Re: [PATCH testsuite 3/3] travis: test building the test policy package

Stephen Smalley <sds@xxxxxxxxxxxxx> · Mon, 30 Sep 2019 09:43:58 -0400

On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.

I guess this is a necessary first step to actually getting the testsuite 
to run on travis, which would be the more important goal.  That 
obviously requires actually enabling SELinux on bionic, unless we could 
get travis-ci to offer fedora or centos images.


Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
  .travis.yml                         | 24 ++++++++++++++++++--
  travis-ci/enable-policy.sh          | 10 +++++++++
  travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
  travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
  4 files changed, 89 insertions(+), 2 deletions(-)
  create mode 100644 travis-ci/enable-policy.sh
  create mode 100644 travis-ci/setup-policy-fedora.sh
  create mode 100644 travis-ci/setup-policy-refpolicy.sh

diff --git a/.travis.yml b/.travis.yml
index fbbe98d..c8cd44e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
  language: c
  
-dist: xenial
+dist: bionic
  
  addons:
    apt:
@@ -8,6 +8,14 @@ addons:
        - astyle
        - libselinux1-dev
        - libsctp-dev
+      - checkpolicy
+      - semodule-utils
+
+cache:
+  directories:
+    - selinux-policy
+    - container-selinux
+    - refpolicy
  
  before_install:
    # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
@@ -17,7 +25,19 @@ before_install:
       perl Makefile.PL &&
       make &&
       sudo make install)
+  # install libbpf from sources
+  - git clone https://github.com/libbpf/libbpf
+  - (cd libbpf/src && make PREFIX=/usr/local)
+  - (cd libbpf/src && sudo make install PREFIX=/usr/local)

Not packaged on bionic or not recent enough?

+  # install Fedora policy and refpolicy
+  - bash travis-ci/setup-policy-fedora.sh
+  - bash travis-ci/setup-policy-refpolicy.sh
+  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
+  - sudo mkdir -p /tmp/fake-selinuxfs
+  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+  - echo 31 >/tmp/fake-selinuxfs/policyvers

Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?

  
  script:
    - tools/check-syntax -f && git diff --exit-code
-  - make
+  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
+  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..192e234
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+	git clone --recursive https://github.com/fedora-selinux/selinux-policy
+	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
+	(cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+	git clone https://github.com/containers/container-selinux.git
+	for f in container.if container.te; do
+		ln -s ../../../../container-selinux/$f \
+			selinux-policy/policy/modules/contrib/$f
+	done
+else
+	(cd container-selinux && git pull)
+fi

Seem brittle / tightly tied to fedora policy internals - is there some 
more general facility or perhaps they even provide a script for doing 
this that we could just reuse?

+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in

Is this a limitation of the checkpolicy packaged in bionic?  If so, 
should we just grab the upstream selinux userspace and build it ourselves?

+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..d89b041
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+	git clone https://github.com/SELinuxProject/refpolicy
+else
+	git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile








