194 lines
9.3 KiB
YAML
194 lines
9.3 KiB
YAML
name: Build tests
|
|
|
|
on: [push, pull_request]
|
|
|
|
env:
|
|
# Minimum userspace version to build refpolicy.
|
|
SELINUX_USERSPACE_VERSION: checkpolicy-3.1
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-20.04
|
|
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
# This version should be the minimum required to run the fc checker
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: 3.7
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
sudo apt-get update -q
|
|
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
|
|
|
|
- name: Checkout SELint
|
|
uses: actions/checkout@v3
|
|
with:
|
|
repository: SELinuxProject/selint
|
|
ref: 'v1.5.0'
|
|
path: selint
|
|
|
|
- name: Build SELint
|
|
run: |
|
|
cd selint/
|
|
./autogen.sh
|
|
./configure --without-check
|
|
make -j$(nproc)
|
|
sudo make install
|
|
|
|
- name: Create generated policy files
|
|
run: |
|
|
make conf
|
|
make generate
|
|
|
|
- name: Run file context checker
|
|
run: python3 -t -t -E -W error testing/check_fc_files.py
|
|
|
|
- name: Run SELint
|
|
run: |
|
|
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
|
|
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
|
|
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
|
|
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
|
|
|
|
build:
|
|
runs-on: ubuntu-20.04
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
|
|
matrix:
|
|
build-opts:
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
|
|
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
|
|
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
|
|
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
|
|
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
|
|
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
|
|
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
# This should be the minimum required Python version to build refpolicy.
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: 3.5
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
sudo apt-get update -q
|
|
sudo apt-get install -qy \
|
|
bison \
|
|
flex \
|
|
gettext \
|
|
libaudit-dev \
|
|
libbz2-dev \
|
|
libpcre3-dev \
|
|
libxml2-utils \
|
|
swig
|
|
|
|
- name: Configure environment
|
|
run: |
|
|
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
|
|
echo "PYTHON=python" >> $GITHUB_ENV
|
|
echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
|
|
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
|
|
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
|
|
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
|
|
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
|
|
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
|
|
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
|
|
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
|
|
echo "WERROR=y" >> $GITHUB_ENV
|
|
|
|
- name: Build toolchain
|
|
run: |
|
|
# Download current SELinux userspace tools and libraries
|
|
git clone https://github.com/SELinuxProject/selinux.git ${TEST_TOOLCHAIN_SRC} -b ${SELINUX_USERSPACE_VERSION}
|
|
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
|
|
sed -i -e 's/secilc//' ${TEST_TOOLCHAIN_SRC}/Makefile
|
|
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
|
|
sed -i -e 's/sepolicy//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
|
# Drop restorecond to break glib dependence
|
|
sed -i -e 's/ restorecond//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
|
# Drop sandbox to break libcap-ng dependence
|
|
sed -i -e 's/ sandbox//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
|
|
# Compile and install SELinux toolchain
|
|
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${TEST_TOOLCHAIN_SRC} install
|
|
|
|
- name: Build refpolicy
|
|
run: |
|
|
# Drop build.conf settings to listen to env vars
|
|
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
|
|
|
|
make bare
|
|
make conf
|
|
make
|
|
make validate
|
|
|
|
- name: Build docs
|
|
run: |
|
|
make xml
|
|
make html
|
|
|
|
- name: Test installation
|
|
run: |
|
|
make install
|
|
make install-headers
|
|
make install-src
|
|
make install-docs
|
|
make install-udica-templates
|
|
make install-appconfig
|