Merge pull request #785 from pebenito/sediff
tests.yml: Add policy diff on PRs.
pebenito authored Jun 27, 2024
2 parents 04eca2f + cb68df0 commit eca307c
Showing 7 changed files with 619 additions and 218 deletions.
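--- a/.github/workflows/build-policy.yml
+++ b/.github/workflows/build-policy.yml
@@ -0,0 +1,143 @@
+name: Build refpolicy
+
+on:
+workflow_call:
+inputs:
+version:
+description: "Refpolicy version (a git commit ID, tag, or branch)"
+required: false
+type: string
+default: ""
+path:
+description: "Path to store the refpolicy sources"
+required: false
+type: string
+default: "refpolicy-src"
+python-version:
+description: "Python version to use"
+required: true
+type: string
+artifact-name:
+description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"
+required: false
+type: string
+default: "refpolicy"
+
+jobs:
+build:
+runs-on: ubuntu-22.04
+
+strategy:
+matrix:
+# matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml
+distro: ["redhat", "debian", "gentoo"]
+type: ["standard", "mcs", "mls"]
+monolithic: ["y", "n"]
+systemd: ["y", "n"]
+direct_initrc: ["y", "n"]
+apps-off: ["unconfined", ""]
+exclude:
+- { distro: "redhat", systemd: "n" }
+- { distro: "redhat", direct_initrc: "y" }
+- { distro: "debian", systemd: "n" }
+- { distro: "debian", direct_initrc: "y" }
+- { type: "mls", apps-off: "" }
+- { systemd: "y", direct_initrc: "y" }
+
+steps:
+- name: Checkout refpolicy sources
+uses: actions/checkout@v4
+with:
+ref: "${{ inputs.version }}"
+path: "${{ inputs.path }}"
+
+- name: Download userspace binary artifact
+uses: actions/download-artifact@v4
+id: dl-userspace
+with:
+name: selinux-bin
+
+# actions/upload-artifact does not preserve permissions.
+- name: Fix userspace file permissions
+shell: bash
+working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
+run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
+
+# This should be the minimum required Python version to build refpolicy.
+# or the standard Python version on Ubuntu.
+- name: Set up Python
+uses: actions/setup-python@v5
+with:
+python-version: "${{ inputs.python-version }}"
+
+- name: Configure environment
+shell: bash
+run: |
+echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
+echo "PYTHON=python${{ inputs.python-version }}" >> $GITHUB_ENV
+echo "TYPE=${{ matrix.type }}" >> $GITHUB_ENV
+echo "DISTRO=${{ matrix.distro }}" >> $GITHUB_ENV
+echo "MONOLITHIC=${{ matrix.monolithic }}" >> $GITHUB_ENV
+echo "SYSTEMD=${{ matrix.systemd }}" >> $GITHUB_ENV
+echo "APPS_OFF=${{ matrix.apps-off }}" >> $GITHUB_ENV
+echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
+echo "WERROR=y" >> $GITHUB_ENV
+echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+- name: Build refpolicy
+shell: bash
+working-directory: "${{ inputs.path }}"
+run: |
+# Drop build.conf settings to listen to env vars
+sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
+make bare
+make conf
+make
+- name: Validate output policy
+working-directory: ${{ inputs.path }}
+shell: bash
+run: |
+make validate
+- name: Build docs
+working-directory: ${{ inputs.path }}
+shell: bash
+run: |
+make xml
+make html
+- name: Test installation
+working-directory: ${{ inputs.path }}
+shell: bash
+run: |
+make install
+make install-headers
+make install-src
+make install-docs
+make install-udica-templates
+make install-appconfig
+env:
+DESTDIR: /tmp/refpolicy-install
+
+# normalize to "sepolicy" and "file_contexts"
+- name: Normalize artifacts
+working-directory: ${{ inputs.path }}
+shell: bash
+run: |
+if [[ $MONOLITHIC == "y" ]]; then
+policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
+mv "${policy_file}" sepolicy
+else
+mv tmp/policy.bin sepolicy
+mv tmp/all_mods.fc file_contexts
+fi
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+path: |
+${{ inputs.path }}/sepolicy
+${{ inputs.path }}/file_contexts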
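Review bot: The "Configure environment" step interpolates `${{ inputs.python-version }}` and `${{ steps.dl-userspace.outputs.download-path }}` straight into the `run:` script, so whatever the caller passes becomes shell text before bash ever sees it; routing both through a step-level `env:` and expanding them as shell variables keeps those values data rather than code. The inputs come from the calling workflow (tests.yml per the commit message), so actual exposure depends on what that caller forwards, but the env form costs nothing. Separately, `GITHUB_ENV` takes the right-hand side literally, so the `\"` escapes around the `TEST_TOOLCHAIN` value become part of the variable; unless the refpolicy Makefile strips them they should be dropped, and the same applies to the `DESTDIR` line written to `GITHUB_OUTPUT` in build-userspace.yml. The `$GITHUB_ENV` redirection targets are also unquoted; `>> "$GITHUB_ENV"` is the safer habit.
```yaml
- name: Configure environment
  shell: bash
  env:
    PYTHON_VERSION: ${{ inputs.python-version }}
    TOOLCHAIN_DIR: ${{ steps.dl-userspace.outputs.download-path }}
  run: |
    echo "DESTDIR=/tmp/refpolicy" >> "$GITHUB_ENV"
    echo "PYTHON=python${PYTHON_VERSION}" >> "$GITHUB_ENV"
    # … unchanged: TYPE/DISTRO/MONOLITHIC/SYSTEMD/APPS_OFF/DIRECT_INITRC/WERROR lines …
    echo "TEST_TOOLCHAIN=${TOOLCHAIN_DIR}" >> "$GITHUB_ENV"
```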
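--- a/.github/workflows/build-setools.yml
+++ b/.github/workflows/build-setools.yml
@@ -0,0 +1,60 @@
+name: Build SETools
+
+on:
+workflow_call:
+inputs:
+version:
+description: "SETools version (a git commit ID, tag, or branch)"
+type: string
+required: true
+python-version:
+description: "Python version to use"
+type: string
+required: true
+outputs:
+artifact-id:
+description: "SETools wheel artifact ID"
+value: ${{ jobs.build.outputs.artifact-id }}
+
+jobs:
+build:
+runs-on: ubuntu-22.04
+outputs:
+artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
+
+steps:
+- name: Checkout setools
+uses: actions/checkout@v4
+with:
+repository: SELinuxProject/setools
+ref: "${{ inputs.version }}"
+
+- name: Install dependencies
+shell: bash
+run: |
+sudo apt-get update -q
+- name: Download userspace source artifact
+uses: actions/download-artifact@v4
+id: dl-userspace
+with:
+name: selinux-src
+
+- name: Set up Python
+uses: actions/setup-python@v5
+with:
+python-version: "${{ inputs.python-version }}"
+
+- name: Build setools
+shell: bash
+run: pip wheel --no-deps .
+env:
+CFLAGS: "-O2"
+USERSPACE_SRC: "${{ steps.dl-userspace.outputs.download-path }}"
+
+- name: Upload wheel
+uses: actions/upload-artifact@v4
+id: upload-artifact
+with:
+name: setools
+path: "setools-*.whl"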
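Review bot: The "Install dependencies" step runs only `sudo apt-get update -q` and installs nothing, so it refreshes the package index for no consumer; either the `apt-get install` list was lost in the split from the original workflow, or the step is vestigial and should be removed. If it is a deliberate placeholder, a comment such as `# no apt packages needed; build deps come from the selinux-src artifact` would save the next reader the same question. Note also that `pip wheel --no-deps .` still resolves the project's build-system requirements from the package index at build time, so the wheel is only as reproducible as that resolution; whether setools pins those is not visible from this hunk.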
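--- a/.github/workflows/build-userspace.yml
+++ b/.github/workflows/build-userspace.yml
@@ -0,0 +1,84 @@
+name: "Build SELinux userspace"
+
+env:
+SELINUX_SRC: "${{ github.workspace }}/selinux-src"
+SELINUX_BIN: "${{ github.workspace }}/selinux-bin"
+
+on:
+workflow_call:
+inputs:
+version:
+description: "Userspace version (a git commit ID, tag, or branch)"
+required: false
+type: string
+outputs:
+source-id:
+description: "Userspace source artifact ID"
+value: ${{ jobs.build.outputs.source-id }}
+binary-id:
+description: "Userspace binary artifact ID"
+value: ${{ jobs.build.outputs.binary-id }}
+
+jobs:
+build:
+runs-on: ubuntu-22.04
+outputs:
+source-id: ${{ steps.upload-src-artifact.outputs.artifact-id }}
+binary-id: ${{ steps.upload-bin-artifact.outputs.artifact-id }}
+
+steps:
+- name: Checkout SELinux userspace tools and libs
+uses: actions/checkout@v4
+with:
+repository: SELinuxProject/selinux
+ref: "${{ inputs.version }}"
+path: "${{ env.SELINUX_SRC }}"
+
+- name: Install dependencies
+shell: bash
+run: |
+sudo apt-get update -q
+sudo apt-get install -qy \
+bison \
+flex \
+gettext \
+libaudit-dev \
+libbz2-dev \
+libpcre3-dev \
+libxml2-utils \
+swig
+- name: Compile
+shell: bash
+id: compile
+working-directory: "${{ env.SELINUX_SRC }}"
+run: |
+# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+sed -i -e 's/secilc//' Makefile
+# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+sed -i -e 's/sepolicy//' policycoreutils/Makefile
+# Drop restorecond to break glib dependence
+sed -i -e 's/ restorecond//' policycoreutils/Makefile
+# Drop sandbox to break libcap-ng dependence
+sed -i -e 's/ sandbox//' policycoreutils/Makefile
+# Compile and install SELinux toolchain
+make OPT_SUBDIRS=semodule-utils install
+# set output directory on successful/pre-existing compile
+echo "DESTDIR=\"${DESTDIR}\"" >> $GITHUB_OUTPUT
+env:
+DESTDIR: "${{ env.SELINUX_BIN }}"
+CFLAGS: "-O2"
+
+- name: Upload source artifact
+uses: actions/upload-artifact@v4
+id: upload-src-artifact
+with:
+name: selinux-src
+path: "${{ env.SELINUX_SRC }}/"
+
+- name: Upload binary artifact
+uses: actions/upload-artifact@v4
+id: upload-bin-artifact
+with:
+name: selinux-bin
+path: "${{ env.SELINUX_BIN }}/"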
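Review bot: The `version` input is `required: false` with no `default`, so a caller that omits it sends an empty `ref:` to actions/checkout, which then builds whatever the default branch of SELinuxProject/selinux holds at that moment; that selinux-bin toolchain is what build-policy.yml consumes, so the whole pipeline floats with upstream. build-setools.yml makes its `version` `required: true`; doing the same here, or adding `default: "<known upstream tag>"` so CI builds a fixed release, keeps the artifacts reproducible and keeps an unreviewed upstream commit from silently entering the build. Whether the caller in tests.yml always passes a version is not visible in this hunk.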