Makefile: add target rebuild-interface-db

Makefile

@@ -62,6 +62,7 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
@@ -228,6 +229,8 @@ MCS_CATS ?= 1024
 
 ifeq ($(QUIET),y)
 	verbose = @
+else
+	VERBOSE_FLAG = --verbose
 endif
 
 M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
@@ -554,6 +557,14 @@ endif
 	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
 
+########################################
+#
+# Build policy interface database
+#
+build-interface-db: install-headers
+	@mkdir -p $(DESTDIR)/var/lib/sepolgen $(tmpdir)
+	$(verbose) $(SEPOLGEN_IFGEN) $(VERBOSE_FLAG) --interfaces $(headerdir) --output $(DESTDIR)/var/lib/sepolgen/interface_info
+
 ########################################
 #
 # Install policy documentation
@@ -657,4 +668,4 @@ ifneq ($(generated_fc),)
 endif
 endif
 
-.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
+.PHONY: install-src install-appconfig install-headers build-interface-db generate xml conf html bare tags

README

@@ -60,6 +60,11 @@ install-headers		Install the policy headers into /usr/share/selinux/NAME.
 			for this policy configuration should be set before
 			using this target.
 
+build-interface-db	Build the policy interface database with
+			'sepolgen-ifgen'.  This database is required for
+			reference style policy generation by
+			'audit2allow --reference'.
+
 Make targets specific to monolithic policies:
 
 policy			Compile a policy locally for development and testing.

policy/modules/kernel/devices.if

@@ -2802,7 +2802,7 @@ interface(`dev_read_raw_memory_cond',`
 	')
 
 	typeattribute $1 memory_raw_read;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		read_chr_files_pattern($1, device_t, memory_device_t)
 		allow $1 self:capability sys_rawio;
 	')
@@ -2880,7 +2880,7 @@ interface(`dev_write_raw_memory_cond',`
 	')
 
 	typeattribute $1 memory_raw_write;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		write_chr_files_pattern($1, device_t, memory_device_t)
 		allow $1 self:capability sys_rawio;
 	')
@@ -2956,7 +2956,7 @@ interface(`dev_wx_raw_memory_cond',`
 
 	typeattribute $1 memory_raw_write;
 	dev_write_raw_memory_cond($1, $2)
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		allow $1 memory_device_t:chr_file { map execute };
 	')
 ')

policy/modules/kernel/storage.if

@@ -130,7 +130,7 @@ interface(`storage_raw_read_fixed_disk_cond',`
 	')
 
 	typeattribute $1 fixed_disk_raw_read;
-	tunable_policy($2, `
+	tunable_policy(`$2', `
 		dev_list_all_dev_nodes($1)
 		allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
 		allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;

policy/modules/services/apache.if

@@ -32,7 +32,7 @@ template(`apache_content_template',`
 	##	be labeled public_content_rw_t.
 	##	</p>
 	## </desc>
-	gen_tunable(allow_httpd_$1_script_anon_write, false)
+	gen_tunable(`allow_httpd_$1_script_anon_write', false)
 
 	type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 	files_type(httpd_$1_content_t)