From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH testsuite 3/3] travis: test building the test policy package
Date: Mon, 30 Sep 2019 09:51:55 -0400
Message-ID: <a94ca288-49a6-b985-03d3-8fa9fc5e7a11@tycho.nsa.gov>
In-Reply-To: <2dfde121-d786-6ba3-0820-953cfbba7033@tycho.nsa.gov>
On 9/30/19 9:43 AM, Stephen Smalley wrote:
> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
>> Download, build, and install Fedora policy & refpolicy and try building
>> the test policy package against both of them.
>
> I guess this is a necessary first step to actually getting the testsuite
> to run on travis, which would be the more important goal. That
> obviously requires actually enabling SELinux on bionic, unless we could
> get travis-ci to offer fedora or centos images.
>
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>> .travis.yml | 24 ++++++++++++++++++--
>> travis-ci/enable-policy.sh | 10 +++++++++
>> travis-ci/setup-policy-fedora.sh | 35 +++++++++++++++++++++++++++++
>> travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
>> 4 files changed, 89 insertions(+), 2 deletions(-)
>> create mode 100644 travis-ci/enable-policy.sh
>> create mode 100644 travis-ci/setup-policy-fedora.sh
>> create mode 100644 travis-ci/setup-policy-refpolicy.sh
>>
>> diff --git a/.travis.yml b/.travis.yml
>> index fbbe98d..c8cd44e 100644
>> --- a/.travis.yml
>> +++ b/.travis.yml
>> @@ -1,6 +1,6 @@
>> language: c
>> -dist: xenial
>> +dist: bionic
>> addons:
>> apt:
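Review bot: the move from xenial to bionic in this hunk is not mentioned in the commit message, which only describes the policy build; a sentence saying why the newer dist is required (for example, package availability for the checkpolicy and semodule-utils entries added in the next hunk) would help whoever next touches .travis.yml.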
>> @@ -8,6 +8,14 @@ addons:
>> - astyle
>> - libselinux1-dev
>> - libsctp-dev
>> + - checkpolicy
>> + - semodule-utils
>> +
>> +cache:
>> + directories:
>> + - selinux-policy
>> + - container-selinux
>> + - refpolicy
>> before_install:
>> # FYI: known good with HEAD at
>> 8551fc60fc515cd290ba38ee8c758c1f4df52b56
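Review bot: the three cache directories added here are full git checkouts that the setup scripts later edit with sed and build in-tree, so the Travis cache will carry build products and local modifications from one run into the next; either restrict the cache to what is expensive to recreate or state in a comment that the setup scripts are expected to cope with a dirty cached tree (their git pull fallbacks suggest they are, but that is not obvious from this hunk).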
>> @@ -17,7 +25,19 @@ before_install:
>> perl Makefile.PL &&
>> make &&
>> sudo make install)
>> + # install libbpf from sources
>> + - git clone https://github.com/libbpf/libbpf
>> + - (cd libbpf/src && make PREFIX=/usr/local)
>> + - (cd libbpf/src && sudo make install PREFIX=/usr/local)
>
> Not packaged on bionic or not recent enough?
>
>> + # install Fedora policy and refpolicy
>> + - bash travis-ci/setup-policy-fedora.sh
>> + - bash travis-ci/setup-policy-refpolicy.sh
>> + # establish a fake "selinuxfs" mount (policy/Makefile just greps
>> for selinuxfs)
>> + - sudo mkdir -p /tmp/fake-selinuxfs
>> + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
>> + - echo 31 >/tmp/fake-selinuxfs/policyvers
>
> Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?
Looks like the idiom we use in selinux-testsuite/policy/Makefile and
refpolicy/Rules.monolithic is checkpolicy -V | cut -f 1 -d ' '
>
>> script:
>> - tools/check-syntax -f && git diff --exit-code
>> - - make
>> + - bash travis-ci/enable-policy.sh targeted && make
>> POLDEV=/usr/share/selinux/targeted
>> + - bash travis-ci/enable-policy.sh refpolicy && make
>> POLDEV=/usr/share/selinux/refpolicy
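Review bot: the libbpf clone in before_install is not pinned to a tag or commit, unlike the dependency just above it that carries a "known good with HEAD at" note, so an upstream change can break this job without any change to the testsuite; pin it (git clone --branch <tag>, or a checkout of a known commit) and record the revision in the comment. Separately, the script section builds the test policy against targeted and then refpolicy with no make clean between the two make invocations, so the second build can pick up objects left by the first; add a clean step between them.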
>> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
>> new file mode 100644
>> index 0000000..ae53fbe
>> --- /dev/null
>> +++ b/travis-ci/enable-policy.sh
>> @@ -0,0 +1,10 @@
>> +#!/bin/bash
>> +
>> +set -e
>> +
>> +# create a dummy /etc/selinux/config
>> +sudo mkdir -p /etc/selinux
>> +sudo tee /etc/selinux/config >/dev/null <<EOF
>> +SELINUX=disabled
>> +SELINUXTYPE=$1
>> +EOF
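Review bot: $1 is written into the heredoc without any check, so running enable-policy.sh with no argument silently produces SELINUXTYPE= in /etc/selinux/config and the failure only surfaces later in the policy build; add a guard such as : "${1:?usage: $0 <policy type>}" after set -e (or use set -u). The script also overwrites any existing /etc/selinux/config unconditionally, which is acceptable for a throwaway CI image but deserves a word in the comment.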
>> diff --git a/travis-ci/setup-policy-fedora.sh
>> b/travis-ci/setup-policy-fedora.sh
>> new file mode 100644
>> index 0000000..192e234
>> --- /dev/null
>> +++ b/travis-ci/setup-policy-fedora.sh
>> @@ -0,0 +1,35 @@
>> +#!/bin/bash
>> +
>> +set -ex
>> +
>> +if ! [ -d selinux-policy/.git ]; then
>> + git clone --recursive
>> https://github.com/fedora-selinux/selinux-policy
>> + (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
>> +else
>> + (cd selinux-policy && git pull || { git checkout '*' && git pull; })
>> + (cd selinux-policy/policy/modules/contrib && git pull)
>> +fi
>> +
>> +if ! [ -d container-selinux/.git ]; then
>> + git clone https://github.com/containers/container-selinux.git
>> + for f in container.if container.te; do
>> + ln -s ../../../../container-selinux/$f \
>> + selinux-policy/policy/modules/contrib/$f
>> + done
>> +else
>> + (cd container-selinux && git pull)
>> +fi
>
> Seem brittle / tightly tied to fedora policy internals - is there some
> more general facility or perhaps they even provide a script for doing
> this that we could just reuse?
>
>> +
>> +cd selinux-policy
>> +
>> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/'
>> build.conf
>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
>
> Is this a limitation of the checkpolicy packaged in bionic? If so,
> should we just grab the upstream selinux userspace and build it ourselves?
>
>> +
>> +[ -f policy/modules.conf ] || make conf
>> +
>> +make -j`nproc --all`
>> +sudo make install install-headers
>> +
>> +# workaround for different Makefile location in Fedora RPMs
>> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
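Review bot: the container.if and container.te symlinks are created only in the branch that clones container-selinux, yet they live inside selinux-policy, which is cloned and cached independently in the block above; if the cache restores one checkout but not the other, the links are missing or dangling and the build fails in a confusing way. Creating them unconditionally with ln -sf after both checkouts are in place avoids that. For the same reason the final sudo ln -s /usr/share/selinux/targeted/Makefile aborts under set -e if the script is ever rerun on the same image; ln -sf is safer there as well.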
>> diff --git a/travis-ci/setup-policy-refpolicy.sh
>> b/travis-ci/setup-policy-refpolicy.sh
>> new file mode 100644
>> index 0000000..d89b041
>> --- /dev/null
>> +++ b/travis-ci/setup-policy-refpolicy.sh
>> @@ -0,0 +1,22 @@
>> +#!/bin/bash
>> +
>> +set -ex
>> +
>> +if ! [ -d refpolicy/.git ]; then
>> + git clone https://github.com/SELinuxProject/refpolicy
>> +else
>> + git pull || { git checkout '*' && git pull; }
>> +fi
>> +
>> +cd refpolicy
>> +
>> +[ -f policy/modules.conf ] || make conf
>> +
>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>> + sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
>> +
>> +make -j`nproc --all`
>> +sudo make install install-headers
>> +
>> +# workaround for different Makefile location in Fedora RPMs
>> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
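Review bot: the else branch runs git pull || { git checkout '*' && git pull; } in the testsuite's own working directory rather than in refpolicy, because unlike the Fedora script it is not wrapped in a (cd refpolicy && ...) subshell; on a cached run this would pull (or reset files in) the testsuite checkout and leave refpolicy stale. Wrap it the same way setup-policy-fedora.sh does. The trailing comment "workaround for different Makefile location in Fedora RPMs" is copied from the Fedora script and does not describe the refpolicy install; reword it to say what the link is for here.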
>>
>