| Message ID | 20190930104850.5482-4-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Series | Fix refpolicy build & build test_policy.pp in Travis |
On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: > Download, build, and install Fedora policy & refpolicy and try building > the test policy package against both of them. I guess this is a necessary first step to actually getting the testsuite to run on travis, which would be the more important goal. That obviously requires actually enabling SELinux on bionic, unless we could get travis-ci to offer fedora or centos images. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > .travis.yml | 24 ++++++++++++++++++-- > travis-ci/enable-policy.sh | 10 +++++++++ > travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++ > travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++ > 4 files changed, 89 insertions(+), 2 deletions(-) > create mode 100644 travis-ci/enable-policy.sh > create mode 100644 travis-ci/setup-policy-fedora.sh > create mode 100644 travis-ci/setup-policy-refpolicy.sh > > diff --git a/.travis.yml b/.travis.yml > index fbbe98d..c8cd44e 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -1,6 +1,6 @@ > language: c > > -dist: xenial > +dist: bionic > > addons: > apt: > @@ -8,6 +8,14 @@ addons: > - astyle > - libselinux1-dev > - libsctp-dev > + - checkpolicy > + - semodule-utils > + > +cache: > + directories: > + - selinux-policy > + - container-selinux > + - refpolicy > > before_install: > # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56 
> @@ -17,7 +25,19 @@ before_install: > perl Makefile.PL && > make && > sudo make install) > + # install libbpf from sources > + - git clone https://github.com/libbpf/libbpf > + - (cd libbpf/src && make PREFIX=/usr/local) > + - (cd libbpf/src && sudo make install PREFIX=/usr/local) Not packaged on bionic or not recent enough? > + # install Fedora policy and refpolicy > + - bash travis-ci/setup-policy-fedora.sh > + - bash travis-ci/setup-policy-refpolicy.sh > + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) > + - sudo mkdir -p /tmp/fake-selinuxfs > + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs > + - echo 31 >/tmp/fake-selinuxfs/policyvers Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent? > > script: > - tools/check-syntax -f && git diff --exit-code > - - make > + - bash travis-ci/enable-policy.sh targeted && make POLDEV=/usr/share/selinux/targeted > + - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy > diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh > new file mode 100644 > index 0000000..ae53fbe > --- /dev/null > +++ b/travis-ci/enable-policy.sh > @@ -0,0 +1,10 @@ > +#!/bin/bash > + > +set -e > + > +# create a dummy /etc/selinux/config > +sudo mkdir -p /etc/selinux > +sudo tee /etc/selinux/config >/dev/null <<EOF > +SELINUX=disabled > +SELINUXTYPE=$1 > +EOF > diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh > new file mode 100644 > index 0000000..192e234 > --- /dev/null > +++ b/travis-ci/setup-policy-fedora.sh 
> @@ -0,0 +1,35 @@ > +#!/bin/bash > + > +set -ex > + > +if ! [ -d selinux-policy/.git ]; then > + git clone --recursive https://github.com/fedora-selinux/selinux-policy > + (cd selinux-policy/policy/modules/contrib && git checkout rawhide) > +else > + (cd selinux-policy && git pull || { git checkout '*' && git pull; }) > + (cd selinux-policy/policy/modules/contrib && git pull) > +fi > + > +if ! [ -d container-selinux/.git ]; then > + git clone https://github.com/containers/container-selinux.git > + for f in container.if container.te; do > + ln -s ../../../../container-selinux/$f \ > + selinux-policy/policy/modules/contrib/$f > + done > +else > + (cd container-selinux && git pull) > +fi Seem brittle / tightly tied to fedora policy internals - is there some more general facility or perhaps they even provide a script for doing this that we could just reuse? > + > +cd selinux-policy > + > +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ > + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in Is this a limitation of the checkpolicy packaged in bionic? If so, should we just grab the upstream selinux userspace and build it ourselves? > + > +[ -f policy/modules.conf ] || make conf > + > +make -j`nproc --all` > +sudo make install install-headers > + > +# workaround for different Makefile location in Fedora RPMs > +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile > diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh > new file mode 100644 > index 0000000..d89b041 > --- /dev/null > +++ b/travis-ci/setup-policy-refpolicy.sh 
> @@ -0,0 +1,22 @@ > +#!/bin/bash > + > +set -ex > + > +if ! [ -d refpolicy/.git ]; then > + git clone https://github.com/SELinuxProject/refpolicy > +else > + git pull || { git checkout '*' && git pull; } > +fi > + > +cd refpolicy > + > +[ -f policy/modules.conf ] || make conf > + > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ > + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in > + > +make -j`nproc --all` > +sudo make install install-headers > + > +# workaround for different Makefile location in Fedora RPMs > +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile >
On 9/30/19 9:43 AM, Stephen Smalley wrote: > On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: >> Download, build, and install Fedora policy & refpolicy and try building >> the test policy package against both of them. > > I guess this is a necessary first step to actually getting the testsuite > to run on travis, which would be the more important goal. That > obviously requires actually enabling SELinux on bionic, unless we could > get travis-ci to offer fedora or centos images. > >> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> >> --- >> .travis.yml | 24 ++++++++++++++++++-- >> travis-ci/enable-policy.sh | 10 +++++++++ >> travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++ >> travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++ >> 4 files changed, 89 insertions(+), 2 deletions(-) >> create mode 100644 travis-ci/enable-policy.sh >> create mode 100644 travis-ci/setup-policy-fedora.sh >> create mode 100644 travis-ci/setup-policy-refpolicy.sh >> >> diff --git a/.travis.yml b/.travis.yml >> index fbbe98d..c8cd44e 100644 >> --- a/.travis.yml >> +++ b/.travis.yml >> @@ -1,6 +1,6 @@ >> language: c >> -dist: xenial >> +dist: bionic >> addons: >> apt: >> @@ -8,6 +8,14 @@ addons: >> - astyle >> - libselinux1-dev >> - libsctp-dev >> + - checkpolicy >> + - semodule-utils >> + >> +cache: >> + directories: >> + - selinux-policy >> + - container-selinux >> + - refpolicy >> before_install: >> # FYI: known good with HEAD at >> 8551fc60fc515cd290ba38ee8c758c1f4df52b56 
>> @@ -17,7 +25,19 @@ before_install: >> perl Makefile.PL && >> make && >> sudo make install) >> + # install libbpf from sources >> + - git clone https://github.com/libbpf/libbpf >> + - (cd libbpf/src && make PREFIX=/usr/local) >> + - (cd libbpf/src && sudo make install PREFIX=/usr/local) > > Not packaged on bionic or not recent enough? > >> + # install Fedora policy and refpolicy >> + - bash travis-ci/setup-policy-fedora.sh >> + - bash travis-ci/setup-policy-refpolicy.sh >> + # establish a fake "selinuxfs" mount (policy/Makefile just greps >> for selinuxfs) >> + - sudo mkdir -p /tmp/fake-selinuxfs >> + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs >> + - echo 31 >/tmp/fake-selinuxfs/policyvers > > Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent? Looks like the idiom we use in selinux-testsuite/policy/Makefile and refpolicy/Rules.monolithic is checkpolicy -V | cut -f 1 -d ' ' > >> script: >> - tools/check-syntax -f && git diff --exit-code >> - - make >> + - bash travis-ci/enable-policy.sh targeted && make >> POLDEV=/usr/share/selinux/targeted >> + - bash travis-ci/enable-policy.sh refpolicy && make >> POLDEV=/usr/share/selinux/refpolicy >> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh >> new file mode 100644 >> index 0000000..ae53fbe >> --- /dev/null >> +++ b/travis-ci/enable-policy.sh >> @@ -0,0 +1,10 @@ >> +#!/bin/bash >> + >> +set -e >> + >> +# create a dummy /etc/selinux/config >> +sudo mkdir -p /etc/selinux >> +sudo tee /etc/selinux/config >/dev/null <<EOF >> +SELINUX=disabled >> +SELINUXTYPE=$1 >> +EOF >> diff --git a/travis-ci/setup-policy-fedora.sh >> b/travis-ci/setup-policy-fedora.sh >> new file mode 100644 >> index 0000000..192e234 >> --- /dev/null >> +++ b/travis-ci/setup-policy-fedora.sh 
>> @@ -0,0 +1,35 @@ >> +#!/bin/bash >> + >> +set -ex >> + >> +if ! [ -d selinux-policy/.git ]; then >> + git clone --recursive >> https://github.com/fedora-selinux/selinux-policy >> + (cd selinux-policy/policy/modules/contrib && git checkout rawhide) >> +else >> + (cd selinux-policy && git pull || { git checkout '*' && git pull; }) >> + (cd selinux-policy/policy/modules/contrib && git pull) >> +fi >> + >> +if ! [ -d container-selinux/.git ]; then >> + git clone https://github.com/containers/container-selinux.git >> + for f in container.if container.te; do >> + ln -s ../../../../container-selinux/$f \ >> + selinux-policy/policy/modules/contrib/$f >> + done >> +else >> + (cd container-selinux && git pull) >> +fi > > Seem brittle / tightly tied to fedora policy internals - is there some > more general facility or perhaps they even provide a script for doing > this that we could just reuse? > >> + >> +cd selinux-policy >> + >> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' >> build.conf >> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ >> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in > > Is this a limitation of the checkpolicy packaged in bionic? If so, > should we just grab the upstream selinux userspace and build it ourselves? > >> + >> +[ -f policy/modules.conf ] || make conf >> + >> +make -j`nproc --all` >> +sudo make install install-headers >> + >> +# workaround for different Makefile location in Fedora RPMs >> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile >> diff --git a/travis-ci/setup-policy-refpolicy.sh >> b/travis-ci/setup-policy-refpolicy.sh >> new file mode 100644 >> index 0000000..d89b041 >> --- /dev/null >> +++ b/travis-ci/setup-policy-refpolicy.sh 
>> @@ -0,0 +1,22 @@ >> +#!/bin/bash >> + >> +set -ex >> + >> +if ! [ -d refpolicy/.git ]; then >> + git clone https://github.com/SELinuxProject/refpolicy >> +else >> + git pull || { git checkout '*' && git pull; } >> +fi >> + >> +cd refpolicy >> + >> +[ -f policy/modules.conf ] || make conf >> + >> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ >> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in >> + >> +make -j`nproc --all` >> +sudo make install install-headers >> + >> +# workaround for different Makefile location in Fedora RPMs >> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile >> >
On Mon, Sep 30, 2019 at 3:44 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: > > Download, build, and install Fedora policy & refpolicy and try building > > the test policy package against both of them. > > I guess this is a necessary first step to actually getting the testsuite > to run on travis, which would be the more important goal. That > obviously requires actually enabling SELinux on bionic, unless we could > get travis-ci to offer fedora or centos images. > > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > .travis.yml | 24 ++++++++++++++++++-- > > travis-ci/enable-policy.sh | 10 +++++++++ > > travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++ > > travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++ > > 4 files changed, 89 insertions(+), 2 deletions(-) > > create mode 100644 travis-ci/enable-policy.sh > > create mode 100644 travis-ci/setup-policy-fedora.sh > > create mode 100644 travis-ci/setup-policy-refpolicy.sh > > > > diff --git a/.travis.yml b/.travis.yml > > index fbbe98d..c8cd44e 100644 > > --- a/.travis.yml > > +++ b/.travis.yml > > @@ -1,6 +1,6 @@ > > language: c > > > > -dist: xenial > > +dist: bionic > > > > addons: > > apt: > > @@ -8,6 +8,14 @@ addons: > > - astyle > > - libselinux1-dev > > - libsctp-dev > > + - checkpolicy > > + - semodule-utils > > + > > +cache: > > + directories: > > + - selinux-policy > > + - container-selinux > > + - refpolicy > > > > before_install: > > # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56 
> > @@ -17,7 +25,19 @@ before_install: > > perl Makefile.PL && > > make && > > sudo make install) > > + # install libbpf from sources > > + - git clone https://github.com/libbpf/libbpf > > + - (cd libbpf/src && make PREFIX=/usr/local) > > + - (cd libbpf/src && sudo make install PREFIX=/usr/local) > > Not packaged on bionic or not recent enough? Not packaged, AFAICT. > > > + # install Fedora policy and refpolicy > > + - bash travis-ci/setup-policy-fedora.sh > > + - bash travis-ci/setup-policy-refpolicy.sh > > + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) > > + - sudo mkdir -p /tmp/fake-selinuxfs > > + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs > > + - echo 31 >/tmp/fake-selinuxfs/policyvers > > Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent? This will get the policy version that checkpolicy supports, but the policy Makefile also checks the version supported by the running kernel. Since the policy won't actually be loaded in this case, it makes sense to just report the highest known version so that the Makefile tries to build as much as it can with the checkpolicy it has. On second thought, we might even put in just some "infinity" number (e.g. 999), since it should be just an additional upper bound to the checkpolicy upper bound. > > > > > script: > > - tools/check-syntax -f && git diff --exit-code > > - - make > > + - bash travis-ci/enable-policy.sh targeted && make POLDEV=/usr/share/selinux/targeted > > + - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy > > diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh > > new file mode 100644 > > index 0000000..ae53fbe > > --- /dev/null > > +++ b/travis-ci/enable-policy.sh > > @@ -0,0 +1,10 @@ > > +#!/bin/bash > > + > > +set -e > > + > > +# create a dummy /etc/selinux/config > > +sudo mkdir -p /etc/selinux > > +sudo tee /etc/selinux/config >/dev/null <<EOF > > +SELINUX=disabled > > +SELINUXTYPE=$1 > > +EOF 
> > diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh > > new file mode 100644 > > index 0000000..192e234 > > --- /dev/null > > +++ b/travis-ci/setup-policy-fedora.sh 
> > @@ -0,0 +1,35 @@ > > +#!/bin/bash > > + > > +set -ex > > + > > +if ! [ -d selinux-policy/.git ]; then > > + git clone --recursive https://github.com/fedora-selinux/selinux-policy > > + (cd selinux-policy/policy/modules/contrib && git checkout rawhide) > > +else > > + (cd selinux-policy && git pull || { git checkout '*' && git pull; }) > > + (cd selinux-policy/policy/modules/contrib && git pull) > > +fi > > + > > +if ! [ -d container-selinux/.git ]; then > > + git clone https://github.com/containers/container-selinux.git > > + for f in container.if container.te; do > > + ln -s ../../../../container-selinux/$f \ > > + selinux-policy/policy/modules/contrib/$f > > + done > > +else > > + (cd container-selinux && git pull) > > +fi > > Seem brittle / tightly tied to fedora policy internals - is there some > more general facility or perhaps they even provide a script for doing > this that we could just reuse? No, this is simply how the Fedora policy repos are structured. I mostly mirrored the logic of .travis.yml from the main repo [1] I don't think there's a better way to do this. [1] https://github.com/fedora-selinux/selinux-policy/ > > > + > > +cd selinux-policy > > + > > +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf > > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ > > + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in > > Is this a limitation of the checkpolicy packaged in bionic? If so, Yes, I think it is due to checkpolicy/-module being too old. Maybe it should actually be handled in policy/Makefile with a [MOD_]POL_VERS check... I'll need to look more carefully into this. > should we just grab the upstream selinux userspace and build it ourselves? I tried to keep the number of dynamic dependencies on the minimum, but perhaps that's indeed the better way to go here... 
> > > + > > +[ -f policy/modules.conf ] || make conf > > + > > +make -j`nproc --all` > > +sudo make install install-headers > > + > > +# workaround for different Makefile location in Fedora RPMs > > +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile > > diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh > > new file mode 100644 > > index 0000000..d89b041 > > --- /dev/null > > +++ b/travis-ci/setup-policy-refpolicy.sh > > @@ -0,0 +1,22 @@ > > +#!/bin/bash > > + > > +set -ex > > + > > +if ! [ -d refpolicy/.git ]; then > > + git clone https://github.com/SELinuxProject/refpolicy > > +else > > + git pull || { git checkout '*' && git pull; } > > +fi > > + > > +cd refpolicy > > + > > +[ -f policy/modules.conf ] || make conf > > + > > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ > > + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in > > + > > +make -j`nproc --all` > > +sudo make install install-headers > > + > > +# workaround for different Makefile location in Fedora RPMs > > +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile > > >
On 9/30/19 11:02 AM, Ondrej Mosnacek wrote: > On Mon, Sep 30, 2019 at 3:44 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: >> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: >>> Download, build, and install Fedora policy & refpolicy and try building >>> the test policy package against both of them. >> >> I guess this is a necessary first step to actually getting the testsuite >> to run on travis, which would be the more important goal. That >> obviously requires actually enabling SELinux on bionic, unless we could >> get travis-ci to offer fedora or centos images. >> >>> >>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> >>> --- >>> .travis.yml | 24 ++++++++++++++++++-- >>> travis-ci/enable-policy.sh | 10 +++++++++ >>> travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++ >>> travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++ >>> 4 files changed, 89 insertions(+), 2 deletions(-) >>> create mode 100644 travis-ci/enable-policy.sh >>> create mode 100644 travis-ci/setup-policy-fedora.sh >>> create mode 100644 travis-ci/setup-policy-refpolicy.sh >>> >>> diff --git a/.travis.yml b/.travis.yml >>> index fbbe98d..c8cd44e 100644 >>> --- a/.travis.yml >>> +++ b/.travis.yml >>> @@ -1,6 +1,6 @@ >>> language: c >>> >>> -dist: xenial >>> +dist: bionic >>> >>> addons: >>> apt: >>> @@ -8,6 +8,14 @@ addons: >>> - astyle >>> - libselinux1-dev >>> - libsctp-dev >>> + - checkpolicy >>> + - semodule-utils >>> + >>> +cache: >>> + directories: >>> + - selinux-policy >>> + - container-selinux >>> + - refpolicy >>> >>> before_install: >>> # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56 
>>> @@ -17,7 +25,19 @@ before_install: >>> perl Makefile.PL && >>> make && >>> sudo make install) >>> + # install libbpf from sources >>> + - git clone https://github.com/libbpf/libbpf >>> + - (cd libbpf/src && make PREFIX=/usr/local) >>> + - (cd libbpf/src && sudo make install PREFIX=/usr/local) >> >> Not packaged on bionic or not recent enough? > > Not packaged, AFAICT. > >> >>> + # install Fedora policy and refpolicy >>> + - bash travis-ci/setup-policy-fedora.sh >>> + - bash travis-ci/setup-policy-refpolicy.sh >>> + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) >>> + - sudo mkdir -p /tmp/fake-selinuxfs >>> + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs >>> + - echo 31 >/tmp/fake-selinuxfs/policyvers >> >> Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent? > > This will get the policy version that checkpolicy supports, but the > policy Makefile also checks the version supported by the running > kernel. Since the policy won't actually be loaded in this case, it > makes sense to just report the highest known version so that the > Makefile tries to build as much as it can with the checkpolicy it has. > On second thought, we might even put in just some "infinity" number > (e.g. 999), since it should be just an additional upper bound to the > checkpolicy upper bound. When building policies, we should always build the highest version supported by checkpolicy. libselinux will downgrade automatically at load time if necessary to the kernel's version. > >> >>> >>> script: >>> - tools/check-syntax -f && git diff --exit-code >>> - - make >>> + - bash travis-ci/enable-policy.sh targeted && make POLDEV=/usr/share/selinux/targeted >>> + - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy >>> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh >>> new file mode 100644 >>> index 0000000..ae53fbe >>> --- /dev/null >>> +++ b/travis-ci/enable-policy.sh 
>>> @@ -0,0 +1,10 @@ >>> +#!/bin/bash >>> + >>> +set -e >>> + >>> +# create a dummy /etc/selinux/config >>> +sudo mkdir -p /etc/selinux >>> +sudo tee /etc/selinux/config >/dev/null <<EOF >>> +SELINUX=disabled >>> +SELINUXTYPE=$1 >>> +EOF >>> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh >>> new file mode 100644 >>> index 0000000..192e234 >>> --- /dev/null >>> +++ b/travis-ci/setup-policy-fedora.sh 
>>> @@ -0,0 +1,35 @@ >>> +#!/bin/bash >>> + >>> +set -ex >>> + >>> +if ! [ -d selinux-policy/.git ]; then >>> + git clone --recursive https://github.com/fedora-selinux/selinux-policy >>> + (cd selinux-policy/policy/modules/contrib && git checkout rawhide) >>> +else >>> + (cd selinux-policy && git pull || { git checkout '*' && git pull; }) >>> + (cd selinux-policy/policy/modules/contrib && git pull) >>> +fi >>> + >>> +if ! [ -d container-selinux/.git ]; then >>> + git clone https://github.com/containers/container-selinux.git >>> + for f in container.if container.te; do >>> + ln -s ../../../../container-selinux/$f \ >>> + selinux-policy/policy/modules/contrib/$f >>> + done >>> +else >>> + (cd container-selinux && git pull) >>> +fi >> >> Seem brittle / tightly tied to fedora policy internals - is there some >> more general facility or perhaps they even provide a script for doing >> this that we could just reuse? > > No, this is simply how the Fedora policy repos are structured. I > mostly mirrored the logic of .travis.yml from the main repo [1] I > don't think there's a better way to do this. > > [1] https://github.com/fedora-selinux/selinux-policy/ > >> >>> + >>> +cd selinux-policy >>> + >>> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf >>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ >>> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in >> >> Is this a limitation of the checkpolicy packaged in bionic? If so, > > Yes, I think it is due to checkpolicy/-module being too old. Maybe it > should actually be handled in policy/Makefile with a [MOD_]POL_VERS > check... I'll need to look more carefully into this. > >> should we just grab the upstream selinux userspace and build it ourselves? > > I tried to keep the number of dynamic dependencies on the minimum, but > perhaps that's indeed the better way to go here... 
> >> >>> + >>> +[ -f policy/modules.conf ] || make conf >>> + >>> +make -j`nproc --all` >>> +sudo make install install-headers >>> + >>> +# workaround for different Makefile location in Fedora RPMs >>> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile >>> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh >>> new file mode 100644 >>> index 0000000..d89b041 >>> --- /dev/null >>> +++ b/travis-ci/setup-policy-refpolicy.sh >>> @@ -0,0 +1,22 @@ >>> +#!/bin/bash >>> + >>> +set -ex >>> + >>> +if ! [ -d refpolicy/.git ]; then >>> + git clone https://github.com/SELinuxProject/refpolicy >>> +else >>> + git pull || { git checkout '*' && git pull; } >>> +fi >>> + >>> +cd refpolicy >>> + >>> +[ -f policy/modules.conf ] || make conf >>> + >>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ >>> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in >>> + >>> +make -j`nproc --all` >>> +sudo make install install-headers >>> + >>> +# workaround for different Makefile location in Fedora RPMs >>> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile >>> >> >
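The `policyvers` question in the exchange above, worked through as an added shell example that is not part of the patch or of the testsuite: instead of `echo 31 >/tmp/fake-selinuxfs/policyvers`, derive the version from `checkpolicy -V`, cap it by a real kernel value only when one exists, and refuse to write anything if the checkpolicy output cannot be parsed. It assumes `checkpolicy -V` prints the maximum version as its first space-separated field (e.g. `31 (compatibility range 15-31)`), which is what the `cut -f 1 -d ' '` idiom quoted in the thread relies on; the function names, the `FAKE_SELINUXFS` variable and the sample strings are mine.

```shell
#!/bin/sh
# Added example, not from the patch or the testsuite: choose the policy
# version to advertise in a fake selinuxfs from `checkpolicy -V` instead of
# hardcoding 31. Assumes `checkpolicy -V` prints the maximum version as its
# first space-separated field (e.g. "31 (compatibility range 15-31)").
# Function and variable names are illustrative.

# Extract the maximum policy version from `checkpolicy -V` output ($1).
# Prints nothing and returns 1 if the first field is not an integer, so a
# missing or broken checkpolicy is caught instead of writing junk.
checkpolicy_max_vers() {
    cp_vers=$(printf '%s\n' "$1" | cut -f 1 -d ' ')
    case "$cp_vers" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$cp_vers"
}

# Read policyvers from a real selinuxfs mount point ($1) if one is there;
# print nothing otherwise (no SELinux-enabled kernel on the CI image).
kernel_policy_vers() {
    if [ -r "$1/policyvers" ]; then
        cat "$1/policyvers"
    fi
}

# Version to build: checkpolicy's maximum, capped by the kernel's maximum
# ($2) only when a kernel value exists. Without a kernel value the build
# uses everything checkpolicy supports; libselinux downgrades at load time.
effective_policy_vers() {
    cp_max=$(checkpolicy_max_vers "$1") || return 1
    kern_max=$2
    if [ -n "$kern_max" ] && [ "$kern_max" -lt "$cp_max" ]; then
        printf '%s\n' "$kern_max"
    else
        printf '%s\n' "$cp_max"
    fi
}

# Populate a fake selinuxfs directory ($1) with a policyvers file ($2).
# The patch's `mount -t tmpfs tmpfs /tmp/fake-selinuxfs` is still needed so
# that the Makefile's grep for "selinuxfs" finds the mount; this only
# decides the version and writes the file.
write_fake_selinuxfs() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$2" > "$1/policyvers"
}

# Stand-alone use (hypothetical CI step, runs only when FAKE_SELINUXFS is set):
#   FAKE_SELINUXFS=/tmp/fake-selinuxfs sh fake-selinuxfs.sh
if [ -n "${FAKE_SELINUXFS:-}" ]; then
    vers=$(effective_policy_vers "$(checkpolicy -V 2>/dev/null)" \
                                 "$(kernel_policy_vers /sys/fs/selinux)") \
        || { echo "cannot parse checkpolicy -V output" >&2; exit 1; }
    write_fake_selinuxfs "$FAKE_SELINUXFS" "$vers"
    echo "advertising policy version $vers in $FAKE_SELINUXFS/policyvers"
fi
```

Parsing the first field rather than trusting a literal keeps the advertised version in step with whatever checkpolicy the distribution ships, and the non-numeric check turns a missing checkpolicy into a visible CI failure rather than an empty `policyvers` file that breaks the build later.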
diff --git a/.travis.yml b/.travis.yml index fbbe98d..c8cd44e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ language: c -dist: xenial +dist: bionic addons: apt: @@ -8,6 +8,14 @@ addons: - astyle - libselinux1-dev - libsctp-dev + - checkpolicy + - semodule-utils + +cache: + directories: + - selinux-policy + - container-selinux + - refpolicy before_install: # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56 @@ -17,7 +25,19 @@ before_install: perl Makefile.PL && make && sudo make install) + # install libbpf from sources + - git clone https://github.com/libbpf/libbpf + - (cd libbpf/src && make PREFIX=/usr/local) + - (cd libbpf/src && sudo make install PREFIX=/usr/local) + # install Fedora policy and refpolicy + - bash travis-ci/setup-policy-fedora.sh + - bash travis-ci/setup-policy-refpolicy.sh + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) + - sudo mkdir -p /tmp/fake-selinuxfs + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs + - echo 31 >/tmp/fake-selinuxfs/policyvers script: - tools/check-syntax -f && git diff --exit-code - - make + - bash travis-ci/enable-policy.sh targeted && make POLDEV=/usr/share/selinux/targeted + - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh new file mode 100644 index 0000000..ae53fbe --- /dev/null +++ b/travis-ci/enable-policy.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +set -e + +# create a dummy /etc/selinux/config +sudo mkdir -p /etc/selinux +sudo tee /etc/selinux/config >/dev/null <<EOF +SELINUX=disabled +SELINUXTYPE=$1 +EOF diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh new file mode 100644 index 0000000..192e234 --- /dev/null +++ b/travis-ci/setup-policy-fedora.sh 
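Review bot: in the `script:` part of the `@@ -17,7 +25,19 @@` hunk the two builds run back to back in the same tree with nothing cleaned in between (`make POLDEV=/usr/share/selinux/targeted` followed by `make POLDEV=/usr/share/selinux/refpolicy`), so unless the policy Makefile lists the POLDEV headers as prerequisites, the second `make` will find test_policy.pp already up to date and the refpolicy build is never actually exercised; put a `make clean` between them, e.g. `- make clean && bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy`. Two smaller points in the same hunk: `echo 31 >/tmp/fake-selinuxfs/policyvers` hardcodes a version that has to be bumped by hand whenever the packaged checkpolicy changes, whereas `checkpolicy -V | cut -f 1 -d ' '`, the idiom the thread notes policy/Makefile already uses, tracks it automatically; and the libbpf step clones `https://github.com/libbpf/libbpf` at whatever HEAD is that day, unlike the dependency just above it which at least records a known-good commit in a comment, so a breaking or malicious upstream change lands in CI with nobody having looked at it. A `git checkout <commit>` after the clone, with the commit noted the same way, keeps the build reproducible.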
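Review bot: enable-policy.sh never validates its argument, so `bash travis-ci/enable-policy.sh` invoked with no policy name writes `SELINUXTYPE=` into /etc/selinux/config and still exits 0 under `set -e`, leaving the later `make POLDEV=...` step to fail somewhere less obvious. Add a guard before the heredoc, e.g. `[ -n "$1" ] || { echo "usage: $0 <policytype>" >&2; exit 1; }`, and consider also checking that `/usr/share/selinux/$1` exists so a typo in the policy name is reported by this script rather than by the build.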
@@ -0,0 +1,35 @@ +#!/bin/bash + +set -ex + +if ! [ -d selinux-policy/.git ]; then + git clone --recursive https://github.com/fedora-selinux/selinux-policy + (cd selinux-policy/policy/modules/contrib && git checkout rawhide) +else + (cd selinux-policy && git pull || { git checkout '*' && git pull; }) + (cd selinux-policy/policy/modules/contrib && git pull) +fi + +if ! [ -d container-selinux/.git ]; then + git clone https://github.com/containers/container-selinux.git + for f in container.if container.te; do + ln -s ../../../../container-selinux/$f \ + selinux-policy/policy/modules/contrib/$f + done +else + (cd container-selinux && git pull) +fi + +cd selinux-policy + +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in + +[ -f policy/modules.conf ] || make conf + +make -j`nproc --all` +sudo make install install-headers + +# workaround for different Makefile location in Fedora RPMs +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh new file mode 100644 index 0000000..d89b041 --- /dev/null +++ b/travis-ci/setup-policy-refpolicy.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +set -ex + +if ! [ -d refpolicy/.git ]; then + git clone https://github.com/SELinuxProject/refpolicy +else + git pull || { git checkout '*' && git pull; } +fi + +cd refpolicy + +[ -f policy/modules.conf ] || make conf + +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \ + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in + +make -j`nproc --all` +sudo make install install-headers + +# workaround for different Makefile location in Fedora RPMs +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
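Review bot: in setup-policy-fedora.sh the container.if/container.te symlinks are created only in the first-clone branch, and `ln -s` without `-f` aborts the script under `set -ex` if a link already exists, so when the Travis cache restores selinux-policy but not container-selinux (they are separate entries in `cache: directories:`) the script either dies recreating the links or, in the opposite case, never creates them; create the links unconditionally with `ln -sf` once both checkouts are in place. Two further points: every repository is taken from a moving branch (`git checkout rawhide`, then `git pull` on each cached run) with no commit recorded, so a green build and a red one can differ only in upstream policy changes that the CI log does not identify; and `sed -i '/^portcon sctp/d'` silently strips the SCTP portcon statements to suit bionic's checkpolicy, so the installed policy differs from upstream with no trace in the output. Logging `git rev-parse HEAD` for each checkout and `checkpolicy -V` at the top of the script would make failures diagnosable.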
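Review bot: in setup-policy-refpolicy.sh the `else` branch runs `git pull || { git checkout '*' && git pull; }` in the current directory rather than in refpolicy/, because the `cd refpolicy` only comes after the `if`; on a cache hit this pulls the selinux-testsuite checkout itself and, if that pull fails, runs `git checkout '*'` there and discards local changes in the testsuite tree, while the cached refpolicy is never updated. Mirror the fedora script and wrap it in a subshell: `(cd refpolicy && { git pull || { git checkout '*' && git pull; }; })`.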
Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml                         | 24 ++++++++++++++++++--
 travis-ci/enable-policy.sh          | 10 +++++++++
 travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh