#
# Makefile for the security policy.
#
# Targets:
# 
# install - compile and install the policy configuration.
# load    - compile, install, and load the policy configuration.
# reload  - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy  - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#

# Set to y if MLS is enabled in the module.
MLS=n

FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY  = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
SETFILES = $(SBINDIR)/setfiles

POLICYVER := policy.$(shell $(CHECKPOLICY) -V)
INSTALLDIR = $(DESTDIR)/etc/security/selinux
LOADPATH = $(INSTALLDIR)/$(POLICYVER)
SRCINSTALLDIR = $(INSTALLDIR)/src
POLICYCONF = $(SRCINSTALLDIR)/policy.conf

POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
endif
POLICYFILES += tmp/te-rbac.m4
POLICYFILES += users 
POLICYFILES += tmp/constraints-contexts.m4

UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

FC = file_contexts/file_contexts
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))

APPDIR=$(DESTDIR)/etc/security
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context)

install: $(APPFILES) $(LOADPATH) 

$(APPDIR)/default_contexts: appconfig/default_contexts
	install -m 644 $< $@

$(APPDIR)/default_type: appconfig/default_type
	install -m 644 $< $@

$(APPDIR)/initrc_context: appconfig/initrc_context
	install -m 644 $< $@

$(LOADPATH):  $(POLICYCONF) $(CHECKPOLICY)
	mkdir -p $(INSTALLDIR)
	$(CHECKPOLICY) -o $@ $(POLICYCONF)
# Note: Can't use install, so not sure how to deal with mode, user, and group
#	other than by default.

policy: $(POLICYVER)

$(POLICYVER):  policy.conf $(CHECKPOLICY)
	$(CHECKPOLICY) -o $@ policy.conf

$(POLICYCONF): policy.conf 
	mkdir -p $(SRCINSTALLDIR)
	install -m 644 policy.conf $@

reload tmp/load: $(LOADPATH)
	$(LOADPOLICY) $(LOADPATH)
	touch tmp/load

load: tmp/load

policy.conf: $(POLICYFILES) 
	mkdir -p tmp
	cat $^ > $@

install-src: 
	rm -rf $(SRCINSTALLDIR)/policy.old
	-mv $(SRCINSTALLDIR)/policy $(SRCINSTALLDIR)/policy.old
	mkdir -p $(SRCINSTALLDIR)/policy
	cp -R . $(SRCINSTALLDIR)/policy

ALLTEFILES := attrib.te tmp/program_used_flags.te tmp/all_macros.te tmp/all_types.te tmp/all_domains.te assert.te 
TE_RBAC_MACRO_FILES := tmp/all.te rbac
CONSTRAINT_CONTEXT_MACRO_FILES := tmp/program_used_flags.te tmp/all_macros.te constraints initial_sid_contexts fs_use genfs_contexts net_contexts

tmp/te-rbac.m4: $(TE_RBAC_MACRO_FILES)
	m4 -Imacros -s $^ > $@

tmp/constraints-contexts.m4: $(CONSTRAINT_CONTEXT_MACRO_FILES)
	m4 -Imacros -s $^ > $@

tmp/all.te: $(ALLTEFILES)
	cat $^ > $@

tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
	mkdir -p tmp
	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@
	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@

tmp/all_macros.te:  macros $(wildcard macros/*.te) tmp/all_program_macros.te
	cat $(wildcard macros/*.te) tmp/all_program_macros.te > $@

tmp/all_program_macros.te: macros/program $(wildcard macros/program/*.te)
	cat $(wildcard macros/program/*.te) > $@

tmp/all_types.te: $(wildcard types/*.te) types
	cat types/*.te > $@

tmp/all_domains.te: $(wildcard domains/*.te domains/misc/*.te domains/program/*.te) domains domains/misc domains/program
	cat domains/*.te domains/misc/*.te domains/program/*.te > $@

relabel:  $(FC) $(SETFILES)
	$(SETFILES) $(FC) `mount | awk '/ext[23]/{print $$3}'`

reset:  $(FC) $(SETFILES)
	$(SETFILES) -R $(FC) `mount | awk '/ext[23]/{print $$3}'`

$(FC): $(FCFILES) file_contexts/program 
	cat $(FCFILES) > $@

clean:
	rm -f policy.conf
	rm -f tmp/*
	rm -f $(FC)
# for the policy regression tester
	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \

# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
cur_te = $(filter-out %/,$(subst /,/ ,$@))

TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))

define compute_depends
  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef


ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
  GENRULES := $(TESTED_TE_FILES)
  export TE_DEPENDS_DEFINED := yes
else
  # Handle the case where checkunused/blah.te is run directly.
  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
    GENRULES := $(TESTED_TE_FILES)
    export TE_DEPENDS_DEFINED := yes
  endif
endif
endif

# Test for a new enough version of GNU Make.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
  ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
  endif
endif
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))

PHONIES :=

define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
	@if ! test -L domains/program/$(1); then \
	  cd domains/program && ln -s unused/$(1) .; \
	fi
endef

# Compute dependencies.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))

PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
	@$(MAKE) -s clean

$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
	fi
	@echo "Testing $(cur_te)...";
	@if ! make -s policy 1>/dev/null; then \
	  echo "Testing $(cur_te)...FAILED"; \
	  exit 1; \
	fi;
	@echo "Testing $(cur_te)...success."; \

check-all:
	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
	  $(MAKE) --no-print-directory $$goal; \
	done

.PHONY: clean $(PHONIES)
