From 99258825ce2e0444bc10aaa1a4b7bab4b4691883 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 18 Jun 2024 12:59:12 -0400
Subject: [PATCH 1/2] tests.yml: Divide into reusable workflows.

Keep artifacts from each to allow analysis when there are failures.

Signed-off-by: Chris PeBenito
---
 .github/workflows/build-policy.yml    | 143 +++++++++++++++
 .github/workflows/build-setools.yml   |  60 ++++++
 .github/workflows/build-userspace.yml |  84 +++++++++
 .github/workflows/lint-policy.yml     |  73 ++++++++
 .github/workflows/tests.yml           | 252 ++++----------------------
 .github/workflows/validate-policy.yml |  95 ++++++++++
 6 files changed, 490 insertions(+), 217 deletions(-)
 create mode 100644 .github/workflows/build-policy.yml
 create mode 100644 .github/workflows/build-setools.yml
 create mode 100644 .github/workflows/build-userspace.yml
 create mode 100644 .github/workflows/lint-policy.yml
 create mode 100644 .github/workflows/validate-policy.yml

diff --git a/.github/workflows/build-policy.yml b/.github/workflows/build-policy.yml
new file mode 100644
index 0000000000..b0279f0450
--- /dev/null
+++ b/.github/workflows/build-policy.yml
@@ -0,0 +1,143 @@
+name: Build refpolicy
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Refpolicy version (a git commit ID, tag, or branch)"
+        required: false
+        type: string
+        default: ""
+      path:
+        description: "Path to store the refpolicy sources"
+        required: false
+        type: string
+        default: "refpolicy-src"
+      python-version:
+        description: "Python version to use"
+        required: true
+        type: string
+      artifact-name:
+        description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"
+        required: false
+        type: string
+        default: "refpolicy"
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        # matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml
+        distro: ["redhat", "debian", "gentoo"]
+        type: ["standard", "mcs", "mls"]
+        monolithic: ["y", "n"]
+        systemd: ["y", "n"]
+        direct_initrc: ["y", "n"]
+        apps-off: ["unconfined", ""]
+        exclude:
+          - { distro: "redhat", systemd: "n" }
+          - { distro: "redhat", direct_initrc: "y" }
+          - { distro: "debian", systemd: "n" }
+          - { distro: "debian", direct_initrc: "y" }
+          - { type: "mls", apps-off: "" }
+          - { systemd: "y", direct_initrc: "y" }
+
+    steps:
+      - name: Checkout refpolicy sources
+        uses: actions/checkout@v4
+        with:
+          ref: "${{ inputs.version }}"
+          path: "${{ inputs.path }}"
+
+      - name: Download userspace binary artifact
+        uses: actions/download-artifact@v4
+        id: dl-userspace
+        with:
+          name: selinux-bin
+
+      # actions/upload-artifact does not preserve permissions.
+      - name: Fix userspace file permissions
+        shell: bash
+        working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
+        run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
+
+      # This should be the minimum required Python version to build refpolicy.
+      # or the standard Python version on Ubuntu.
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ inputs.python-version }}"
+
+      - name: Configure environment
+        shell: bash
+        run: |
+          echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
+          echo "PYTHON=python${{ inputs.python-version }}" >> $GITHUB_ENV
+          echo "TYPE=${{ matrix.type }}" >> $GITHUB_ENV
+          echo "DISTRO=${{ matrix.distro }}" >> $GITHUB_ENV
+          echo "MONOLITHIC=${{ matrix.monolithic }}" >> $GITHUB_ENV
+          echo "SYSTEMD=${{ matrix.systemd }}" >> $GITHUB_ENV
+          echo "APPS_OFF=${{ matrix.apps-off }}" >> $GITHUB_ENV
+          echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
+          echo "WERROR=y" >> $GITHUB_ENV
+          echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+
+      - name: Build refpolicy
+        shell: bash
+        working-directory: "${{ inputs.path }}"
+        run: |
+          # Drop build.conf settings to listen to env vars
+          sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
+
+          make bare
+          make conf
+          make
+
+      - name: Validate output policy
+        working-directory: ${{ inputs.path }}
+        shell: bash
+        run: |
+          make validate
+
+      - name: Build docs
+        working-directory: ${{ inputs.path }}
+        shell: bash
+        run: |
+          make xml
+          make html
+
+      - name: Test installation
+        working-directory: ${{ inputs.path }}
+        shell: bash
+        run: |
+          make install
+          make install-headers
+          make install-src
+          make install-docs
+          make install-udica-templates
+          make install-appconfig
+        env:
+          DESTDIR: /tmp/refpolicy-install
+
+      # normalize to "sepolicy" and "file_contexts"
+      - name: Normalize artifacts
+        working-directory: ${{ inputs.path }}
+        shell: bash
+        run: |
+          if [[ $MONOLITHIC == "y" ]]; then
+            policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
+            mv "${policy_file}" sepolicy
+          else
+            mv tmp/policy.bin sepolicy
+            mv tmp/all_mods.fc file_contexts
+          fi
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+          path: |
+            ${{ inputs.path }}/sepolicy
+            ${{ inputs.path }}/file_contexts
diff --git a/.github/workflows/build-setools.yml b/.github/workflows/build-setools.yml
new file mode 100644
index 0000000000..3f9262ef30
--- /dev/null
+++ b/.github/workflows/build-setools.yml
@@ -0,0 +1,60 @@
+name: Build SETools
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "SETools version (a git commit ID, tag, or branch)"
+        type: string
+        required: true
+      python-version:
+        description: "Python version to use"
+        type: string
+        required: true
+    outputs:
+      artifact-id:
+        description: "SETools wheel artifact ID"
+        value: ${{ jobs.build.outputs.artifact-id }}
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    outputs:
+      artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
+
+    steps:
+      - name: Checkout setools
+        uses: actions/checkout@v4
+        with:
+          repository: SELinuxProject/setools
+          ref: "${{ inputs.version }}"
+
+      - name: Install dependencies
+        shell: bash
+        run: |
+          sudo apt-get update -q
+
+      - name: Download userspace source artifact
+        uses: actions/download-artifact@v4
+        id: dl-userspace
+        with:
+          name: selinux-src
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ inputs.python-version }}"
+
+      - name: Build setools
+        shell: bash
+        run: pip wheel --no-deps .
+        env:
+          CFLAGS: "-O2"
+          USERSPACE_SRC: "${{ steps.dl-userspace.outputs.download-path }}"
+
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        id: upload-artifact
+        with:
+          name: setools
+          path: "setools-*.whl"
diff --git a/.github/workflows/build-userspace.yml b/.github/workflows/build-userspace.yml
new file mode 100644
index 0000000000..786c25b662
--- /dev/null
+++ b/.github/workflows/build-userspace.yml
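Review bot: The `strategy:` block of the build job drops the `fail-fast: false` that the old tests.yml build matrix carried, so with the default `fail-fast: true` the first failing cell cancels every other in-flight cell and those cancelled cells never upload a `sepolicy`/`file_contexts` artifact — which undercuts the commit's stated goal of keeping artifacts from each build for failure analysis. Restoring `fail-fast: false` directly under `strategy:` fixes that. Separately, the `Configure environment` step interpolates `${{ matrix.* }}` and `${{ inputs.python-version }}` straight into a `run:` script; the values are caller-supplied literals here so it is not exploitable, but the conventional hardening is to expose them through the step's `env:` and reference `$VAR` in the script, so the pattern is never copied into a step where an untrusted value flows.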
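Review bot: The `Install dependencies` step in build-setools.yml runs only `sudo apt-get update -q` and installs nothing, so it either should be removed or should actually install what the wheel build needs; as written it just spends time and reads as an unfinished copy of the userspace step. Also, `pip wheel --no-deps .` lets the build backend float to whatever PyPI serves at run time, and tests.yml feeds `ref: "${{ inputs.version }}"` a value its own comment labels a branch, so the wheel that later drives `sechecker`/`sediff` is not reproducible between runs; pinning the SETools input to a tag or commit SHA would make validation results comparable across runs.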
@@ -0,0 +1,84 @@
+name: "Build SELinux userspace"
+
+env:
+  SELINUX_SRC: "${{ github.workspace }}/selinux-src"
+  SELINUX_BIN: "${{ github.workspace }}/selinux-bin"
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Userspace version (a git commit ID, tag, or branch)"
+        required: false
+        type: string
+    outputs:
+      source-id:
+        description: "Userspace source artifact ID"
+        value: ${{ jobs.build.outputs.source-id }}
+      binary-id:
+        description: "Userspace binary artifact ID"
+        value: ${{ jobs.build.outputs.binary-id }}
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    outputs:
+      source-id: ${{ steps.upload-src-artifact.outputs.artifact-id }}
+      binary-id: ${{ steps.upload-bin-artifact.outputs.artifact-id }}
+
+    steps:
+      - name: Checkout SELinux userspace tools and libs
+        uses: actions/checkout@v4
+        with:
+          repository: SELinuxProject/selinux
+          ref: "${{ inputs.version }}"
+          path: "${{ env.SELINUX_SRC }}"
+
+      - name: Install dependencies
+        shell: bash
+        run: |
+          sudo apt-get update -q
+          sudo apt-get install -qy \
+            bison \
+            flex \
+            gettext \
+            libaudit-dev \
+            libbz2-dev \
+            libpcre3-dev \
+            libxml2-utils \
+            swig
+
+      - name: Compile
+        shell: bash
+        id: compile
+        working-directory: "${{ env.SELINUX_SRC }}"
+        run: |
+          # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+          sed -i -e 's/secilc//' Makefile
+          # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+          sed -i -e 's/sepolicy//' policycoreutils/Makefile
+          # Drop restorecond to break glib dependence
+          sed -i -e 's/ restorecond//' policycoreutils/Makefile
+          # Drop sandbox to break libcap-ng dependence
+          sed -i -e 's/ sandbox//' policycoreutils/Makefile
+          # Compile and install SELinux toolchain
+          make OPT_SUBDIRS=semodule-utils install
+          # set output directory on successful/pre-existing compile
+          echo "DESTDIR=\"${DESTDIR}\"" >> $GITHUB_OUTPUT
+        env:
+          DESTDIR: "${{ env.SELINUX_BIN }}"
+          CFLAGS: "-O2"
+
+      - name: Upload source artifact
+        uses: actions/upload-artifact@v4
+        id: upload-src-artifact
+        with:
+          name: selinux-src
+          path: "${{ env.SELINUX_SRC }}/"
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        id: upload-bin-artifact
+        with:
+          name: selinux-bin
+          path: "${{ env.SELINUX_BIN }}/"
diff --git a/.github/workflows/lint-policy.yml b/.github/workflows/lint-policy.yml
new file mode 100644
index 0000000000..f7004ce631
--- /dev/null
+++ b/.github/workflows/lint-policy.yml
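Review bot: `version` is declared `required: false` with no `default`, so a caller that omits it hands an empty `ref` to `actions/checkout`, which for a foreign `repository:` falls back to that repository's default branch — the toolchain would silently float to the tip of SELinuxProject/selinux. Since tests.yml always passes it, the simplest fix is `required: true` in place of `required: false`; otherwise give it an explicit pinned `default:`. The `echo "DESTDIR=\"${DESTDIR}\"" >> $GITHUB_OUTPUT` line in the Compile step writes a value (with embedded quotes) that no job `outputs:` entry reads, so it is dead and the `id: compile` is misleading; drop the line or declare the output.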
@@ -0,0 +1,73 @@
+name: Policy linting
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        description: "Python version to use"
+        required: true
+        type: string
+      selint-version:
+        description: "SELint version (a git commit ID, tag, or branch)"
+        required: true
+        type: string
+
+jobs:
+  selint:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -q
+          sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
+
+      - name: Checkout SELint
+        uses: actions/checkout@v4
+        with:
+          repository: SELinuxProject/selint
+          ref: "${{ inputs.selint-version }}"
+          path: selint
+
+      - name: Build SELint
+        working-directory: selint
+        run: |
+          ./autogen.sh
+          ./configure --without-check
+          make -j$(nproc)
+          sudo make install
+
+      - name: Create generated policy files
+        run: |
+          make conf
+          make generate
+
+      - name: Run SELint
+        run: |
+          # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
+          # disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
+          # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
+          selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
+
+  check_fc_files:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # This version should be the minimum required to run the fc checker
+      # or the standard Python version on Ubuntu.
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ inputs.python-version }}"
+
+      - name: Create generated policy files
+        run: |
+          make conf
+          make generate
+
+      - name: Run file context checker
+        run: python${{ inputs.python-version }} -t -t -E -W error testing/check_fc_files.py
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index c864b17b2d..5192a396ca 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
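Review bot: Both jobs check out the repository with a bare `- uses: actions/checkout@v4`, which by default persists the job token in `.git/config`, and the `selint` job then executes third-party build scripts (`./autogen.sh`, `./configure`, `make`, `sudo make install`) from a second SELinuxProject/selint checkout — nothing in this workflow pushes, so the token has no reason to be on disk while that code runs. Adding `with: persist-credentials: false` to each checkout step limits what a compromised upstream build script could do with it; what that token may do in the first place depends on the repository's default permissions, which this file does not show, so a workflow-level `permissions: contents: read` is the belt-and-braces companion. Pinning `selint-version` to a commit SHA rather than the `v1.5.0` tag would also make the lint result reproducible, since tags are movable.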
@@ -5,225 +5,43 @@ on: [push, pull_request]
 env:
   # Minimum versions to build refpolicy.
   PYTHON_VERSION: "3.10"
-  SELINUX_USERSPACE_VERSION: checkpolicy-3.2
-  USERSPACE_SRC: "selinux-src"
+  SELINUX_USERSPACE_VERSION: "3.2"
   # branch for sechecker
   SECHECKER_VERSION: "4.4"
-  SETOOLS_SRC: "setools-src"
+  # branch for selint
+  SELINT_VERSION: "v1.5.0"
 
 jobs:
-  lint:
-    runs-on: ubuntu-22.04
+  lint_branch_policy:
+    uses: ./.github/workflows/lint-policy.yml
+    with:
+      python-version: "3.10"
+      selint-version: "v1.5.0"
+
+  build_userspace:
+    uses: ./.github/workflows/build-userspace.yml
+    # depend on lint so expensive operations don't run if lint fails
+    needs: lint_branch_policy
+    with:
+      version: "3.2"
+
+  build_setools:
+    uses: ./.github/workflows/build-setools.yml
+    needs: build_userspace
+    with:
+      version: "4.4"
+      python-version: "3.10"
+
+  build_branch_policy:
+    uses: ./.github/workflows/build-policy.yml
+    needs: build_userspace
+    with:
+      # Minimum versions to build refpolicy.
+      python-version: "3.10"
+
+  validate_branch_policy:
+    uses: ./.github/workflows/validate-policy.yml
+    needs: [build_branch_policy, build_setools, build_userspace]
+    with:
+      python-version: "3.10"
 
-    steps:
-      - uses: actions/checkout@v4
-
-      # This version should be the minimum required to run the fc checker
-      # or the standard Python version on Ubuntu.
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "${{env.PYTHON_VERSION}}"
-
-      - name: Install dependencies
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
-
-      - name: Checkout SELint
-        uses: actions/checkout@v4
-        with:
-          repository: SELinuxProject/selint
-          ref: 'v1.5.0'
-          path: selint
-
-      - name: Build SELint
-        run: |
-          cd selint/
-          ./autogen.sh
-          ./configure --without-check
-          make -j$(nproc)
-          sudo make install
-
-      - name: Create generated policy files
-        run: |
-          make conf
-          make generate
-
-      - name: Run file context checker
-        run: python3 -t -t -E -W error testing/check_fc_files.py
-
-      - name: Run SELint
-        run: |
-          # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
-          # disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
-          # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
-          selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
-
-  build:
-    runs-on: ubuntu-22.04
-
-    strategy:
-      fail-fast: false
-
-      matrix:
-        build-opts:
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
-          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
-          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
-          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
-          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
-          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
-          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
-          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
-          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
-
-    steps:
-      - name: Checkout Reference Policy
-        uses: actions/checkout@v4
-
-      - name: Checkout SELinux userspace tools and libs
-        uses: actions/checkout@v4
-        with:
-          repository: SELinuxProject/selinux
-          ref: "${{env.SELINUX_USERSPACE_VERSION}}"
-          path: "${{env.USERSPACE_SRC}}"
-
-      - name: Checkout setools
-        uses: actions/checkout@v4
-        with:
-          repository: SELinuxProject/setools
-          ref: "${{env.SECHECKER_VERSION}}"
-          path: "${{env.SETOOLS_SRC}}"
-
-      # This should be the minimum required Python version to build refpolicy.
-      # or the standard Python version on Ubuntu.
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "${{env.PYTHON_VERSION}}"
-
-      - name: Install dependencies
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install -qy \
-            bison \
-            flex \
-            gettext \
-            libaudit-dev \
-            libbz2-dev \
-            libpcre3-dev \
-            libxml2-utils \
-            swig
-
-      - name: Configure environment
-        run: |
-          echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
-          echo "PYTHON=python" >> $GITHUB_ENV
-          echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
-          echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
-          echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
-          echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
-          echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
-          echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
-          echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
-          echo "WERROR=y" >> $GITHUB_ENV
-          echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
-
-      - name: Build toolchain
-        run: |
-          # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
-          sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
-          # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
-          sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
-          # Drop restorecond to break glib dependence
-          sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
-          # Drop sandbox to break libcap-ng dependence
-          sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
-          # Compile and install SELinux toolchain
-          make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
-
-      - name: Build setools
-        run: |
-          cd ${SETOOLS_SRC}
-          pip install .
-
-      - name: Build refpolicy
-        run: |
-          # Drop build.conf settings to listen to env vars
-          sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
-
-          make bare
-          make conf
-          make
-          make validate
-
-      - name: Build docs
-        run: |
-          make xml
-          make html
-
-      - name: Test installation
-        run: |
-          make install
-          make install-headers
-          make install-src
-          make install-docs
-          make install-udica-templates
-          make install-appconfig
-
-      # This skips some combinations to keep GitHub actions runtime lower by
-      # eliminating duplicate analyses.
-      - name: Validate security goals
-        run: |
-          if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
-            policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
-            sechecker testing/sechecker.ini "${policy_file}"
-          else
-            echo "Skipped"
-          fi
diff --git a/.github/workflows/validate-policy.yml b/.github/workflows/validate-policy.yml
new file mode 100644
index 0000000000..31e0969faa
--- /dev/null
+++ b/.github/workflows/validate-policy.yml
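Review bot: The top-level workflow still declares no `permissions:` block, and after this change it fans out to five reusable workflows that clone and execute build scripts from three other repositories (selinux, setools, selint) on every `push` and `pull_request`; because a `uses:` job can only narrow what the caller grants, this file is the place to add `permissions: contents: read` so the token those downstream checkouts persist is read-only regardless of the repository's default setting. The retained `env:` block (`PYTHON_VERSION`, `SELINUX_USERSPACE_VERSION`, `SECHECKER_VERSION`, `SELINT_VERSION`) is no longer referenced by anything in this hunk — `jobs.<id>.with` cannot read the `env` context, which is presumably why each job repeats the literals `"3.10"`, `"3.2"`, `"4.4"` and `"v1.5.0"` — so the comment "Minimum versions to build refpolicy" now annotates values that are not the ones used; either delete the block or replace its comment with `# NOTE: informational only; the reusable-workflow inputs below must be kept in sync by hand.` The move from the `checkpolicy-3.2` tag to the bare `"3.2"` ref is also a behaviour change worth a sentence in the commit message, since if it is a branch (as the neighbouring "branch for" comments suggest for the others) the toolchain will drift over time.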
@@ -0,0 +1,95 @@
+name: Validate policy
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        description: "Python version to use"
+        required: true
+        type: string
+
+jobs:
+  sechecker:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        distro: ["redhat", "debian", "gentoo"]
+        type: ["standard", "mcs", "mls"]
+        monolithic: ["y", "n"]
+        systemd: ["y", "n"]
+        direct_initrc: ["y", "n"]
+        apps-off: ["unconfined", ""]
+        exclude:
+          - { distro: "redhat", systemd: "n" }
+          - { distro: "redhat", direct_initrc: "y" }
+          - { distro: "debian", systemd: "n" }
+          - { distro: "debian", direct_initrc: "y" }
+          - { type: "mls", apps-off: "" }
+          - { systemd: "y", direct_initrc: "y" }
+          # above here, the matrix must be the same as in build-policy.yml.
+          # below here, remove duplicate analyses
+          - { monolithic: "n" }
+          - { type: "standard" }
+          - { apps-off: "" }
+          - { systemd: "n" }
+
+    steps:
+      - name: Checkout testing dir of repo
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: testing
+
+      - name: Install dependencies
+        shell: bash
+        run: |
+          sudo apt-get update -q
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ inputs.python-version }}"
+
+      - name: Download userspace binary artifact
+        uses: actions/download-artifact@v4
+        id: dl-userspace
+        with:
+          name: selinux-bin
+
+      # actions/upload-artifact does not preserve permissions.
+      - name: Fix userspace file permissions
+        shell: bash
+        working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
+        run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
+
+      - name: Download policy artifact
+        uses: actions/download-artifact@v4
+        id: dl-refpolicy
+        with:
+          name: refpolicy-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+
+      - name: Download setools artifact
+        uses: actions/download-artifact@v4
+        id: dl-setools
+        with:
+          name: setools
+
+      - name: Install setools
+        shell: bash
+        working-directory: ${{ steps.dl-setools.outputs.download-path }}
+        run: sudo pip install setools*.whl
+
+      - name: Validate security goals with sechecker
+        shell: bash
+        id: sechecker
+        run: sechecker testing/sechecker.ini ${{ steps.dl-refpolicy.outputs.download-path }}/sepolicy -o sechecker.log
+        env:
+          LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
+        with:
+          name: validation-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+          path: |
+            sechecker.log
From cb68df0873fed36c028f019d23af80b7df6052c9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 27 Jun 2024 09:02:20 -0400
Subject: [PATCH 2/2] tests.yml: Add policy diff on PRs.

Signed-off-by: Chris PeBenito
---
 .github/workflows/diff-policy.yml | 111 ++++++++++++++++++++++++++++++
 .github/workflows/tests.yml       |  17 +++++
 2 files changed, 128 insertions(+)
 create mode 100644 .github/workflows/diff-policy.yml

diff --git a/.github/workflows/diff-policy.yml b/.github/workflows/diff-policy.yml
new file mode 100644
index 0000000000..d88ae17c16
--- /dev/null
+++ b/.github/workflows/diff-policy.yml
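Review bot: `sudo pip install setools*.whl` in the Install setools step invokes root's `pip`, which on a hosted runner normally resolves through sudo's `secure_path` to the system Python rather than the interpreter `actions/setup-python` just put on `PATH`, so the `sechecker` entry point and the wheel it imports land in a different interpreter than `inputs.python-version` selects — it only works today because the ubuntu-22.04 system Python happens to be the same `"3.10"`. Dropping the `sudo` (`run: pip install setools*.whl`) installs into the selected interpreter and also avoids root-installing packages on the runner. The `strategy:` here also has no `fail-fast: false`, so one failing `sechecker` cell cancels the remaining cells and the cancelled ones never reach the `if: ${{ always() }}` upload, which works against the goal of collecting logs from every failure.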
@@ -0,0 +1,111 @@
+name: Diff policy
+
+on:
+  workflow_call:
+    inputs:
+      left:
+        description: "The left policy for the diff"
+        required: true
+        type: string
+      right:
+        description: "The right policy for the diff"
+        required: true
+        type: string
+      python-version:
+        description: "Python version to use"
+        required: true
+        type: string
+
+jobs:
+  sediff:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        distro: ["redhat", "debian", "gentoo"]
+        type: ["standard", "mcs", "mls"]
+        monolithic: ["y", "n"]
+        systemd: ["y", "n"]
+        direct_initrc: ["y", "n"]
+        apps-off: ["unconfined", ""]
+        exclude:
+          - { distro: "redhat", systemd: "n" }
+          - { distro: "redhat", direct_initrc: "y" }
+          - { distro: "debian", systemd: "n" }
+          - { distro: "debian", direct_initrc: "y" }
+          - { type: "mls", apps-off: "" }
+          - { systemd: "y", direct_initrc: "y" }
+          # above here, the matrix must be the same as in build-policy.yml.
+          # below here, remove duplicate analyses
+          - { monolithic: "n" }
+          - { type: "standard" }
+          - { apps-off: "" }
+          - { systemd: "n" }
+
+    steps:
+      - name: Checkout testing dir of repo
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: testing
+
+      - name: Install dependencies
+        shell: bash
+        run: |
+          sudo apt-get update -q
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ inputs.python-version }}"
+
+      - name: Download userspace binary artifact
+        uses: actions/download-artifact@v4
+        id: dl-userspace
+        with:
+          name: selinux-bin
+
+      # actions/upload-artifact does not preserve permissions.
+      - name: Fix userspace file permissions
+        shell: bash
+        working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
+        run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*
+
+      - name: Download left policy artifact
+        uses: actions/download-artifact@v4
+        id: dl-left
+        with:
+          name: ${{ inputs.left }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+          path: left
+
+      - name: Download right policy artifact
+        uses: actions/download-artifact@v4
+        id: dl-right
+        with:
+          name: ${{ inputs.right }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+          path: right
+
+      - name: Download setools artifact
+        uses: actions/download-artifact@v4
+        id: dl-setools
+        with:
+          name: setools
+
+      - name: Install setools
+        shell: bash
+        working-directory: ${{ steps.dl-setools.outputs.download-path }}
+        run: sudo pip install setools*.whl
+
+      - name: Diff policies
+        shell: bash
+        id: sediff
+        run: sediff left/sepolicy right/sepolicy &> diff-${{ inputs.left }}-${{ inputs.right }}.log
+        env:
+          LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        if: ${{ always() }}
+        with:
+          name: diff-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
+          path: |
+            diff-${{ inputs.left }}-${{ inputs.right }}.log
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 5192a396ca..c9a5e3e2c6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
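Review bot: The `Diff policies` step interpolates `${{ inputs.left }}` and `${{ inputs.right }}` straight into the shell command line (`sediff ... &> diff-${{ inputs.left }}-${{ inputs.right }}.log`); both values are literals from tests.yml today, so this is not exploitable as committed, but a `workflow_call` input is a trust boundary and the idiomatic form is to expose them as `LEFT: ${{ inputs.left }}` and `RIGHT: ${{ inputs.right }}` under the step's `env:` and write `run: sediff left/sepolicy right/sepolicy &> "diff-${LEFT}-${RIGHT}.log"`. Nothing here fails on a non-empty diff, so the uploaded log is informational only; a one-line comment above the step saying so (`# informational: the diff never fails the job, inspect the uploaded artifact`) would save the next reader from assuming it gates merges. As in validate-policy.yml, `strategy:` has no `fail-fast: false`, so a single failing cell cancels the others before they upload.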
@@ -45,3 +45,20 @@ jobs:
     with:
       python-version: "3.10"
 
+  build_PRtarget_policy:
+    uses: ./.github/workflows/build-policy.yml
+    needs: build_userspace
+    if: ${{ github.event_name == 'pull_request' }}
+    with:
+      version: ${{ github.base_ref }}
+      artifact-name: "PRbase"
+      python-version: "3.10"
+
+  diff_policy:
+    uses: ./.github/workflows/diff-policy.yml
+    needs: [build_branch_policy, build_PRtarget_policy, build_setools, build_userspace]
+    if: ${{ github.event_name == 'pull_request' }}
+    with:
+      left: "PRbase"
+      right: "refpolicy"
+      python-version: "3.10"
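Review bot: `build_PRtarget_policy` passes `version: ${{ github.base_ref }}`, a branch name that `actions/checkout` resolves to whatever the target branch's tip is when that job runs, whereas `build_branch_policy` builds the PR merge ref GitHub computed when the run started; if the base branch moves in between, the `sediff` output attributes unrelated commits to the PR. Passing `version: ${{ github.event.pull_request.base.sha }}` instead pins the left side to the base commit recorded in the event payload, which is what the merge ref for this run was built from. The two `if: ${{ github.event_name == 'pull_request' }}` guards are necessary as written, since `github.base_ref` is empty on `push` and build-policy.yml's `default: ""` would then silently check out the default branch.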