commit: f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Feb 27 21:02:52 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar 2 10:16:50 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f95f7ed0
Make "validate" target verify file contexts
When I synchronized my personal policy with the git master branch, "git
rebase" merged the file contexts I have defined for some systemd
components with the ones which have recently been merged. This resulted
in duplicated file contexts in systemd.fc, which made the policy unable
to be loaded.
This issue has not been detected by "make validate" because this command
only verifies policy linking, not the correctness of the file contexts.
Moreover this behavior of "make validate" only happens when building a
modular policy. Indeed Rules.monolithic calls setfiles in order to
validate the file contexts:
validate: $(fc) $(polver)
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(polver) $(fc)
@echo "Success."
Invoke setfiles in Rules.modular too in order to catch issues in file
contexts with "make validate". With the issue I experienced, I would
have got the following message:
Validating policy file contexts.
/sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
tmp/all_mods.fc: Multiple same specifications for
/run/systemd/machines(/.*)?.
tmp/all_mods.fc: Invalid argument
make: *** [Rules.modular:210: validate] Error 1
While at it, simplify .SECONDARY definition with a newly-introduced
$(all_mod_fc) variable.
Rules.modular | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index 60fe5549..49d3cca9 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -5,6 +5,7 @@
all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)
+all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc)))
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
@@ -30,7 +31,7 @@ vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix
$(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc)
########################################
#
@@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+$(tmpdir)/all_mods.fc: $(all_mod_fc)
+ $(verbose) cat $^ > $@
+
########################################
#
# Create a base module package
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf)
#
# Validate linking and expanding of modules
#
-validate: $(base_pkg) $(mod_pkgs)
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
@echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+ @echo "Validating policy file contexts."
+ $(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
@echo "Success."
########################################
