diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000000000..59f3e2c04
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,158 @@
+name: Build tests
+
+on:
+ push:
+ branches: [ $default-branch ]
+ pull_request:
+ branches: [ $default-branch ]
+
+env:
+ SELINUX_USERSPACE_VERSION: checkpolicy-3.1
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # This version should be the minimum required to run the fc checker
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update -qq
+
+ # Install SELint from Debian testing
+ wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
+ sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
+ sudo apt-get install -qqy selint
+ selint -V
+
+ - name: Create generated policy files
+ run: |
+ make conf
+ make generate
+
+ - name: Run file context checker
+ run: python3 -t -t -E -W error testing/check_fc_files.py
+
+ - name: Run SELint
+ run: |
+ # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
+ # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
+ selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
+
+ build:
+ runs-on: ubuntu-latest
+
+ needs: lint
+
+ strategy:
+ fail-fast: false
+
+ matrix:
+ build-opts:
+ - {type: standard, distro: redhat, monolithic: y, systemd: y}
+ - {type: standard, distro: redhat, monolithic: n, systemd: y}
+ - {type: standard, distro: debian, monolithic: y, systemd: y}
+ - {type: standard, distro: debian, monolithic: n, systemd: y}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n}
+ - {type: standard, distro: gentoo, monolithic: n, systemd: n}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y}
+ - {type: mcs, distro: redhat, monolithic: n, systemd: y}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y}
+ - {type: mcs, distro: debian, monolithic: n, systemd: y}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n}
+ - {type: mcs, distro: gentoo, monolithic: n, systemd: n}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y}
+ - {type: mls, distro: redhat, monolithic: n, systemd: y}
+ - {type: mls, distro: debian, monolithic: y, systemd: y}
+ - {type: mls, distro: debian, monolithic: n, systemd: y}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n}
+ - {type: mls, distro: gentoo, monolithic: n, systemd: n}
+ - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
+ - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
+ - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
+ - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
+
+ steps:
+ - uses: actions/checkout@v2
+
+ # This should be the minimum required Python version to build refpolicy.
+ - name: Set up Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.5
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update -qq
+ sudo apt-get install -qqy \
+ bison \
+ flex \
+ gettext \
+ libaudit-dev \
+ libbz2-dev \
+ libpcre3-dev \
+ libxml2-utils \
+ swig
+
+ - name: Configure environment
+ run: |
+ echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
+ echo "PYTHON=python" >> $GITHUB_ENV
+ echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
+ echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
+ echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
+ echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
+ echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
+ echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
+ echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
+ echo "WERROR=y" >> $GITHUB_ENV
+
+ - name: Build toolchain
+ run: |
+ # Download current SELinux userspace tools and libraries
+ git clone https://github.com/SELinuxProject/selinux.git ${TEST_TOOLCHAIN_SRC} -b ${SELINUX_USERSPACE_VERSION}
+ # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+ sed -i -e 's/secilc//' ${TEST_TOOLCHAIN_SRC}/Makefile
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ sed -i -e 's/sepolicy//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+ # Drop restorecond to break glib dependence
+ sed -i -e 's/ restorecond//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+ # Drop sandbox to break libcap-ng dependence
+ sed -i -e 's/ sandbox//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+ # Compile and install SELinux toolchain
+ make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${TEST_TOOLCHAIN_SRC} install
+
+ - name: Build refpolicy
+ run: |
+ # Drop build.conf settings to listen to env vars
+ sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
+
+ make bare
+ make conf
+ make
+ make validate
+
+ - name: Build docs
+ run: |
+ make xml
+ make html
+
+ - name: Test installation
+ run: |
+ make install
+ make install-headers
+ make install-src
+ make install-docs
+ make install-appconfig
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100755
index 08b00a19d..000000000
--- a/.travis.yml
+++ /dev/null
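Review bot: `branches: [ $default-branch ]` under both `push` and `pull_request` is a starter-template placeholder that GitHub only substitutes when a workflow is created from its template UI; committed as-is it is a literal branch name, so as written neither trigger should ever fire and it needs the real branch, e.g. `branches: [ <default-branch-name> ]`. The actions are referenced by mutable tag (`actions/checkout@v2`, `actions/setup-python@v2`); pinning each to a full-length commit SHA with the tag kept in a trailing comment makes the run reproducible and protects the build against a moved tag. The matrix values `monolithic: y`/`n` and `systemd: y`/`n` are booleans on YAML 1.1 parsers and would then be interpolated as `MONOLITHIC=true` in the "Configure environment" step, which the Makefile's y/n checks would presumably not accept; quoting them (`monolithic: "y"`) removes the ambiguity, and `python-version: 3.7`/`3.5` deserve the same before a `3.10` is ever added. In the lint job's "Install dependencies" step, `apt-key add` trusts the downloaded Debian key for every apt source on the runner and Debian testing is added unpinned next to the Ubuntu sources, so the later `apt-get install` calls may draw packages from either; binding the key with `signed-by=` and pinning that source to `selint` only would narrow what the runner can pull in.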
@@ -1,139 +0,0 @@
-# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
-
-language: python
-python: 3.5
-
-env:
- - TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
- - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
- - TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
- - TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
- - TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
- - TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
- - TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
-
-jobs:
- fast_finish: true
- include:
- - python: 3.7
- env: LINT=true TYPE=standard
-
-os: linux
-dist: bionic
-
-cache:
- directories:
- - ${TRAVIS_BUILD_DIR}/selinux
-
-addons:
- apt:
- packages:
- # Install SELinux userspace utilities dependencies
- - bison
- - flex
- - gettext
- - libaudit-dev
- - libbz2-dev
- - libpcre3-dev
- - swig
- - libxml2-utils
-
-before_install:
- - lsb_release -a
- - bison -V
- - flex -V
- - swig -version
- - python3 -V
-
-install:
- - SELINUX_USERSPACE_VERSION=master
-
- - export DESTDIR="${TRAVIS_BUILD_DIR}/selinux"
- - |
- if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
- rm -fR selinux-src
-
- # Download current SELinux userspace tools and libraries
- git clone https://github.com/SELinuxProject/selinux.git selinux-src -b ${SELINUX_USERSPACE_VERSION}
- mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
-
- # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
- sed -i -e 's/secilc//' selinux-src/Makefile
-
- # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
-
- # Drop restorecond to break glib dependence
- sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
-
- # Drop sandbox to break libcap-ng dependence
- sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
-
- # Compile and install SELinux toolchain into ~/selinux
- make OPT_SUBDIRS=semodule-utils -C selinux-src install
- echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
- fi
-
- # Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
- - export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
-
- # Drop build.conf settings to listen to env vars
- - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
-
- - |
- if [ -n "$LINT" ] ; then
- # Install SELint from Debian testing
- wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
- sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
- sudo apt-get update -q
- sudo apt-get install -y selint
-
- selint -V
- fi
-
-script:
- - echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR
- - set -e
- - make bare
- - make conf
- - |
- if [ -n "$LINT" ] ; then
- # Run filecontext checker
- python3 -t -t -E -W error testing/check_fc_files.py
-
- # Run SELint
- # disable C-005 (Permissions in av rule or class declaration not ordered) for now: has 712 findings
- # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
- selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
-
- exit 0
- fi
- - make
- - make validate
- - make xml
- - make html
- - make DESTDIR=${HOME}/tmp install
- - make DESTDIR=${HOME}/tmp install-headers
- - make DESTDIR=${HOME}/tmp install-src
- - make DESTDIR=${HOME}/tmp install-docs
- - make DESTDIR=${HOME}/tmp install-appconfig