make: *** [Rules.modular:210: validate] Error 1 While at it, simplify .SECONDARY definition with a newly-introduced $(all_mod_fc) variable.
Diffstat (limited to 'Rules.modular')
-rw-r--r--Rules.modular12
1 files changed, 9 insertions, 3 deletions
diff --git a/Rules.modular b/Rules.modular
index 60fe55496..49d3cca91 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -5,6 +5,7 @@
all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)
+all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc)))
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
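Review bot: `all_mod_fc` is derived from `$(all_modules)`, which includes `$(off_mods)`, while the `validate` recipe later in this patch links only `$(base_pkg) $(mod_pkgs)` into `$(tmpdir)/policy.bin`. If disabled modules carry file contexts whose types are not part of that policy, `setfiles -c` would presumably reject them and `make validate` would fail on a tree that actually loads; this depends on how `off_mods` is populated, which is not visible here. Consider feeding the check a list built only from linked modules, e.g. `validate_fc := $(addprefix $(tmpdir)/,$(notdir $(patsubst %.te,%.mod.fc,$(base_mods) $(mod_mods))))`, or add a comment stating why contexts of disabled modules are validated too.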
@@ -30,7 +31,7 @@ vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc)
########################################
#
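Review bot: The new `.SECONDARY` list is not equivalent to the one it replaces: the old list was derived from `$(mod_pkgs)`, the new one from `$(all_modules)` through `$(all_mod_fc)`, so it appears to cover base and disabled modules as well. The commit message describes this as a simplification only. A short comment such as `# keep the .mod and .mod.fc intermediates of every module; all_mods.fc depends on them` would record that the wider set is intentional.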
@@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+$(tmpdir)/all_mods.fc: $(all_mod_fc)
+ $(verbose) cat $^ > $@
+
########################################
#
# Create a base module package
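Review bot: The `$(tmpdir)/all_mods.fc` recipe redirects straight into `$@`, so a failing `cat` (for instance on an unreadable input) leaves a truncated file with a fresh timestamp. Unless `.DELETE_ON_ERROR:` is set elsewhere in the build, which is not visible in this hunk, the next `make validate` would treat that file as up to date and check an incomplete set of file contexts. Writing through a temporary file closes the gap: `$(verbose) cat $^ > $@.tmp && mv -f $@.tmp $@`.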
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf)
#
# Validate linking and expanding of modules
#
-validate: $(base_pkg) $(mod_pkgs)
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
@echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ @echo "Validating policy file contexts."
+ $(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
@echo "Success."
########################################
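Review bot: The header comment above `validate` still reads `# Validate linking and expanding of modules`, although the target now also runs `setfiles -c` on the concatenated file contexts; it should say so, e.g. `# Validate linking and expanding of modules, and the file contexts`. The link command also repeats the prerequisite list by hand, so a package added to the prerequisites later would silently be left out of the link and of the policy the contexts are checked against. `$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(filter-out $(tmpdir)/all_mods.fc,$^)` keeps the two in step.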