
[Xen-changelog] [xen-unstable] flask/policy: Policy build updates



# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1328196040 0
# Node ID d2c02f12aa82532ccf6321868d57f85b568d6b48
# Parent  80ade5616fc1ccb76a8da3b4eace8b302fdc5219
flask/policy: Policy build updates

Eliminate temporary files used in creating FLASK policy to improve
error reporting during policy build. Syntax errors now point to the
file and line number visible to the user, not the intermediate
temporary file.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---


diff -r 80ade5616fc1 -r d2c02f12aa82 tools/flask/policy/Makefile
--- a/tools/flask/policy/Makefile       Thu Feb 02 15:19:57 2012 +0000
+++ b/tools/flask/policy/Makefile       Thu Feb 02 15:20:40 2012 +0000
@@ -102,9 +102,8 @@
        POLVER +=$(NAME).$(PV)
 endif
 
-
-# determine the policy version and current kernel version if possible
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D 
hide_broken_symptoms
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
 
 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 
@@ -126,9 +125,9 @@
 ALL_TE_FILES := $(ALL_MODULES)
 
 PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
 
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf 
tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf 
tmp/all_post.conf
+POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) 
$(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
 
 ########################################
 #
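Review bot: The `$(error No enabled modules! ...)` guards that sat on the deleted tmp/all_interfaces.conf and tmp/all_te_files.conf rules have no counterpart now that `POLICY_SECTIONS` expands `$(ALL_INTERFACES)` and `$(ALL_TE_FILES)` directly, so an empty modules.conf produces a policy.conf with no interfaces or TE rules instead of a build failure. A check such as `ifeq ($(strip $(ALL_TE_FILES)),)` / `$(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)` / `endif` restores that; at top level it would fire at parse time for every goal including clean, so keeping it as the first recipe line of the policy.conf rule (whose header is outside this hunk) stays closer to the old behaviour. The deleted `sed -e s/dollarsstar/\$$\*/g` pass over the interface files is also gone; if any .if file still spells `dollarsstar`, that token now reaches m4 verbatim.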
@@ -140,7 +139,7 @@
 
 install: $(LOADPATH)
 
-load: tmp/load
+load: .load_stamp
 
 ########################################
 #
@@ -166,11 +165,11 @@
 #
 # Load the binary policy
 #
-tmp/load: reload
-reload: $(LOADPATH) $(FCPATH)
+.load_stamp: reload
+reload: $(LOADPATH)
        @echo "Loading $(NAME) $(LOADPATH)"
        $(QUIET) $(LOADPOLICY) $(LOADPATH)
-       @touch tmp/load
+       @touch .load_stamp
 
 ########################################
 #
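Review bot: The `reload` recipe still writes `.load_stamp`, a file that is not its target, while the `.load_stamp: reload` rule has no recipe of its own, so Make cannot tell which rule produces the stamp. Moving the touch into the stamp rule, `.load_stamp: reload` followed by `	@touch $@`, and dropping `@touch .load_stamp` from `reload` keeps the behaviour while each recipe creates only `$@`. The stamp also moves from tmp/ into the policy source directory; the `clean` rule and the repository's ignore list are outside this hunk, so check that both cover `.load_stamp`.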
@@ -181,50 +180,6 @@
 # checkpolicy can use the #line directives provided by -s for error reporting:
        $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
 
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a 
modules.conf file)
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a 
modules.conf file)
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.  portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/all_post.conf: tmp/only_te_rules.conf
-tmp/only_te_rules.conf: tmp/all_te_files.conf tmp/post_te_files.conf
-       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
-       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
-       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
-       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
-       $(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
-                     -e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" 
\
-                     -e "/^iomemcon/d" < tmp/all_te_files.conf \
-                     > tmp/only_te_rules.conf
-
 ########################################
 #
 # Remove the dontaudit rules from the policy.conf
diff -r 80ade5616fc1 -r d2c02f12aa82 tools/flask/policy/policy/initial_sids
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/initial_sids    Thu Feb 02 15:20:40 2012 +0000
@@ -0,0 +1,12 @@
+# Labels for initial SIDs
+
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
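Review bot: The header comment `# Labels for initial SIDs` does not say why these statements now live outside xen.te. The Makefile hunk appends this file through POST_TE_FILES, presumably so the sid lines are emitted after every module's type declarations; a second comment line such as `# Kept separate from xen.te so these lines follow all type declarations (see POST_TE_FILES in the Makefile)` would record that ordering requirement for the next editor.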
diff -r 80ade5616fc1 -r d2c02f12aa82 
tools/flask/policy/policy/modules/xen/xen.te
--- a/tools/flask/policy/policy/modules/xen/xen.te      Thu Feb 02 15:19:57 
2012 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.te      Thu Feb 02 15:20:40 
2012 +0000
@@ -162,16 +162,6 @@
 # Labels for initial SIDs and system role
 #
 
################################################################################
-sid xen gen_context(system_u:system_r:xen_t,s0)
-sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domxen gen_context(system_u:system_r:domxen_t,s0)
-sid domio gen_context(system_u:system_r:domio_t,s0)
-sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
-sid security gen_context(system_u:system_r:security_t,s0)
-sid irq gen_context(system_u:object_r:irq_t,s0)
-sid iomem gen_context(system_u:object_r:iomem_t,s0)
-sid ioport gen_context(system_u:object_r:ioport_t,s0)
-sid device gen_context(system_u:object_r:device_t,s0)
 
 role system_r;
 role system_r types { xen_type domain_type };
