From 43924b1f864febcba21cd49e9b5b179790b3e7f6 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 7 Nov 2024 15:10:57 -0500
Subject: [PATCH] CI: Add a semodule load test to verify modules insert to store.
There have been some discrepancies between semodule_link/_expand and semodule -i, see #829. Add an extra CI test of installing the modules using semodule -i.
Signed-off-by: Chris PeBenito
---
 .github/workflows/build-policy.yml | 11 +++++++++++
 Rules.modular | 10 ++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-policy.yml b/.github/workflows/build-policy.yml
index 017c674861..15877d0c99 100644
--- a/.github/workflows/build-policy.yml
+++ b/.github/workflows/build-policy.yml
@@ -90,6 +90,12 @@ jobs:
 echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
 echo "WERROR=y" >> $GITHUB_ENV
 echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+ echo 'multiple-decls = true' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sed -i -e '/^module-store/a compiler-directory = ${{ steps.dl-userspace.outputs.download-path }}/usr/libexec/selinux/hll' ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[sefcontext_compile]\npath = ${{ steps.dl-userspace.outputs.download-path }}/usr/sbin/sefcontext_compile\nargs = $@\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[setfiles]\npath = ${{ steps.dl-userspace.outputs.download-path }}/sbin/setfiles\nargs = -c $@ $<\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sudo cp ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf /etc/selinux/semanage.conf
+ cat /etc/selinux/semanage.conf
 - name: Build refpolicy
 shell: bash
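Review bot: The `sed -i -e '/^module-store/a compiler-directory = …'` line appends nothing if the downloaded semanage.conf has no `module-store` line, and none of the following lines checks that the edit landed, so a missing `compiler-directory` would only surface later as an obscure `semodule -i` failure (or, inferred, a fallback to the build's default HLL directory). A check right after the edits would make the failure explicit, e.g. `grep -q '^compiler-directory' "$conf" || { echo 'compiler-directory not inserted' >&2; exit 1; }`. The `${{ steps.dl-userspace.outputs.download-path }}` expression is repeated six times inside quoted shell text; binding it once to a shell variable such as `conf="${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf"` would keep each line readable and the quoting uniform. The enclosing `run:` step starts outside the hunk.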
@@ -125,8 +131,13 @@ jobs:
 make install-docs
 make install-udica-templates
 make install-appconfig
+ if [[ $MONOLITHIC == "n" ]]; then
+ # test modules insertion
+ make load
+ fi
 env:
 DESTDIR: /tmp/refpolicy-install
+ LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"
 # normalize to "sepolicy" and "file_contexts"
 - name: Normalize artifacts
diff --git a/Rules.modular b/Rules.modular
index c705541ec9..3b5e7ca1d5 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -3,6 +3,12 @@
 # Rules and Targets for building modular policies
 #
+module_store_root := $(DESTDIR)/var/lib/selinux
+
+ifneq ($(DESTDIR),)
+ SEMODULE += -p $(DESTDIR) -n
+endif
+
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
 enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
@@ -57,7 +63,7 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 ########################################
@@ -68,7 +74,7 @@ pure-load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
 ########################################
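Review bot: The new `make load` step only proves that the recipe exited zero; nothing in the hunk inspects the store it was meant to populate, so a semodule that silently targets the wrong store path (or inserts nothing) would still pass the test. Listing the staged store after the load, e.g. `semodule -p "$DESTDIR" -l` with the same test-toolchain binary the Makefile resolves (inferred from `TEST_TOOLCHAIN`, not visible here), and failing on an empty listing would make the check meaningful. `LD_LIBRARY_PATH` is also set for the whole step, so the earlier `make install-*` commands and any helper binaries they spawn now load the downloaded libraries too — presumably intended, but worth a one-line comment such as `# point every tool in this step at the downloaded userspace libraries`. The enclosing `run:` block starts outside the hunk.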
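Review bot: `SEMODULE += -p $(DESTDIR) -n` inside the new `ifneq ($(DESTDIR),)` block is silently discarded whenever `SEMODULE` is passed on the make command line, because command-line assignments override file assignments; in that case a `DESTDIR` build would run semodule against the host's live `/var/lib/selinux` store and, lacking `-n`, reload the host's kernel policy. Writing it as `override SEMODULE += -p $(DESTDIR) -n` keeps the staging flags regardless of how `SEMODULE` was supplied. The two new variables would also benefit from a short comment, e.g. `# Stage the module store under DESTDIR and skip the kernel policy reload when installing into a staging tree`, since `-p`/`-n` are otherwise unexplained.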
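Review bot: The context comment `# make sure two directories exist since they are not created by semanage` directly above the changed `$(INSTALL) -d` line is now stale, because the recipe creates three paths including `$(module_store_root)`; the same applies to the `pure-load` hunk below. Suggested wording: `# make sure the policy, file_contexts and module store directories exist since they are not created by semanage`. Note too that with an empty `DESTDIR` the variable expands to `/var/lib/selinux`, so `make load` now creates that directory on the live host with mode 0755 — presumably harmless, but stating it in the comment would save the next reader the check.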