name: Build tests on: [push, pull_request] env: # Minimum versions to build refpolicy. PYTHON_VERSION: "3.10" SELINUX_USERSPACE_VERSION: checkpolicy-3.2 USERSPACE_SRC: "selinux-src" # branch for sechecker SECHECKER_VERSION: "4.4" SETOOLS_SRC: "setools-src" jobs: lint: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 # This version should be the minimum required to run the fc checker # or the standard Python version on Ubuntu. - name: Set up Python uses: actions/setup-python@v5 with: python-version: "${{env.PYTHON_VERSION}}" - name: Install dependencies run: | sudo apt-get update -q sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev - name: Checkout SELint uses: actions/checkout@v4 with: repository: SELinuxProject/selint ref: 'v1.5.0' path: selint - name: Build SELint run: | cd selint/ ./autogen.sh ./configure --without-check make -j$(nproc) sudo make install - name: Create generated policy files run: | make conf make generate - name: Run file context checker run: python3 -t -t -E -W error testing/check_fc_files.py - name: Run SELint run: | # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing # disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy build: runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: build-opts: - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n} - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n} - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n} - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n} - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n} - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n} - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y} - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y} - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y} - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y} - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y} - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y} - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} steps: - name: Checkout Reference Policy uses: actions/checkout@v4 - name: Checkout SELinux userspace tools and libs uses: actions/checkout@v4 with: repository: SELinuxProject/selinux ref: "${{env.SELINUX_USERSPACE_VERSION}}" path: "${{env.USERSPACE_SRC}}" - name: Checkout setools uses: actions/checkout@v4 with: repository: SELinuxProject/setools ref: "${{env.SECHECKER_VERSION}}" path: "${{env.SETOOLS_SRC}}" # This should be the minimum required Python version to build refpolicy. # or the standard Python version on Ubuntu. - name: Set up Python uses: actions/setup-python@v5 with: python-version: "${{env.PYTHON_VERSION}}" - name: Install dependencies run: | sudo apt-get update -q sudo apt-get install -qy \ bison \ flex \ gettext \ libaudit-dev \ libbz2-dev \ libpcre3-dev \ libxml2-utils \ swig - name: Configure environment run: | echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV echo "PYTHON=python" >> $GITHUB_ENV echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV echo "WERROR=y" >> $GITHUB_ENV echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV - name: Build toolchain run: | # Drop secilc to break xmlto dependence (secilc isn't used here anyway) sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile # Drop sepolicy to break setools dependence (sepolicy isn't used anyway) sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile # Drop restorecond to break glib dependence sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile # Drop sandbox to break libcap-ng dependence sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile # Compile and install SELinux toolchain make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install - name: Build setools run: | cd ${SETOOLS_SRC} pip install . - name: Build refpolicy run: | # Drop build.conf settings to listen to env vars sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf make bare make conf make make validate - name: Build docs run: | make xml make html - name: Test installation run: | make install make install-headers make install-src make install-docs make install-udica-templates make install-appconfig # This skips some combinations to keep GitHub actions runtime lower by # eliminating duplicate analyses. - name: Validate security goals run: | if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename) sechecker testing/sechecker.ini "${policy_file}" else echo "Skipped" fi