On 9/30/19 9:43 AM, Stephen Smalley wrote:
On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.
I guess this is a necessary first step to actually getting the testsuite
to run on travis, which would be the more important goal. That
obviously requires actually enabling SELinux on bionic, unless we could
get travis-ci to offer fedora or centos images.
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
.travis.yml | 24 ++++++++++++++++++--
travis-ci/enable-policy.sh | 10 +++++++++
travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++
travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
4 files changed, 89 insertions(+), 2 deletions(-)
create mode 100644 travis-ci/enable-policy.sh
create mode 100644 travis-ci/setup-policy-fedora.sh
create mode 100644 travis-ci/setup-policy-refpolicy.sh
diff --git a/.travis.yml b/.travis.yml
index fbbe98d..c8cd44e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
language: c
-dist: xenial
+dist: bionic
addons:
apt:
@@ -8,6 +8,14 @@ addons:
- astyle
- libselinux1-dev
- libsctp-dev
+ - checkpolicy
+ - semodule-utils
+
+cache:
+ directories:
+ - selinux-policy
+ - container-selinux
+ - refpolicy
before_install:
# FYI: known good with HEAD at
8551fc60fc515cd290ba38ee8c758c1f4df52b56
@@ -17,7 +25,19 @@ before_install:
perl Makefile.PL &&
make &&
sudo make install)
+ # install libbpf from sources
+ - git clone https://github.com/libbpf/libbpf
+ - (cd libbpf/src && make PREFIX=/usr/local)
+ - (cd libbpf/src && sudo make install PREFIX=/usr/local)
Not packaged on bionic or not recent enough?
+ # install Fedora policy and refpolicy
+ - bash travis-ci/setup-policy-fedora.sh
+ - bash travis-ci/setup-policy-refpolicy.sh
+ # establish a fake "selinuxfs" mount (policy/Makefile just greps
for selinuxfs)
+ - sudo mkdir -p /tmp/fake-selinuxfs
+ - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+ - echo 31 >/tmp/fake-selinuxfs/policyvers
Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?
Looks like the idiom we use in selinux-testsuite/policy/Makefile and
refpolicy/Rules.monolithic is checkpolicy -V | cut -f 1 -d ' '
script:
- tools/check-syntax -f && git diff --exit-code
- - make
+ - bash travis-ci/enable-policy.sh targeted && make
POLDEV=/usr/share/selinux/targeted
+ - bash travis-ci/enable-policy.sh refpolicy && make
POLDEV=/usr/share/selinux/refpolicy
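Review bot: the `git clone https://github.com/libbpf/libbpf` line is unpinned, so every CI run compiles whatever libbpf HEAD happens to be at that moment, and an upstream API change or a bad push changes or breaks the testsuite build with no change in this repository; the `# FYI: known good with HEAD at` comment just above already records a known-good commit for the other dependency, so follow the same pattern here with a `git checkout <known-good commit>` (or `--branch` on a release tag) after the clone, and refresh it deliberately.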
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
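Review bot: `SELINUXTYPE=$1` is written with no check that an argument was passed, so invoking the script without one silently produces `SELINUXTYPE=` in /etc/selinux/config and the failure only surfaces later in `make POLDEV=...`, far from the cause; add `: "${1:?usage: enable-policy.sh <policy type>}"` (or a `[ $# -eq 1 ]` test) before the heredoc so the script fails immediately with a clear message.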
diff --git a/travis-ci/setup-policy-fedora.sh
b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..192e234
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+ git clone --recursive
https://github.com/fedora-selinux/selinux-policy
+ (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+ (cd selinux-policy && git pull || { git checkout '*' && git pull; })
+ (cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+ git clone https://github.com/containers/container-selinux.git
+ for f in container.if container.te; do
+ ln -s ../../../../container-selinux/$f \
+ selinux-policy/policy/modules/contrib/$f
+ done
+else
+ (cd container-selinux && git pull)
+fi
Seem brittle / tightly tied to fedora policy internals - is there some
more general facility or perhaps they even provide a script for doing
this that we could just reuse?
+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/'
build.conf
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+ sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
Is this a limitation of the checkpolicy packaged in bionic? If so,
should we just grab the upstream selinux userspace and build it ourselves?
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
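Review bot: the `ln -s` loop that links container.if and container.te into selinux-policy/policy/modules/contrib only runs in the branch taken when container-selinux has not been cloned yet, but the links themselves live in the selinux-policy tree; with the `cache: directories:` from the .travis.yml hunk, a run where container-selinux is restored from cache while selinux-policy is cloned fresh ends up with no links, and the policy builds without the container module instead of failing. Create the links unconditionally after both repositories exist, e.g. `ln -sf ../../../../container-selinux/$f selinux-policy/policy/modules/contrib/$f`, so the script is idempotent regardless of which directories the cache restored.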
diff --git a/travis-ci/setup-policy-refpolicy.sh
b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..d89b041
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+ git clone https://github.com/SELinuxProject/refpolicy
+else
+ git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+ sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
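Review bot: in the `else` branch, `git pull || { git checkout '*' && git pull; }` runs in the build root, not in refpolicy (the `cd refpolicy` comes only after the `fi`), so on a cached build it pulls the selinux-testsuite checkout itself and, if that pull fails, `git checkout '*'` discards local modifications in the testsuite tree rather than in refpolicy; wrap it the way the Fedora script does, `(cd refpolicy && { git pull || { git checkout '*' && git pull; }; })`.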