selinux-refpolicy/.github/workflows/validate-policy.yml

96 lines
3.1 KiB
YAML

name: Validate policy
on:
workflow_call:
inputs:
python-version:
description: "Python version to use"
required: true
type: string
jobs:
sechecker:
runs-on: ubuntu-22.04
strategy:
matrix:
distro: ["redhat", "debian", "gentoo"]
type: ["standard", "mcs", "mls"]
monolithic: ["y", "n"]
systemd: ["y", "n"]
direct_initrc: ["y", "n"]
apps-off: ["unconfined", ""]
exclude:
- { distro: "redhat", systemd: "n" }
- { distro: "redhat", direct_initrc: "y" }
- { distro: "debian", systemd: "n" }
- { distro: "debian", direct_initrc: "y" }
- { type: "mls", apps-off: "" }
- { systemd: "y", direct_initrc: "y" }
# above here, the matrix must be the same as in build-policy.yml.
# below here, remove duplicate analyses
- { monolithic: "n" }
- { type: "standard" }
- { apps-off: "" }
- { systemd: "n" }
steps:
- name: Checkout testing dir of repo
uses: actions/checkout@v4
with:
sparse-checkout: testing
- name: Install dependencies
shell: bash
run: |
sudo apt-get update -q
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "${{ inputs.python-version }}"
- name: Download userspace binary artifact
uses: actions/download-artifact@v4
id: dl-userspace
with:
name: selinux-bin
# actions/upload-artifact does not preserve permissions.
- name: Fix userspace file permissions
shell: bash
working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
- name: Download policy artifact
uses: actions/download-artifact@v4
id: dl-refpolicy
with:
name: refpolicy-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
- name: Download setools artifact
uses: actions/download-artifact@v4
id: dl-setools
with:
name: setools
- name: Install setools
shell: bash
working-directory: ${{ steps.dl-setools.outputs.download-path }}
run: sudo pip install setools*.whl
- name: Validate security goals with sechecker
shell: bash
id: sechecker
run: sechecker testing/sechecker.ini ${{ steps.dl-refpolicy.outputs.download-path }}/sepolicy -o sechecker.log
env:
LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"
- name: Upload artifact
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: validation-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
path: |
sechecker.log