selinux-refpolicy/.github/workflows/tests.yml

230 lines
10 KiB
YAML
Raw Normal View History

name: Build tests
on: [push, pull_request]
env:
# Minimum versions to build refpolicy.
PYTHON_VERSION: "3.10"
SELINUX_USERSPACE_VERSION: checkpolicy-3.2
USERSPACE_SRC: "selinux-src"
# branch for sechecker
SECHECKER_VERSION: "4.4"
SETOOLS_SRC: "setools-src"
jobs:
lint:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
# This version should be the minimum required to run the fc checker
# or the standard Python version on Ubuntu.
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{env.PYTHON_VERSION}}"
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
- name: Checkout SELint
uses: actions/checkout@v4
with:
repository: SELinuxProject/selint
ref: 'v1.5.0'
path: selint
- name: Build SELint
run: |
cd selint/
./autogen.sh
./configure --without-check
make -j$(nproc)
sudo make install
- name: Create generated policy files
run: |
make conf
make generate
- name: Run file context checker
run: python3 -t -t -E -W error testing/check_fc_files.py
- name: Run SELint
run: |
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
build:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
build-opts:
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
steps:
- name: Checkout Reference Policy
uses: actions/checkout@v4
- name: Checkout SELinux userspace tools and libs
uses: actions/checkout@v4
with:
repository: SELinuxProject/selinux
ref: "${{env.SELINUX_USERSPACE_VERSION}}"
path: "${{env.USERSPACE_SRC}}"
- name: Checkout setools
uses: actions/checkout@v4
with:
repository: SELinuxProject/setools
ref: "${{env.SECHECKER_VERSION}}"
path: "${{env.SETOOLS_SRC}}"
# This should be the minimum required Python version to build refpolicy.
# or the standard Python version on Ubuntu.
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{env.PYTHON_VERSION}}"
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -qy \
bison \
flex \
gettext \
libaudit-dev \
libbz2-dev \
libpcre3-dev \
libxml2-utils \
swig
- name: Configure environment
run: |
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
echo "PYTHON=python" >> $GITHUB_ENV
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
echo "WERROR=y" >> $GITHUB_ENV
echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
- name: Build toolchain
run: |
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Drop restorecond to break glib dependence
sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Drop sandbox to break libcap-ng dependence
sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Compile and install SELinux toolchain
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
- name: Build setools
run: |
cd ${SETOOLS_SRC}
pip install .
- name: Build refpolicy
run: |
# Drop build.conf settings to listen to env vars
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
make bare
make conf
make
make validate
- name: Build docs
run: |
make xml
make html
- name: Test installation
run: |
make install
make install-headers
make install-src
make install-docs
make install-udica-templates
make install-appconfig
# This skips some combinations to keep GitHub actions runtime lower by
# eliminating duplicate analyses.
- name: Validate security goals
run: |
if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
sechecker testing/sechecker.ini "${policy_file}"
else
echo "Skipped"
fi