Switch to GitHub actions for CI actions.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
parent
fe29a74cad
commit
e7b9598865
|
@ -0,0 +1,158 @@
|
|||
name: Build tests
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ $default-branch ]
|
||||
pull_request:
|
||||
branches: [ $default-branch ]
|
||||
|
||||
env:
|
||||
SELINUX_USERSPACE_VERSION: checkpolicy-3.1
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# This version should be the minimum required to run the fc checker
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.7
|
||||
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
sudo apt-get update -qq
|
||||
|
||||
# Install SELint from Debian testing
|
||||
wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
|
||||
sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
|
||||
sudo apt-get install -qqy selint
|
||||
selint -V
|
||||
|
||||
- name: Create generated policy files
|
||||
run: |
|
||||
make conf
|
||||
make generate
|
||||
|
||||
- name: Run file context checker
|
||||
run: python3 -t -t -E -W error testing/check_fc_files.py
|
||||
|
||||
- name: Run SELint
|
||||
run: |
|
||||
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
|
||||
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
|
||||
selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
needs: lint
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
||||
matrix:
|
||||
build-opts:
|
||||
- {type: standard, distro: redhat, monolithic: y, systemd: y}
|
||||
- {type: standard, distro: redhat, monolithic: n, systemd: y}
|
||||
- {type: standard, distro: debian, monolithic: y, systemd: y}
|
||||
- {type: standard, distro: debian, monolithic: n, systemd: y}
|
||||
- {type: standard, distro: gentoo, monolithic: y, systemd: n}
|
||||
- {type: standard, distro: gentoo, monolithic: n, systemd: n}
|
||||
- {type: mcs, distro: redhat, monolithic: y, systemd: y}
|
||||
- {type: mcs, distro: redhat, monolithic: n, systemd: y}
|
||||
- {type: mcs, distro: debian, monolithic: y, systemd: y}
|
||||
- {type: mcs, distro: debian, monolithic: n, systemd: y}
|
||||
- {type: mcs, distro: gentoo, monolithic: y, systemd: n}
|
||||
- {type: mcs, distro: gentoo, monolithic: n, systemd: n}
|
||||
- {type: mls, distro: redhat, monolithic: y, systemd: y}
|
||||
- {type: mls, distro: redhat, monolithic: n, systemd: y}
|
||||
- {type: mls, distro: debian, monolithic: y, systemd: y}
|
||||
- {type: mls, distro: debian, monolithic: n, systemd: y}
|
||||
- {type: mls, distro: gentoo, monolithic: y, systemd: n}
|
||||
- {type: mls, distro: gentoo, monolithic: n, systemd: n}
|
||||
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
|
||||
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
|
||||
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
|
||||
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
# This should be the minimum required Python version to build refpolicy.
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.5
|
||||
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
sudo apt-get update -qq
|
||||
sudo apt-get install -qqy \
|
||||
bison \
|
||||
flex \
|
||||
gettext \
|
||||
libaudit-dev \
|
||||
libbz2-dev \
|
||||
libpcre3-dev \
|
||||
libxml2-utils \
|
||||
swig
|
||||
|
||||
- name: Configure environment
|
||||
run: |
|
||||
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
|
||||
echo "PYTHON=python" >> $GITHUB_ENV
|
||||
echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
|
||||
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
|
||||
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
|
||||
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
|
||||
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
|
||||
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
|
||||
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
|
||||
echo "WERROR=y" >> $GITHUB_ENV
|
||||
|
||||
- name: Build toolchain
|
||||
run: |
|
||||
# Download current SELinux userspace tools and libraries
|
||||
git clone https://github.com/SELinuxProject/selinux.git ${TEST_TOOLCHAIN_SRC} -b ${SELINUX_USERSPACE_VERSION}
|
||||
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
|
||||
sed -i -e 's/secilc//' ${TEST_TOOLCHAIN_SRC}/Makefile
|
||||
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
|
||||
sed -i -e 's/sepolicy//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
||||
# Drop restorecond to break glib dependence
|
||||
sed -i -e 's/ restorecond//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
||||
# Drop sandbox to break libcap-ng dependence
|
||||
sed -i -e 's/ sandbox//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
||||
# Compile and install SELinux toolchain
|
||||
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${TEST_TOOLCHAIN_SRC} install
|
||||
|
||||
- name: Build refpolicy
|
||||
run: |
|
||||
# Drop build.conf settings to listen to env vars
|
||||
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
|
||||
|
||||
make bare
|
||||
make conf
|
||||
make
|
||||
make validate
|
||||
|
||||
- name: Build docs
|
||||
run: |
|
||||
make xml
|
||||
make html
|
||||
|
||||
- name: Test installation
|
||||
run: |
|
||||
make install
|
||||
make install-headers
|
||||
make install-src
|
||||
make install-docs
|
||||
make install-appconfig
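Review bot: The `branches: [ $default-branch ]` filters under both `push:` and `pull_request:` use a placeholder that, as far as I know, GitHub substitutes only in workflow templates. In a committed workflow file it is matched literally, so neither the lint nor the build job would be triggered and the policy checks would silently stop gating changes. Name the branch explicitly, e.g. `branches: [ <default-branch-name> ]`, with the repository's real default branch in place of the placeholder. Separately, the lint job's "Install dependencies" step pipes a key fetched with `wget ... 2>/dev/null` into `apt-key add -` and enables all of Debian testing over `http://`, which hides download errors and trusts that key for every apt source on the runner. A dedicated keyring referenced with `signed-by=`, plus an apt pin that admits only `selint`, would narrow that trust.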
|
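--- a/.travis.yml
+++ b/.travis.yml
@@ -1,139 +0,0 @@
-# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
-
-language: python
-python: 3.5
-
-env:
-- TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=standard DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=standard DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
-- TYPE=standard DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
-- TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=mcs DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=mcs DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
-- TYPE=mcs DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
-- TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=mls DISTRO=redhat MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y
-- TYPE=mls DISTRO=debian MONOLITHIC=n SYSTEMD=y WERROR=y
-- TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y
-- TYPE=mls DISTRO=gentoo MONOLITHIC=n SYSTEMD=n WERROR=y
-- TYPE=standard DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=standard DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=standard DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
-- TYPE=mcs DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=mcs DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=mcs DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
-- TYPE=mls DISTRO=redhat MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=mls DISTRO=debian MONOLITHIC=y SYSTEMD=y WERROR=y APPS_OFF=unconfined
-- TYPE=mls DISTRO=gentoo MONOLITHIC=y SYSTEMD=n WERROR=y APPS_OFF=unconfined
-
-jobs:
-fast_finish: true
-include:
-- python: 3.7
-env: LINT=true TYPE=standard
-
-os: linux
-dist: bionic
-
-cache:
-directories:
-- ${TRAVIS_BUILD_DIR}/selinux
-
-addons:
-apt:
-packages:
-# Install SELinux userspace utilities dependencies
-- bison
-- flex
-- gettext
-- libaudit-dev
-- libbz2-dev
-- libpcre3-dev
-- swig
-- libxml2-utils
-
-before_install:
-- lsb_release -a
-- bison -V
-- flex -V
-- swig -version
-- python3 -V
-
-install:
-- SELINUX_USERSPACE_VERSION=master
-
-- export DESTDIR="${TRAVIS_BUILD_DIR}/selinux"
-- |
-if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
-rm -fR selinux-src
-
-# Download current SELinux userspace tools and libraries
-git clone https://github.com/SELinuxProject/selinux.git selinux-src -b ${SELINUX_USERSPACE_VERSION}
-mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
-
-# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
-sed -i -e 's/secilc//' selinux-src/Makefile
-
-# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
-sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
-
-# Drop restorecond to break glib dependence
-sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
-
-# Drop sandbox to break libcap-ng dependence
-sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
-
-# Compile and install SELinux toolchain into ~/selinux
-make OPT_SUBDIRS=semodule-utils -C selinux-src install
-echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
-fi
-
-# Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
-- export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
-
-# Drop build.conf settings to listen to env vars
-- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
-
-- |
-if [ -n "$LINT" ] ; then
-# Install SELint from Debian testing
-wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
-sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
-sudo apt-get update -q
-sudo apt-get install -y selint
-
-selint -V
-fi
-
-script:
-- echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR
-- set -e
-- make bare
-- make conf
-- |
-if [ -n "$LINT" ] ; then
-# Run filecontext checker
-python3 -t -t -E -W error testing/check_fc_files.py
-
-# Run SELint
-# disable C-005 (Permissions in av rule or class declaration not ordered) for now: has 712 findings
-# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
-selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
-
-exit 0
-fi
-- make
-- make validate
-- make xml
-- make html
-- make DESTDIR=${HOME}/tmp install
-- make DESTDIR=${HOME}/tmp install-headers
-- make DESTDIR=${HOME}/tmp install-src
-- make DESTDIR=${HOME}/tmp install-docs
-- make DESTDIR=${HOME}/tmp install-appconfig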