# Copyright (C) 2020-2022 Musarubra US LLC. All Rights Reserved.
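# Root of the SELinux policy development files; may be overridden from the
# command line or the environment.
POLDEV ?= /usr/share/selinux/devel
SEMODULE = /usr/sbin/semodule
# Version of the installed selinux-policy-devel package: the package-name
# prefix is stripped, then everything from the first match of `.el` onward
# (the dot is an unescaped regex wildcard). The value names the
# selinux-<version> directory that copypolicy deletes with `rm -rf` and
# recreates.
# Simply expanded (:=) so rpm is queried once, at parse time, and every recipe
# line that builds the directory name sees the same value.
# NOTE(review): the value is empty when rpm prints nothing on stdout and holds
# several words when rpm prints more than one line; confirm both cases are
# acceptable for the recipes that use it.
SELINUX_VERSION := $(shell rpm -q selinux-policy-devel | sed -e 's/selinux-policy-devel-//g' -e 's/.el.*//g')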

# Policy inputs: every type-enforcement (.te) and file-context (.fc) file in
# the current directory.
SOURCES = $(wildcard *.te *.fc)
# One compiled policy package (.pp) per .te file, in sorted order.
te_modules = $(sort $(wildcard *.te))
TARGETS = $(te_modules:.te=.pp)

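# Probe the installed policy headers: does a line naming all_file_perms also
# mention "map"? The answer selects which m4 define is handed to the policy
# build, so it decides which permission-dependent rules end up in the modules.
# The pattern is single-quoted so the shell cannot glob-expand ".*" against a
# file in the build directory before grep sees it.
# If all_perms.spt cannot be read, grep fails and the build continues with
# no_map_permission_defined.
ifeq ($(shell grep -q 'all_file_perms.*map' "$(POLDEV)/include/support/all_perms.spt" && echo true),true)
M4PARAM = -D map_permission_defined
else
M4PARAM = -D no_map_permission_defined
endif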

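# Probe the installed policy headers: does a line naming all_system_perms also
# mention "module_load"? If so, tell the policy sources via an m4 define.
# The pattern is single-quoted so the shell cannot glob-expand ".*" against a
# file in the build directory before grep sees it.
# If all_perms.spt cannot be read, grep fails and the define is left out.
ifeq ($(shell grep -q 'all_system_perms.*module_load' "$(POLDEV)/include/support/all_perms.spt" && echo true),true)
M4PARAM += -D module_load_permission_defined
endif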

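# Probe the installed policy headers for all_netlink_netfilter_socket_perms.
# The trailing ".*" matches anything, so any line containing the name
# satisfies the probe.
# The pattern is single-quoted so the shell cannot glob-expand ".*" against a
# file in the build directory before grep sees it.
# If all_perms.spt cannot be read, grep fails and the define is left out.
ifeq ($(shell grep -q 'all_netlink_netfilter_socket_perms.*' "$(POLDEV)/include/support/all_perms.spt" && echo true),true)
M4PARAM += -D all_netlink_netfilter_socket_perms_defined
endif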

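# Add watch permission which got introduced in RHEL 9.
# The probe looks for a line naming all_dir_perms that also mentions "watch".
# The pattern is single-quoted so the shell cannot glob-expand ".*" against a
# file in the build directory before grep sees it.
# If all_perms.spt cannot be read, grep fails and the define is left out.
ifeq ($(shell grep -q 'all_dir_perms.*watch' "$(POLDEV)/include/support/all_perms.spt" && echo true),true)
M4PARAM += -D dir_mount_watch_perms_defined
endif

# Put the collected defines into the environment of every recipe, including
# the sub-make that runs $(POLDEV)/Makefile.
# NOTE(review): presumably that makefile passes M4PARAM on to m4; confirm.
export M4PARAM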

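# Default goal: build every policy package, stage the results into
# selinux-<version>/, then remove the intermediate build products.
# The three steps only work in the listed order, and nothing but their
# left-to-right position expresses that order. Parallel execution is therefore
# disabled for this makefile: under `make -j`, clean could otherwise delete
# the .pp files while they are still being built or staged, leaving an
# incomplete policy set in the output directory.
.NOTPARALLEL:
# all is a command, not a file; a stray file named "all" must not satisfy it.
.PHONY: all
all: $(TARGETS) copypolicy clean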

# Only targeted SELinux policies are supported
# Every .pp is produced by one run of the policy development makefile under
# $(POLDEV), invoked with NAME=targeted. The recipe stops with an error when
# the development directory is missing or when the sub-make fails, and
# otherwise prints the m4 defines that were exported to the sub-make.
$(TARGETS): $(SOURCES)
	@[ -d $(POLDEV) ] || { \
		echo "ERROR: You must have selinux-policy-devel installed."; \
		exit 1; \
	}; \
	$(MAKE) NAME=targeted -f $(POLDEV)/Makefile $(TARGETS) || exit 1; \
	echo "Exported M4PARAM $(M4PARAM)"

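# Stage the built modules: recreate selinux-<version>/, rename each .pp to
# .pp.targeted and copy the renamed files into that directory.
# copypolicy is a command, not a file.
.PHONY: copypolicy
copypolicy:
	# Refuse a multi-word version: unquoted, its extra words would become
	# separate arguments to rm -rf, mkdir and cp below.
	$(if $(word 2,$(SELINUX_VERSION)),$(error SELINUX_VERSION must be a single word but is "$(SELINUX_VERSION)"))
	rm -rf selinux-$(SELINUX_VERSION)
	mkdir -p selinux-$(SELINUX_VERSION)
	# Chain the renames with && so the first failed mv fails the recipe; with
	# ';' only the last status counted and a missing module went unnoticed.
	$(foreach target,$(TARGETS),/bin/mv -v $(target) $(target).targeted &&) true
	/bin/cp -vf *.pp.targeted selinux-$(SELINUX_VERSION)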

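# Remove build products from the current directory: compiled modules (*.pp),
# their renamed copies (*.pp.*) and tmp.
# Declared phony so a stray file named "clean" cannot turn this into a no-op
# and leave stale modules behind.
.PHONY: clean
clean:
	rm -rf *.pp *.pp.* tmp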

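# Rebuild the policy packages from scratch without staging them.
# clean must finish before the packages are built; only the left-to-right
# prerequisite order expresses that, so this goal is correct in a serial
# build only.
# policy is a command, not a file.
.PHONY: policy
policy: clean $(TARGETS)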
