-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | Rules.monolithic | 15 | ||||
-rw-r--r-- | support/selinux_binary_policy_path.py | 12 |
3 files changed, 27 insertions, 1 deletions
@@ -97,6 +97,7 @@ genxml := $(PYTHON) $(support)/segenxml.py
 gendoc := $(PYTHON) $(support)/sedoctool.py
 genperm := $(PYTHON) $(support)/genclassperms.py
 policyvers := $(PYTHON) $(support)/policyvers.py
+binary_policy_path := $(PYTHON) $(support)/selinux_binary_policy_path.py
 fcsort := $(PYTHON) $(support)/fc_sort.py
 setbools := $(AWK) -f $(support)/set_bools_tuns.awk
 get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
diff --git a/Rules.monolithic b/Rules.monolithic
index a8ae98d12..7dbc2e1cf 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -13,6 +13,12 @@ ifeq "$(kv)" ""
 kv := $(pv)
 endif
+# load_policy(8) loads policy from /etc/selinux/<SELINUXTYPE>/policy/policy.$(pv)
+# It does this by reading the /etc/selinux/config file SELINUXTYPE entry to
+# form the full path. $(polbinpath) will contain this evaluated path for use as
+# a validation check.
+polbinpath := $(shell $(binary_policy_path))
+
 policy_conf = $(builddir)policy.conf
 fc = $(builddir)file_contexts
 polver = $(builddir)policy.$(pv)
@@ -91,9 +97,16 @@ endif
 # Load the binary policy
 #
 reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ifneq ($(DESTDIR),)
+ $(error Cannot load policy as '$$DESTDIR' is set to $(DESTDIR), \
+ creating an invalid policy load path)
+endif
+ifneq ($(polbinpath).$(pv),$(loadpath))
+ $(error Cannot load policy as invalid policy path: $(polbinpath).$(pv) - \
+ Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)")
+endif
 @echo "Loading $(NAME) $(loadpath)"
 $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
 ########################################
 #
diff --git a/support/selinux_binary_policy_path.py b/support/selinux_binary_policy_path.py
new file mode 100644
index 000000000..a30eb9b6b
--- /dev/null
+++ b/support/selinux_binary_policy_path.py
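Review bot: In Rules.monolithic, hunk `@@ -91,9 +97,16 @@`, the guard `ifneq ($(polbinpath).$(pv),$(loadpath))` also fires when `$(polbinpath)` is empty, which is what the helper script yields when the selinux Python module cannot be imported or SELinux is disabled. Refusing the load in that case is the safe outcome, but the message then points at the SELINUXTYPE entry in the config file, which is not the cause. I would add a separate check ahead of the comparison, `ifeq ($(strip $(polbinpath)),)` with its own `$(error Cannot determine the binary policy path: SELinux is disabled or the python3 selinux module is missing)` and `endif`. The hunk also appears to drop `@touch $(tmpdir)/load`, so the `$(tmpdir)/load` file target is no longer created by its own recipe; if reloading on every invocation is the intent, a comment such as `# no stamp file: always reload when asked` would record it.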
@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+try:
+ import warnings
+ with warnings.catch_warnings():
+ warnings.filterwarnings("ignore", category=PendingDeprecationWarning)
+ import selinux
+
+ if selinux.is_selinux_enabled():
+ print(selinux.selinux_binary_policy_path())
+except ImportError:
+ exit(0) |
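Review bot: The `except ImportError:` branch in support/selinux_binary_policy_path.py ends with `exit(0)`, which is the helper installed by the `site` module rather than `sys.exit`, and it leaves no trace of why nothing was printed. Because Rules.monolithic compares this script's output against the load path, I would `import sys` at the top and make the branch `print("selinux Python module not found", file=sys.stderr)` followed by `sys.exit(0)`, so a refused load can be traced to its cause. Only ImportError is handled, so any other exception raised by the selinux calls would presumably surface as a traceback on stderr and an empty value on the make side; a comment saying whether that is intended would help. A short module docstring stating that the script prints the policy path without the `.<version>` suffix, or nothing at all, would document the contract the make check relies on.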