The current Travis CI runs the userspace tooling and libraries against
policy files, but cannot test against an SELinux enabled kernel. Thus,
some tests are not being done in the CI. Travis, unfortunately, only
provides Ubuntu images, so in order to run against a modern distro with
SELinux in enforcing mode, we need to launch a KVM with something like
Fedora.
This patch enables this support by launching a Fedora32 Cloud Image with
the SELinux userspace library passed on from the Travis clone. It then
builds and replaces the current SELinux bits on the Fedora32 image and
runs the SELinux testsuite.
The cloud image run can be controlled with the TRAVIS env variable:
TRAVIS_CLOUD_IMAGE_VERSION. That variable takes the major and minor
version numbers in a colon delimited string, e.g. "32:1.6".
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
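
A strict parser for the "MAJOR:MINOR" format described in the commit above, as an added example that is not part of the patch or the project's scripts. The function names and the image file name pattern are assumptions made for illustration; the sample inputs are constructed.

```sh
#!/bin/sh
# Added example: strict parser for TRAVIS_CLOUD_IMAGE_VERSION ("MAJOR:MINOR").
# The image file name pattern below is an assumption, not taken from the patch.

# parse_cloud_image_version VALUE
#   Prints "MAJOR MINOR" on success; returns 1 on any malformed input.
parse_cloud_image_version() {
    value=$1
    case $value in
        *:*:*) return 1 ;;      # more than one colon
        *:*)   ;;               # exactly one colon
        *)     return 1 ;;      # no colon at all
    esac
    major=${value%%:*}
    minor=${value#*:}
    case $major in              # major: decimal digits only
        ''|*[!0-9]*) return 1 ;;
    esac
    case $minor in              # minor: digits separated by single dots
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    printf '%s %s\n' "$major" "$minor"
}

# cloud_image_name VALUE
#   Builds a file name from validated parts only (assumed naming scheme).
cloud_image_name() {
    parsed=$(parse_cloud_image_version "$1") || return 1
    printf 'Fedora-Cloud-Base-%s-%s.x86_64.qcow2\n' "${parsed% *}" "${parsed#* }"
}

# Constructed sample values: the page's example plus malformed inputs.
for v in '32:1.6' '32' '32:1.6:x' '32:../1.6' ':1.6' '32:1..6'; do
    if name=$(cloud_image_name "$v"); then
        echo "accept  $v -> $name"
    else
        echo "reject  $v"
    fi
done
```

Rejecting anything but digits and single dots before the value reaches a download URL or a file path keeps a mistyped or tampered CI variable from selecting an unintended image.
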
* Test Python 3.8 and Pypy3 3.6-7.2.0
* Test Ruby 2.7
* Drop Ruby 2.2 and 2.3 (they are not supported with Ubuntu 18.04 in
https://rubies.travis-ci.org/)
* While at it, replace deprecated libdbus-glib-1-dev with libglib2.0-dev
now that restorecond has been upgraded.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>

As a result of Python 2 sunset - https://www.python.org/doc/sunset-python-2/ -
Python 2 code will not be supported in this project anymore and new Python code
should be written only for Python 3.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Set-up environment variables in order to use DESTDIR in Python, Ruby,
etc. This makes testing Python scripts easier.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Ubuntu 14.04 uses SWIG 2.0.11 which produces Python files which contain
lines ending with a semicolon:
    __del__ = lambda self : None;
Ubuntu 16.04 uses SWIG 3.0.8, which does not put a semicolon. Moreover
Travis CI only supports Python 3.7 with Ubuntu 16.04. The reason for this
is clearly stated on
https://docs.travis-ci.com/user/languages/python/#development-releases-support :
    Recent Python branches require OpenSSL 1.0.2+. As this library is
    not available for Trusty, 3.7, 3.7-dev, 3.8-dev, and nightly do not
    work (or use outdated archive).
Enabling Python 3.7 in Travis CI build matrix is therefore another
reason to upgrade .travis.yml to Ubuntu 16.04. As this new template does
not support Python 3.4 nor 3.5, and does not support PyPy2.7 yet, drop
them from the build matrix.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

flake8 is a Python linter which is able to detect issues in Python code
(syntax errors, undefined variables, etc.). It has been used to find
bugs in the project. In order to prevent the introduction of new bugs
which can be detected by it, add a script which runs it and use it in
Travis-CI.
flake8 can be used to detect code which is not written according to PEP8
style guide (which forbids whitespaces in some places, enforces the use
of space-indenting, specifies how many blank lines are used between
functions, etc.). As SELinux code does not follow this style guide,
scripts/run-flake8 disables many warnings related to this when running
the linter.
In order to silence flake8 warnings, the Python code can also be
modified. However fixing every "do not use bare 'except'" in the project
needs to be done carefully and takes much time.
This is why the warnings which are disabled have been ordered in three
lists:
* The warnings which can be activated in a not-so-distant future after
the code has been modified.
* The warnings related to PEP8 which cannot be activated without a major
cleaning work of the codebase (for example to modify white spaces)
* The warnings which are introduced by code generated by SWIG 3.0.12,
which would require patches in SWIG in order to be activated (there
is right now only one such warning).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

refpolicy moved from github.com/TresysTechnology to
github.com/SELinuxProject. It is still used in sepolgen tests (they
build modules using Makefile.devel and build.conf) so update the
location of the repository.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Ruby 2.5 is not installed by default, force reinstall with rvm
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been open for more than 5 years.
On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.
As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>

Recent commits removed $DESTDIR from $PYSITEDIR in libselinux and
libsemanage:
-PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site;
print(site.getsitepackages()[0])')
+PYSITEDIR ?= $(shell $(PYTHON) -c 'import site;
print(site.getsitepackages()[0])')
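Review bot: the `+` definition of PYSITEDIR no longer says whether the path is inside or outside the staging root, so a short comment next to it stating that $(DESTDIR) is now applied at the point of use would help anyone who overrides the variable. With the prefix dropped from the default, every install rule that writes under $(PYSITEDIR) has to prepend $(DESTDIR) itself, and an explicit PYSITEDIR override that still carries the DESTDIR prefix no longer matches what the default produces.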
As "site.getsitepackages()" does not work within virtualenvs,
.travis.yml defines PYSITEDIR's value in it and this definition needs to
be updated too.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Some Travis-CI builds failed because of issues when downloading
refpolicy files for sepolgen tests. Use curl's option --retry to make
the downloads work when the networking issues are only transient.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

The latest update to Travis-CI build environment split sugilite
environment into amethyst and garnet and deprecated sugilite. As garnet
provides tools for languages C and Python, and as it is automatically
selected according to
https://travis-ci.org/fishilico/selinux/jobs/278927391 , remove "group:
sugilite" from Travis-CI configuration file.
This update introduced two issues:
- Ruby 2.1 is no longer provided. As it has reached End Of Life
according to https://www.ruby-lang.org/en/downloads/, remove it from
the tested versions
- Python 3.3, 3.4 and 3.5 are no longer installed by default. When
Travis-CI builds Python projects using these versions, it
automatically downloads and extracts an archive from
https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/14.04/x86_64/.
Implement this process in .travis.yml directly (because Travis-CI does
not support multi-language projects which use several versions of C
compilers and Python and Ruby interpreters).
Last but not least, it is now possible to build with PyPy3. Enable this
interpreter in the build environment matrix.
More information about the Travis-CI update is available at
https://docs.travis-ci.com/user/build-environment-updates/2017-09-06/
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

clang does not know -fuse-ld=gold. It only needs -flto, which
automatically adds -plugin=LLVMgold.so to the linker command line, but
this does not work on Travis-CI because the gold linker plugin is not
installed:
    /usr/bin/ld: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so: error
    loading plugin: /usr/local/clang-3.9.0/bin/../lib/LLVMgold.so:
    cannot open shared object file: No such file or directory
Disable in the build matrix the combination of linking with special
linkers with using clang.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Some Makefiles rely on adding values to variables like CFLAGS,
LDFLAGS, etc. For example doing "LDFLAGS += -L../src" does not work fine
when LDFLAGS is defined on the command line of "make".
Commits 297877ab88 ("libselinux utils: override LD{FLAGS, LIBS} for
libselinux.so in Makefile") and 15f2740733 ("Makefiles: override
*FLAGS and *LIBS") recently fixed such issues, by introducing keyword
"override" in the relevant Makefile statements.
In order to prevent the fixed issues from appearing again, add a test
case in Travis-CI configuration file. This case adds on make's command
line minimal definitions for CFLAGS and LDFLAGS and empty definitions
for CPPFLAGS and LDLIBS.
An example of build failure due to a missing override in a required
CPPFLAGS addition is provided on
https://travis-ci.org/fishilico/selinux/builds/245107609
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
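
The failure mode that the test case in the commit above guards against, as an added example that is not part of the commit or the project's Makefiles. It runs GNU make on a constructed one-rule Makefile; the function name `effective_value` and the flag values are illustrative assumptions.

```sh
#!/bin/sh
# Added example: why "VAR += value" in a Makefile needs "override" when VAR is
# also set on make's command line. The Makefile is constructed for this demo.

# effective_value MODE VAR ADDITION CMDLINE
#   MODE "plain" writes "VAR += ADDITION"; "override" writes
#   "override VAR += ADDITION". make is then run with VAR=CMDLINE on its
#   command line and the value the recipe sees is printed.
effective_value() {
    mode=$1 var=$2 addition=$3 cmdline=$4
    case $mode in
        plain)    keyword='' ;;
        override) keyword='override ' ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    mk=$(mktemp) || return 1
    # Unquoted echo in the recipe normalises leading/trailing blanks.
    printf '%s%s += %s\n.PHONY: all\nall:\n\t@echo $(%s)\n' \
        "$keyword" "$var" "$addition" "$var" > "$mk"
    # Subshell: keep inherited MAKEFLAGS and an exported VAR out of the result.
    out=$(unset MAKEFLAGS "$var"; make -s -f "$mk" "$var=$cmdline")
    status=$?
    rm -f "$mk"
    printf '%s\n' "$out"
    return "$status"
}

# Same shape as the CI case: a minimal LDFLAGS and an empty CPPFLAGS on the
# command line, against additions the build cannot work without.
if command -v make >/dev/null 2>&1; then
    for mode in plain override; do
        echo "$mode LDFLAGS:  [$(effective_value "$mode" LDFLAGS -L../src -Wl,-O1)]"
        echo "$mode CPPFLAGS: [$(effective_value "$mode" CPPFLAGS -I../include '')]"
    done
fi
```

In "plain" mode the command-line definition wins and the Makefile's addition is silently dropped, which is how a distribution passing its own hardening flags can end up with a build that lacks a required include or library path.
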
Travis-CI no longer provides Ruby 2.0 in its Trusty environment (it has
been updated according to
https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch).
Remove this version from .travis.yml.
Moreover Python 3.6 and Ruby 3.4 are available. Test building with them.
Last but not least, pypy virtual environment directory has been renamed
pypy2 (/home/travis/virtualenv/pypy2 is a symbolic link to pypy2-5.6.0).
The updated .travis.yml file has been tested on
https://travis-ci.org/fishilico/selinux/builds/248126824
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When building and running tests on a system without SELinux with a
command similar to "make DESTDIR=/tmp/destdir install test", libsemanage
tests fail to build with the following error:
    In file included from utilities.h:20:0,
    from utilities.c:24:
    ../src/handle.h:29:26: fatal error: sepol/handle.h: No such file or
    directory
    #include <sepol/handle.h>
    ^
Fix this by adding the newly-installed directory under $DESTDIR (using
variable $PREFIX) in the search paths of the compiler.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).
Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).
In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.
Moreover update Travis-CI configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Add a configuration file for https://travis-ci.org/. This continuous
integration platform can build the project for several configurations on
Linux, using different compilers, linkers, Python versions and Ruby
versions. An example of build results is available on
https://travis-ci.org/fishilico/selinux/builds/185912863
Even if the SELinux userland libraries and tools project does not enable
Travis-CI integration, the .travis.yml file may be helpful for
contributors who wish to run tests in several configurations.
Current limitations:
- It does not run an OS X build. Travis-CI provides free OS X
environments but it is quite difficult to configure a single
.travis.yml file which defines many Linux environments and some OS X
ones.
- It only runs Ubuntu 14.04 with an x86-64 CPU. This does not test
Android, ARM nor 32-bit x86 configurations.
- It only builds with glibc, not musl or other light C library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>