2020-12-01 16:00:44 +00:00
|
|
|
name: Build tests
|
|
|
|
|
2020-12-08 17:31:00 +00:00
|
|
|
on: [push, pull_request]
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
env:
|
2024-02-23 21:12:25 +00:00
|
|
|
# Minimum versions to build refpolicy.
|
|
|
|
PYTHON_VERSION: "3.10"
|
|
|
|
SELINUX_USERSPACE_VERSION: checkpolicy-3.2
|
|
|
|
USERSPACE_SRC: "selinux-src"
|
|
|
|
# branch for sechecker
|
|
|
|
SECHECKER_VERSION: "4.4"
|
|
|
|
SETOOLS_SRC: "setools-src"
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
jobs:
|
|
|
|
lint:
|
2024-02-23 21:12:25 +00:00
|
|
|
runs-on: ubuntu-22.04
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
steps:
|
2024-02-23 21:12:25 +00:00
|
|
|
- uses: actions/checkout@v4
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
# This version should be the minimum required to run the fc checker
|
2024-02-23 21:12:25 +00:00
|
|
|
# or the standard Python version on Ubuntu.
|
2020-12-01 16:00:44 +00:00
|
|
|
- name: Set up Python
|
2024-02-23 21:12:25 +00:00
|
|
|
uses: actions/setup-python@v5
|
2020-12-01 16:00:44 +00:00
|
|
|
with:
|
2024-02-23 21:12:25 +00:00
|
|
|
python-version: "${{env.PYTHON_VERSION}}"
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
- name: Install dependencies
|
|
|
|
run: |
|
2022-09-17 14:58:25 +00:00
|
|
|
sudo apt-get update -q
|
2022-09-17 14:54:48 +00:00
|
|
|
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
|
2020-12-01 16:00:44 +00:00
|
|
|
|
2022-09-17 14:54:48 +00:00
|
|
|
- name: Checkout SELint
|
2024-02-23 21:12:25 +00:00
|
|
|
uses: actions/checkout@v4
|
2022-09-17 14:54:48 +00:00
|
|
|
with:
|
|
|
|
repository: SELinuxProject/selint
|
2024-01-10 16:01:59 +00:00
|
|
|
ref: 'v1.5.0'
|
2022-09-17 14:54:48 +00:00
|
|
|
path: selint
|
|
|
|
|
|
|
|
- name: Build SELint
|
|
|
|
run: |
|
|
|
|
cd selint/
|
|
|
|
./autogen.sh
|
|
|
|
./configure --without-check
|
|
|
|
make -j$(nproc)
|
|
|
|
sudo make install
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
- name: Create generated policy files
|
|
|
|
run: |
|
|
|
|
make conf
|
|
|
|
make generate
|
|
|
|
|
|
|
|
- name: Run file context checker
|
|
|
|
run: python3 -t -t -E -W error testing/check_fc_files.py
|
|
|
|
|
2022-01-29 17:56:38 +00:00
|
|
|
- name: Run SELint
|
|
|
|
run: |
|
|
|
|
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
|
2022-09-17 14:54:48 +00:00
|
|
|
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
|
2022-01-29 17:56:38 +00:00
|
|
|
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
|
2022-09-17 14:54:48 +00:00
|
|
|
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
build:
|
2024-02-23 21:12:25 +00:00
|
|
|
runs-on: ubuntu-22.04
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
strategy:
|
|
|
|
fail-fast: false
|
|
|
|
|
|
|
|
matrix:
|
|
|
|
build-opts:
|
2022-10-08 00:41:22 +00:00
|
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
2022-09-14 18:17:45 +00:00
|
|
|
|
2020-12-01 16:00:44 +00:00
|
|
|
steps:
|
2024-02-23 21:12:25 +00:00
|
|
|
- name: Checkout Reference Policy
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
|
|
|
|
- name: Checkout SELinux userspace tools and libs
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
with:
|
|
|
|
repository: SELinuxProject/selinux
|
|
|
|
ref: "${{env.SELINUX_USERSPACE_VERSION}}"
|
|
|
|
path: "${{env.USERSPACE_SRC}}"
|
|
|
|
|
|
|
|
- name: Checkout setools
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
with:
|
|
|
|
repository: SELinuxProject/setools
|
|
|
|
ref: "${{env.SECHECKER_VERSION}}"
|
|
|
|
path: "${{env.SETOOLS_SRC}}"
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
# This should be the minimum required Python version to build refpolicy.
|
2024-02-23 21:12:25 +00:00
|
|
|
# or the standard Python version on Ubuntu.
|
2020-12-01 16:00:44 +00:00
|
|
|
- name: Set up Python
|
2024-02-23 21:12:25 +00:00
|
|
|
uses: actions/setup-python@v5
|
2020-12-01 16:00:44 +00:00
|
|
|
with:
|
2024-02-23 21:12:25 +00:00
|
|
|
python-version: "${{env.PYTHON_VERSION}}"
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
- name: Install dependencies
|
|
|
|
run: |
|
2022-09-17 14:58:25 +00:00
|
|
|
sudo apt-get update -q
|
|
|
|
sudo apt-get install -qy \
|
2020-12-01 16:00:44 +00:00
|
|
|
bison \
|
|
|
|
flex \
|
|
|
|
gettext \
|
|
|
|
libaudit-dev \
|
|
|
|
libbz2-dev \
|
|
|
|
libpcre3-dev \
|
|
|
|
libxml2-utils \
|
|
|
|
swig
|
|
|
|
|
|
|
|
- name: Configure environment
|
|
|
|
run: |
|
|
|
|
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
|
|
|
|
echo "PYTHON=python" >> $GITHUB_ENV
|
|
|
|
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
|
|
|
|
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
|
|
|
|
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
|
|
|
|
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
|
|
|
|
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
|
|
|
|
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
|
2022-10-08 00:41:22 +00:00
|
|
|
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
|
2020-12-01 16:00:44 +00:00
|
|
|
echo "WERROR=y" >> $GITHUB_ENV
|
2024-02-23 21:12:25 +00:00
|
|
|
echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
- name: Build toolchain
|
|
|
|
run: |
|
|
|
|
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
|
2024-02-23 21:12:25 +00:00
|
|
|
sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
|
2020-12-01 16:00:44 +00:00
|
|
|
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
|
2024-02-23 21:12:25 +00:00
|
|
|
sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
|
2020-12-01 16:00:44 +00:00
|
|
|
# Drop restorecond to break glib dependence
|
2024-02-23 21:12:25 +00:00
|
|
|
sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
|
2020-12-01 16:00:44 +00:00
|
|
|
# Drop sandbox to break libcap-ng dependence
|
2024-02-23 21:12:25 +00:00
|
|
|
sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
|
2020-12-01 16:00:44 +00:00
|
|
|
# Compile and install SELinux toolchain
|
2024-02-23 21:12:25 +00:00
|
|
|
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
|
|
|
|
|
|
|
|
- name: Build setools
|
|
|
|
run: |
|
|
|
|
cd ${SETOOLS_SRC}
|
|
|
|
pip install .
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
- name: Build refpolicy
|
|
|
|
run: |
|
|
|
|
# Drop build.conf settings to listen to env vars
|
2022-10-08 00:41:22 +00:00
|
|
|
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
|
2020-12-01 16:00:44 +00:00
|
|
|
|
|
|
|
make bare
|
|
|
|
make conf
|
|
|
|
make
|
|
|
|
make validate
|
|
|
|
|
|
|
|
- name: Build docs
|
|
|
|
run: |
|
|
|
|
make xml
|
|
|
|
make html
|
|
|
|
|
|
|
|
- name: Test installation
|
|
|
|
run: |
|
|
|
|
make install
|
|
|
|
make install-headers
|
|
|
|
make install-src
|
|
|
|
make install-docs
|
2022-05-07 01:00:13 +00:00
|
|
|
make install-udica-templates
|
2020-12-01 16:00:44 +00:00
|
|
|
make install-appconfig
|
2024-02-23 21:12:25 +00:00
|
|
|
|
|
|
|
# This skips some combinations to keep GitHub actions runtime lower by
|
|
|
|
# eliminating duplicate analyses.
|
|
|
|
- name: Validate security goals
|
|
|
|
run: |
|
|
|
|
if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
|
|
|
|
policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
|
|
|
|
sechecker testing/sechecker.ini "${policy_file}"
|
|
|
|
else
|
|
|
|
echo "Skipped"
|
|
|
|
fi
|