nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tests.yml: Divide into reusable workflows. 

Keep artifacts from each to allow analysis when there are failures.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2024-06-18 12:59:12 -04:00
parent 04eca2fa9b
commit 99258825ce
6 changed files with 486 additions and 213 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
.github/workflows/build-policy.yml vendored Normal file
View File

@ -0,0 +1,143 @@
name: Build refpolicy
on:
workflow_call:
inputs:
version:
description: "Refpolicy version (a git commit ID, tag, or branch)"
required: false
type: string
default: ""
path:
description: "Path to store the refpolicy sources"
required: false
type: string
default: "refpolicy-src"
python-version:
description: "Python version to use"
required: true
type: string
artifact-name:
description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"
required: false
type: string
default: "refpolicy"
jobs:
build:
runs-on: ubuntu-22.04
strategy:
matrix:
# matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml
distro: ["redhat", "debian", "gentoo"]
type: ["standard", "mcs", "mls"]
monolithic: ["y", "n"]
systemd: ["y", "n"]
direct_initrc: ["y", "n"]
apps-off: ["unconfined", ""]
exclude:
- { distro: "redhat", systemd: "n" }
- { distro: "redhat", direct_initrc: "y" }
- { distro: "debian", systemd: "n" }
- { distro: "debian", direct_initrc: "y" }
- { type: "mls", apps-off: "" }
- { systemd: "y", direct_initrc: "y" }
steps:
- name: Checkout refpolicy sources
uses: actions/checkout@v4
with:
ref: "${{ inputs.version }}"
path: "${{ inputs.path }}"
- name: Download userspace binary artifact
uses: actions/download-artifact@v4
id: dl-userspace
with:
name: selinux-bin
# actions/upload-artifact does not preserve permissions.
- name: Fix userspace file permissions
shell: bash
working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
# This should be the minimum required Python version to build refpolicy.
# or the standard Python version on Ubuntu.
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{ inputs.python-version }}"
- name: Configure environment
shell: bash
run: |
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
echo "PYTHON=python${{ inputs.python-version }}" >> $GITHUB_ENV
echo "TYPE=${{ matrix.type }}" >> $GITHUB_ENV
echo "DISTRO=${{ matrix.distro }}" >> $GITHUB_ENV
echo "MONOLITHIC=${{ matrix.monolithic }}" >> $GITHUB_ENV
echo "SYSTEMD=${{ matrix.systemd }}" >> $GITHUB_ENV
echo "APPS_OFF=${{ matrix.apps-off }}" >> $GITHUB_ENV
echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
echo "WERROR=y" >> $GITHUB_ENV
echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
- name: Build refpolicy
shell: bash
working-directory: "${{ inputs.path }}"
run: |
# Drop build.conf settings to listen to env vars
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
make bare
make conf
make
- name: Validate output policy
working-directory: ${{ inputs.path }}
shell: bash
run: |
make validate
- name: Build docs
working-directory: ${{ inputs.path }}
shell: bash
run: |
make xml
make html
- name: Test installation
working-directory: ${{ inputs.path }}
shell: bash
run: |
make install
make install-headers
make install-src
make install-docs
make install-udica-templates
make install-appconfig
env:
DESTDIR: /tmp/refpolicy-install
# normalize to "sepolicy" and "file_contexts"
- name: Normalize artifacts
working-directory: ${{ inputs.path }}
shell: bash
run: |
if [[ $MONOLITHIC == "y" ]]; then
policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
mv "${policy_file}" sepolicy
else
mv tmp/policy.bin sepolicy
mv tmp/all_mods.fc file_contexts
fi
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
path: |
${{ inputs.path }}/sepolicy
${{ inputs.path }}/file_contexts

60
.github/workflows/build-setools.yml vendored Normal file
View File

@ -0,0 +1,60 @@
name: Build SETools
on:
workflow_call:
inputs:
version:
description: "SETools version (a git commit ID, tag, or branch)"
type: string
required: true
python-version:
description: "Python version to use"
type: string
required: true
outputs:
artifact-id:
description: "SETools wheel artifact ID"
value: ${{ jobs.build.outputs.artifact-id }}
jobs:
build:
runs-on: ubuntu-22.04
outputs:
artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
steps:
- name: Checkout setools
uses: actions/checkout@v4
with:
repository: SELinuxProject/setools
ref: "${{ inputs.version }}"
- name: Install dependencies
shell: bash
run: |
sudo apt-get update -q
- name: Download userspace source artifact
uses: actions/download-artifact@v4
id: dl-userspace
with:
name: selinux-src
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{ inputs.python-version }}"
- name: Build setools
shell: bash
run: pip wheel --no-deps .
env:
CFLAGS: "-O2"
USERSPACE_SRC: "${{ steps.dl-userspace.outputs.download-path }}"
- name: Upload wheel
uses: actions/upload-artifact@v4
id: upload-artifact
with:
name: setools
path: "setools-*.whl"

84
.github/workflows/build-userspace.yml vendored Normal file
View File

@ -0,0 +1,84 @@
name: "Build SELinux userspace"
env:
SELINUX_SRC: "${{ github.workspace }}/selinux-src"
SELINUX_BIN: "${{ github.workspace }}/selinux-bin"
on:
workflow_call:
inputs:
version:
description: "Userspace version (a git commit ID, tag, or branch)"
required: false
type: string
outputs:
source-id:
description: "Userspace source artifact ID"
value: ${{ jobs.build.outputs.source-id }}
binary-id:
description: "Userspace binary artifact ID"
value: ${{ jobs.build.outputs.binary-id }}
jobs:
build:
runs-on: ubuntu-22.04
outputs:
source-id: ${{ steps.upload-src-artifact.outputs.artifact-id }}
binary-id: ${{ steps.upload-bin-artifact.outputs.artifact-id }}
steps:
- name: Checkout SELinux userspace tools and libs
uses: actions/checkout@v4
with:
repository: SELinuxProject/selinux
ref: "${{ inputs.version }}"
path: "${{ env.SELINUX_SRC }}"
- name: Install dependencies
shell: bash
run: |
sudo apt-get update -q
sudo apt-get install -qy \
bison \
flex \
gettext \
libaudit-dev \
libbz2-dev \
libpcre3-dev \
libxml2-utils \
swig
- name: Compile
shell: bash
id: compile
working-directory: "${{ env.SELINUX_SRC }}"
run: |
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
sed -i -e 's/secilc//' Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
sed -i -e 's/sepolicy//' policycoreutils/Makefile
# Drop restorecond to break glib dependence
sed -i -e 's/ restorecond//' policycoreutils/Makefile
# Drop sandbox to break libcap-ng dependence
sed -i -e 's/ sandbox//' policycoreutils/Makefile
# Compile and install SELinux toolchain
make OPT_SUBDIRS=semodule-utils install
# set output directory on successful/pre-existing compile
echo "DESTDIR=\"${DESTDIR}\"" >> $GITHUB_OUTPUT
env:
DESTDIR: "${{ env.SELINUX_BIN }}"
CFLAGS: "-O2"
- name: Upload source artifact
uses: actions/upload-artifact@v4
id: upload-src-artifact
with:
name: selinux-src
path: "${{ env.SELINUX_SRC }}/"
- name: Upload binary artifact
uses: actions/upload-artifact@v4
id: upload-bin-artifact
with:
name: selinux-bin
path: "${{ env.SELINUX_BIN }}/"

73
.github/workflows/lint-policy.yml vendored Normal file
View File

@ -0,0 +1,73 @@
name: Policy linting
on:
workflow_call:
inputs:
python-version:
description: "Python version to use"
required: true
type: string
selint-version:
description: "SELint version (a git commit ID, tag, or branch)"
required: true
type: string
jobs:
selint:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
- name: Checkout SELint
uses: actions/checkout@v4
with:
repository: SELinuxProject/selint
ref: "${{ inputs.selint-version }}"
path: selint
- name: Build SELint
working-directory: selint
run: |
./autogen.sh
./configure --without-check
make -j$(nproc)
sudo make install
- name: Create generated policy files
run: |
make conf
make generate
- name: Run SELint
run: |
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
check_fc_files:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
# This version should be the minimum required to run the fc checker
# or the standard Python version on Ubuntu.
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{ inputs.python-version }}"
- name: Create generated policy files
run: |
make conf
make generate
- name: Run file context checker
run: python${{ inputs.python-version }} -t -t -E -W error testing/check_fc_files.py

244
.github/workflows/tests.yml vendored
View File

@ -5,225 +5,43 @@ on: [push, pull_request]
env: env:
# Minimum versions to build refpolicy. # Minimum versions to build refpolicy.
PYTHON_VERSION: "3.10" PYTHON_VERSION: "3.10"
SELINUX_USERSPACE_VERSION: checkpolicy-3.2 SELINUX_USERSPACE_VERSION: "3.2"
USERSPACE_SRC: "selinux-src"
# branch for sechecker # branch for sechecker
SECHECKER_VERSION: "4.4" SECHECKER_VERSION: "4.4"
SETOOLS_SRC: "setools-src" # branch for selint
SELINT_VERSION: "v1.5.0"
jobs: jobs:
lint: lint_branch_policy:
runs-on: ubuntu-22.04 uses: ./.github/workflows/lint-policy.yml
with:
python-version: "3.10"
selint-version: "v1.5.0"
steps: build_userspace:
- uses: actions/checkout@v4 uses: ./.github/workflows/build-userspace.yml
# depend on lint so expensive operations don't run if lint fails
needs: lint_branch_policy
with:
version: "3.2"
# This version should be the minimum required to run the fc checker build_setools:
# or the standard Python version on Ubuntu. uses: ./.github/workflows/build-setools.yml
- name: Set up Python needs: build_userspace
uses: actions/setup-python@v5 with:
with: version: "4.4"
python-version: "${{env.PYTHON_VERSION}}" python-version: "3.10"
- name: Install dependencies build_branch_policy:
run: | uses: ./.github/workflows/build-policy.yml
sudo apt-get update -q needs: build_userspace
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev with:
# Minimum versions to build refpolicy.
python-version: "3.10"
- name: Checkout SELint validate_branch_policy:
uses: actions/checkout@v4 uses: ./.github/workflows/validate-policy.yml
with: needs: [build_branch_policy, build_setools, build_userspace]
repository: SELinuxProject/selint with:
ref: 'v1.5.0' python-version: "3.10"
path: selint
- name: Build SELint
run: |
cd selint/
./autogen.sh
./configure --without-check
make -j$(nproc)
sudo make install
- name: Create generated policy files
run: |
make conf
make generate
- name: Run file context checker
run: python3 -t -t -E -W error testing/check_fc_files.py
- name: Run SELint
run: |
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
build:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
build-opts:
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
steps:
- name: Checkout Reference Policy
uses: actions/checkout@v4
- name: Checkout SELinux userspace tools and libs
uses: actions/checkout@v4
with:
repository: SELinuxProject/selinux
ref: "${{env.SELINUX_USERSPACE_VERSION}}"
path: "${{env.USERSPACE_SRC}}"
- name: Checkout setools
uses: actions/checkout@v4
with:
repository: SELinuxProject/setools
ref: "${{env.SECHECKER_VERSION}}"
path: "${{env.SETOOLS_SRC}}"
# This should be the minimum required Python version to build refpolicy.
# or the standard Python version on Ubuntu.
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{env.PYTHON_VERSION}}"
- name: Install dependencies
run: |
sudo apt-get update -q
sudo apt-get install -qy \
bison \
flex \
gettext \
libaudit-dev \
libbz2-dev \
libpcre3-dev \
libxml2-utils \
swig
- name: Configure environment
run: |
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
echo "PYTHON=python" >> $GITHUB_ENV
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
echo "WERROR=y" >> $GITHUB_ENV
echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
- name: Build toolchain
run: |
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Drop restorecond to break glib dependence
sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Drop sandbox to break libcap-ng dependence
sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
# Compile and install SELinux toolchain
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
- name: Build setools
run: |
cd ${SETOOLS_SRC}
pip install .
- name: Build refpolicy
run: |
# Drop build.conf settings to listen to env vars
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
make bare
make conf
make
make validate
- name: Build docs
run: |
make xml
make html
- name: Test installation
run: |
make install
make install-headers
make install-src
make install-docs
make install-udica-templates
make install-appconfig
# This skips some combinations to keep GitHub actions runtime lower by
# eliminating duplicate analyses.
- name: Validate security goals
run: |
if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
sechecker testing/sechecker.ini "${policy_file}"
else
echo "Skipped"
fi

95
.github/workflows/validate-policy.yml vendored Normal file
View File

@ -0,0 +1,95 @@
name: Validate policy
on:
workflow_call:
inputs:
python-version:
description: "Python version to use"
required: true
type: string
jobs:
sechecker:
runs-on: ubuntu-22.04
strategy:
matrix:
distro: ["redhat", "debian", "gentoo"]
type: ["standard", "mcs", "mls"]
monolithic: ["y", "n"]
systemd: ["y", "n"]
direct_initrc: ["y", "n"]
apps-off: ["unconfined", ""]
exclude:
- { distro: "redhat", systemd: "n" }
- { distro: "redhat", direct_initrc: "y" }
- { distro: "debian", systemd: "n" }
- { distro: "debian", direct_initrc: "y" }
- { type: "mls", apps-off: "" }
- { systemd: "y", direct_initrc: "y" }
# above here, the matrix must be the same as in build-policy.yml.
# below here, remove duplicate analyses
- { monolithic: "n" }
- { type: "standard" }
- { apps-off: "" }
- { systemd: "n" }
steps:
- name: Checkout testing dir of repo
uses: actions/checkout@v4
with:
sparse-checkout: testing
- name: Install dependencies
shell: bash
run: |
sudo apt-get update -q
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{ inputs.python-version }}"
- name: Download userspace binary artifact
uses: actions/download-artifact@v4
id: dl-userspace
with:
name: selinux-bin
# actions/upload-artifact does not preserve permissions.
- name: Fix userspace file permissions
shell: bash
working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
- name: Download policy artifact
uses: actions/download-artifact@v4
id: dl-refpolicy
with:
name: refpolicy-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
- name: Download setools artifact
uses: actions/download-artifact@v4
id: dl-setools
with:
name: setools
- name: Install setools
shell: bash
working-directory: ${{ steps.dl-setools.outputs.download-path }}
run: sudo pip install setools*.whl
- name: Validate security goals with sechecker
shell: bash
id: sechecker
run: sechecker testing/sechecker.ini ${{ steps.dl-refpolicy.outputs.download-path }}/sepolicy -o sechecker.log
env:
LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"
- name: Upload artifact
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: validation-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
path: |
sechecker.log