Merge pull request #779 from yizhao1/fixes #1350
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build tests | |
on: [push, pull_request] | |
env: | |
# Minimum versions to build refpolicy. | |
PYTHON_VERSION: "3.10" | |
SELINUX_USERSPACE_VERSION: checkpolicy-3.2 | |
USERSPACE_SRC: "selinux-src" | |
# branch for sechecker | |
SECHECKER_VERSION: "4.4" | |
SETOOLS_SRC: "setools-src" | |
jobs: | |
lint: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
# This version should be the minimum required to run the fc checker | |
# or the standard Python version on Ubuntu. | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "${{env.PYTHON_VERSION}}" | |
- name: Install dependencies | |
run: | | |
sudo apt-get update -q | |
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev | |
- name: Checkout SELint | |
uses: actions/checkout@v4 | |
with: | |
repository: SELinuxProject/selint | |
ref: 'v1.5.0' | |
path: selint | |
- name: Build SELint | |
run: | | |
cd selint/ | |
./autogen.sh | |
./configure --without-check | |
make -j$(nproc) | |
sudo make install | |
- name: Create generated policy files | |
run: | | |
make conf | |
make generate | |
- name: Run file context checker | |
run: python3 -t -t -E -W error testing/check_fc_files.py | |
- name: Run SELint | |
run: | | |
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing | |
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing | |
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule | |
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy | |
build: | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
build-opts: | |
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} | |
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} | |
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} | |
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} | |
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n} | |
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n} | |
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n} | |
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n} | |
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} | |
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} | |
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n} | |
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n} | |
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} | |
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} | |
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} | |
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} | |
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y} | |
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y} | |
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y} | |
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y} | |
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} | |
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} | |
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y} | |
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} | |
steps: | |
- name: Checkout Reference Policy | |
uses: actions/checkout@v4 | |
- name: Checkout SELinux userspace tools and libs | |
uses: actions/checkout@v4 | |
with: | |
repository: SELinuxProject/selinux | |
ref: "${{env.SELINUX_USERSPACE_VERSION}}" | |
path: "${{env.USERSPACE_SRC}}" | |
- name: Checkout setools | |
uses: actions/checkout@v4 | |
with: | |
repository: SELinuxProject/setools | |
ref: "${{env.SECHECKER_VERSION}}" | |
path: "${{env.SETOOLS_SRC}}" | |
# This should be the minimum required Python version to build refpolicy. | |
# or the standard Python version on Ubuntu. | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "${{env.PYTHON_VERSION}}" | |
- name: Install dependencies | |
run: | | |
sudo apt-get update -q | |
sudo apt-get install -qy \ | |
bison \ | |
flex \ | |
gettext \ | |
libaudit-dev \ | |
libbz2-dev \ | |
libpcre3-dev \ | |
libxml2-utils \ | |
swig | |
- name: Configure environment | |
run: | | |
echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV | |
echo "PYTHON=python" >> $GITHUB_ENV | |
echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV | |
echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV | |
echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV | |
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV | |
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV | |
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV | |
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV | |
echo "WERROR=y" >> $GITHUB_ENV | |
echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV | |
- name: Build toolchain | |
run: | | |
# Drop secilc to break xmlto dependence (secilc isn't used here anyway) | |
sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile | |
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway) | |
sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile | |
# Drop restorecond to break glib dependence | |
sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile | |
# Drop sandbox to break libcap-ng dependence | |
sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile | |
# Compile and install SELinux toolchain | |
make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install | |
- name: Build setools | |
run: | | |
cd ${SETOOLS_SRC} | |
pip install . | |
- name: Build refpolicy | |
run: | | |
# Drop build.conf settings to listen to env vars | |
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf | |
make bare | |
make conf | |
make | |
make validate | |
- name: Build docs | |
run: | | |
make xml | |
make html | |
- name: Test installation | |
run: | | |
make install | |
make install-headers | |
make install-src | |
make install-docs | |
make install-udica-templates | |
make install-appconfig | |
# This skips some combinations to keep GitHub actions runtime lower by | |
# eliminating duplicate analyses. | |
- name: Validate security goals | |
run: | | |
if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then | |
policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename) | |
sechecker testing/sechecker.ini "${policy_file}" | |
else | |
echo "Skipped" | |
fi |