checkpolicy: support CIDR notation for nodecon statements #18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run tests | |
on: [push, pull_request] | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
compiler: [gcc, clang] | |
python-ruby-version: | |
- {python: '3.12', ruby: '3.3'} | |
- {python: '3.12', ruby: '3.3', other: 'test-flags-override'} | |
- {python: '3.12', ruby: '3.3', other: 'test-debug'} | |
- {python: '3.12', ruby: '3.3', other: 'linker-bfd'} | |
- {python: '3.12', ruby: '3.3', other: 'linker-gold'} | |
# Test several Python versions with the latest Ruby version | |
- {python: '3.11', ruby: '3.3'} | |
- {python: '3.10', ruby: '3.3'} | |
- {python: '3.9', ruby: '3.3'} | |
- {python: '3.8', ruby: '3.3'} | |
- {python: '3.7', ruby: '3.3'} | |
- {python: 'pypy3.7', ruby: '3.3'} | |
# Test several Ruby versions with the latest Python version | |
- {python: '3.12', ruby: '3.2'} | |
- {python: '3.12', ruby: '3.1'} | |
- {python: '3.12', ruby: '3.0'} | |
- {python: '3.12', ruby: '2.7'} | |
- {python: '3.12', ruby: '2.6'} | |
- {python: '3.12', ruby: '2.5'} | |
exclude: | |
- compiler: clang | |
python-ruby-version: {python: '3.12', ruby: '3.3', other: 'linker-bfd'} | |
- compiler: clang | |
python-ruby-version: {python: '3.12', ruby: '3.3', other: 'linker-gold'} | |
include: | |
- compiler: gcc | |
python-ruby-version: {python: '3.12', ruby: '3.3', other: 'sanitizers'} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python-ruby-version.python }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-ruby-version.python }} | |
- name: Set up Ruby ${{ matrix.python-ruby-version.ruby }} | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ matrix.python-ruby-version.ruby }} | |
bundler-cache: true | |
- name: Install dependencies | |
run: | | |
sudo apt-get update -q | |
sudo apt-get install -qy --no-install-recommends \ | |
bison \ | |
flex \ | |
gawk \ | |
gettext \ | |
libaudit-dev \ | |
libcap-dev \ | |
libcap-ng-dev \ | |
libcunit1-dev \ | |
libdbus-glib-1-dev \ | |
libpcre2-dev \ | |
ruby-dev \ | |
swig \ | |
xmlto | |
pip install flake8 | |
- name: Install Python setuptools | |
if: matrix.python-ruby-version.python == '3.12' | |
run: pip install setuptools | |
- name: Install Clang | |
if: ${{ matrix.compiler == 'clang' }} | |
run: sudo apt-get install -qqy clang | |
- name: Configure the environment | |
run: | | |
DESTDIR=/tmp/destdir | |
echo "PYTHON=python" >> $GITHUB_ENV | |
echo "RUBY=ruby" >> $GITHUB_ENV | |
echo "DESTDIR=$DESTDIR" >> $GITHUB_ENV | |
CC=${{ matrix.compiler }} | |
if [ "${{ matrix.python-ruby-version.other }}" = "linker-bfd" ] ; then | |
CC="$CC -fuse-ld=bfd" | |
elif [ "${{ matrix.python-ruby-version.other }}" = "linker-gold" ] ; then | |
CC="$CC -fuse-ld=gold" | |
fi | |
# https://bugs.ruby-lang.org/issues/18616 | |
# https://github.com/llvm/llvm-project/issues/49958 | |
if [ "${{ matrix.compiler }}" = "clang" ] && [[ "${{ matrix.python-ruby-version.ruby }}" = 3* ]] ; then | |
CC="$CC -fdeclspec" | |
fi | |
echo "CC=$CC" >> $GITHUB_ENV | |
EXPLICIT_MAKE_VARS= | |
if [ "${{ matrix.python-ruby-version.other }}" = "test-flags-override" ] ; then | |
# Test that overriding CFLAGS, LDFLAGS and other variables works fine | |
EXPLICIT_MAKE_VARS="CFLAGS=-I$DESTDIR/usr/include LDFLAGS=-L$DESTDIR/usr/lib LDLIBS= CPPFLAGS=" | |
elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then | |
# Test hat debug build works fine | |
EXPLICIT_MAKE_VARS="DEBUG=1" | |
elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then | |
sanitizers='-fsanitize=address,undefined' | |
EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS=" | |
echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV | |
echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV | |
else | |
EXPLICIT_MAKE_VARS= | |
fi | |
echo "EXPLICIT_MAKE_VARS=${EXPLICIT_MAKE_VARS}" >> $GITHUB_ENV | |
# Find files in order of pkgconf to be able to find Python.h | |
# For example with Python 3.5: | |
# * python is located at /opt/hostedtoolcache/Python/3.5.10/x64/bin/python | |
# * sys.prefix is /opt/hostedtoolcache/Python/3.5.10/x64 | |
# * Python.h is located at /opt/hostedtoolcache/Python/3.5.10/x64/include/python3.5m/Python.h | |
# * python-3.5.pc is located at /opt/hostedtoolcache/Python/3.5.10/x64/lib/pkgconfig/python-3.5.pc | |
PYTHON_SYS_PREFIX="$(python -c 'import sys;print(sys.prefix)')" | |
echo "PKG_CONFIG_PATH=${PYTHON_SYS_PREFIX}/lib/pkgconfig" >> $GITHUB_ENV | |
if [[ "${{ matrix.python-ruby-version.python }}" = pypy* ]] ; then | |
# PyPy does not provide a config file for pkg-config | |
# libpypy-c.so is provided in bin/libpypy-c.so for PyPy and bin/libpypy3-c.so for PyPy3 | |
echo "PYINC=-I${PYTHON_SYS_PREFIX}/include" >> $GITHUB_ENV | |
echo "PYLIBS=-L${PYTHON_SYS_PREFIX}/bin -lpypy3-c" >> $GITHUB_ENV | |
fi | |
# Display the final environment file, for debugging purpose | |
cat $GITHUB_ENV | |
- name: Download and install refpolicy headers for sepolgen tests | |
run: | | |
curl --location --retry 10 -o refpolicy.tar.bz2 https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20220520/refpolicy-2.20220520.tar.bz2 | |
tar -xvjf refpolicy.tar.bz2 | |
sed -e "s,^PREFIX :=.*,PREFIX := $DESTDIR/usr," -i refpolicy/support/Makefile.devel | |
sudo make -C refpolicy install-headers bare | |
sudo mkdir -p /etc/selinux | |
echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config | |
echo 'SELINUX_DEVEL_PATH = /usr/share/selinux/refpolicy' | sudo tee /etc/selinux/sepolgen.conf | |
sed -e "s,\"\(/usr/bin/[cs]\),\"$DESTDIR\1," -i python/sepolgen/src/sepolgen/module.py | |
rm -r refpolicy refpolicy.tar.bz2 | |
- name: Display versions | |
run: | | |
echo "::group::Compiler ($CC):" | |
$CC --version | |
echo "::endgroup::" | |
echo "::group::Python ($(which "$PYTHON")):" | |
$PYTHON --version | |
echo "::endgroup::" | |
echo "::group::Ruby ($(which "$RUBY")):" | |
$RUBY --version | |
echo "::endgroup::" | |
- name: Run tests | |
run: | | |
echo "::group::make install" | |
eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k | |
echo "::endgroup::" | |
echo "::group::make install-pywrap" | |
eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k | |
echo "::endgroup::" | |
echo "::group::make install-rubywrap" | |
eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k | |
echo "::endgroup::" | |
# Now that everything is installed, run "make all" to build everything which may have not been built | |
echo "::group::make all" | |
eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k | |
echo "::endgroup::" | |
# Set up environment variables for the tests and show variables (to help debugging issues) | |
echo "::group::Environment variables" | |
. ./scripts/env_use_destdir | |
echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" | |
echo "PATH=$PATH" | |
echo "PYTHONPATH=$PYTHONPATH" | |
echo "RUBYLIB=$RUBYLIB" | |
echo "::endgroup::" | |
# Run tests | |
echo "::group::make test" | |
eval make test $EXPLICIT_MAKE_VARS | |
echo "::endgroup::" | |
if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then | |
# Test Python and Ruby wrappers | |
echo "::group::Test Python and Ruby wrappers" | |
$PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())' | |
$RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()' | |
echo "::endgroup::" | |
# Run Python linter, but not on the downloaded refpolicy | |
echo "::group::scripts/run-flake8" | |
./scripts/run-flake8 | |
echo "::endgroup::" | |
fi | |
echo "::group::Test .gitignore and make clean distclean" | |
# Remove every installed files | |
rm -rf "$DESTDIR" | |
# Test that "git status" looks clean, or print a clear error message | |
git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^') | |
# Clean up everything and show which file needs to be added to "make clean" | |
eval make clean distclean $EXPLICIT_MAKE_VARS | |
git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^') | |
echo "::endgroup::" |