flask/policy: Policy build updates

Eliminate temporary files used in creating FLASK policy to improve
error reporting during policy build. Syntax errors now point to the
file and line number visible to the user, not the intermediate
temporary file.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index a27c813fb0b5c8000cb051976ac6f8f579f43af5..5c25cbe9521e9237d75e089ab2565a1f8209b356 100644 (file)
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -102,9 +102,8 @@ else
        POLVER +=$(NAME).$(PV)
 endif
 
-
-# determine the policy version and current kernel version if possible
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
 
 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 
@@ -126,9 +125,9 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if)
 ALL_TE_FILES := $(ALL_MODULES)
 
 PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
 
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
 
 ########################################
 #
@@ -140,7 +139,7 @@ policy: $(POLVER)
 
 install: $(LOADPATH)
 
-load: tmp/load
+load: .load_stamp
 
 ########################################
 #
@@ -166,11 +165,11 @@ $(LOADPATH): policy.conf
 #
 # Load the binary policy
 #
-tmp/load: reload
-reload: $(LOADPATH) $(FCPATH)
+.load_stamp: reload
+reload: $(LOADPATH)
        @echo "Loading $(NAME) $(LOADPATH)"
        $(QUIET) $(LOADPOLICY) $(LOADPATH)
-       @touch tmp/load
+       @touch .load_stamp
 
 ########################################
 #
@@ -181,50 +180,6 @@ policy.conf: $(POLICY_SECTIONS)
 # checkpolicy can use the #line directives provided by -s for error reporting:
        $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
 
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.  portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/all_post.conf: tmp/only_te_rules.conf
-tmp/only_te_rules.conf: tmp/all_te_files.conf tmp/post_te_files.conf
-       $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
-       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
-       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
-       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
-       $(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
-                      tmp/all_post.conf || true
-       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
-                     -e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" \
-                     -e "/^iomemcon/d" < tmp/all_te_files.conf \
-                     > tmp/only_te_rules.conf
-
 ########################################
 #
 # Remove the dontaudit rules from the policy.conf

diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
new file mode 100644 (file)
index 0000000..b70a54e
--- /dev/null
+++ b/tools/flask/policy/policy/initial_sids
@@ -0,0 +1,12 @@
+# Labels for initial SIDs
+
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index c5e0883e69f0da6fe4ac3fa98c01ff6b49f730fc..ac52c3fd99ec78919872641bb98e0de233806971 100644 (file)
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -162,16 +162,6 @@ neverallow * ~event_type:event { create send status };
 # Labels for initial SIDs and system role
 #
 ################################################################################
-sid xen gen_context(system_u:system_r:xen_t,s0)
-sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domxen gen_context(system_u:system_r:domxen_t,s0)
-sid domio gen_context(system_u:system_r:domio_t,s0)
-sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
-sid security gen_context(system_u:system_r:security_t,s0)
-sid irq gen_context(system_u:object_r:irq_t,s0)
-sid iomem gen_context(system_u:object_r:iomem_t,s0)
-sid ioport gen_context(system_u:object_r:ioport_t,s0)
-sid device gen_context(system_u:object_r:device_t,s0)
 
 role system_r;
 role system_r types { xen_type domain_type };