[PATCH testsuite v4 0/3] Fix refpolicy build & build test_policy.pp in Travis

[PATCH testsuite v4 0/3] Fix refpolicy build & build test_policy.pp in Travis

[Ondrej Mosnacek]

This series fixes the remaining test_policy.pp build errors under
refpolicy and enables building the test policy under both Fedora policy
and refpolicy in Travis CI.

Passed Travis run: https://travis-ci.org/WOnder93/selinux-testsuite/builds/613536331

Changes in v4:
 - more fine-grained dev_rw_infiniband_dev() fallback as suggested by
   Stephen Smalley

Changes in v3:
 - drop the first patch, replace with the following:
 - add patch to replace userdom_search_generic_user_home_dirs()
   directly with userdom_search_user_home_dirs()
 - add a fallback for userdom_search_admin_dir()

Changes in v2:
 - report policy version 999 in the fake selinuxfs to force building
   latest version
 - install userspace tools and libraries straight from source instead
   of working around missing features in the Ubuntu builds
 - install also latest keyutils from source to allow the new 'keys'
   subtest helpers to build

Ondrej Mosnacek (3):
  policy: drop the unneeded userdom_search_generic_user_home_dirs()
  policy: add fallbacks for Fedora-specific macros
  travis: test building the test policy package

 .travis.yml                         | 48 ++++++++++++++++++++++++++---
 policy/Makefile                     | 11 ++++---
 policy/test_ipc.te                  |  2 +-
 policy/test_policy.if               | 22 +++++++++++--
 policy/test_ptrace.te               |  2 +-
 travis-ci/enable-policy.sh          | 10 ++++++
 travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
 8 files changed, 134 insertions(+), 13 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

-- 
2.23.0

[PATCH testsuite v4 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs()

[Ondrej Mosnacek]

userdom_search_generic_user_home_dirs() is not defined in neither Fedora
policy nor refpolicy. userdom_search_user_home_dirs() is already defined
in both, so just use that directly.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_ipc.te    | 2 +-
 policy/test_policy.if | 6 ------
 policy/test_ptrace.te | 2 +-
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index baa7bda..324b690 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -83,4 +83,4 @@ sysadm_bin_spec_domtrans_to(ipcdomain)
 allow test_ipc_base_t self:sem create_sem_perms;
 allow test_ipc_base_t self:shm create_shm_perms;
 # ipcrm needs this... 
-userdom_search_generic_user_home_dirs(test_ipc_base_t)
+userdom_search_user_home_dirs(test_ipc_base_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 5f4000f..939cd7e 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,9 +60,3 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
         allow $1 sysadm_t:process sigchld;
 ')
 ')
-
-ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
-interface(`userdom_search_generic_user_home_dirs', `
-    userdom_search_user_home_dirs($1)
-')
-')
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 0d10e85..b5f9995 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -34,7 +34,7 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
 
 # Allow the tracer domain to trace the traced domain.
 allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_generic_user_home_dirs(test_ptrace_traced_t)
+userdom_search_user_home_dirs(test_ptrace_traced_t)
 
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
-- 
2.23.0

[PATCH testsuite v4 2/3] policy: add fallbacks for Fedora-specific macros

[Ondrej Mosnacek]

dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
refpolicy. Fall back to dev_rw_generic_{blk|chr}_files() and
mount_rw_runtime_files() if they are not defined.

Also, userdom_search_admin_dir() is not defined in refpolicy because it
doesn't have admin_home_t. Fall back to
userdom_search_user_home_content(), which should apply for root's home
directory under refpolicy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_policy.if | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/test_policy.if b/policy/test_policy.if
index 939cd7e..e1175e8 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,3 +60,25 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
         allow $1 sysadm_t:process sigchld;
 ')
 ')
+
+# Workarounds for refpolicy:
+
+ifdef(`dev_rw_infiniband_dev', `', ` dnl
+interface(`dev_rw_infiniband_dev', `
+    dev_rw_generic_blk_files($1)
+    dev_rw_generic_chr_files($1)
+')
+')
+
+ifdef(`mount_rw_pid_files', `', ` dnl
+interface(`mount_rw_pid_files', `
+    mount_rw_runtime_files($1)
+')
+')
+
+# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
+ifdef(`userdom_search_admin_dir', `', ` dnl
+interface(`userdom_search_admin_dir', `
+    userdom_search_user_home_content($1)
+')
+')
-- 
2.23.0

[PATCH testsuite v4 3/3] travis: test building the test policy package

[Ondrej Mosnacek]

Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml                         | 48 ++++++++++++++++++++++++++---
 policy/Makefile                     | 11 ++++---
 travis-ci/enable-policy.sh          | 10 ++++++
 travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
 5 files changed, 113 insertions(+), 8 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

diff --git a/.travis.yml b/.travis.yml
index fbbe98d..42b2490 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
 language: c
 
-dist: xenial
+dist: bionic
 
 addons:
   apt:
@@ -8,16 +8,56 @@ addons:
       - astyle
       - libselinux1-dev
       - libsctp-dev
+      - libaudit-dev
+      - libcap-dev
+      - libdbus-glib-1-dev
+      - xmlto
+
+cache:
+  directories:
+    - selinux-policy
+    - container-selinux
+    - refpolicy
 
 before_install:
+  - export LIBRARY_PATH=/usr/local/lib
+  - export LD_LIBRARY_PATH=/usr/local/lib
   # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
   - git clone https://github.com/perltidy/perltidy.git perltidy
   - |
     (cd perltidy &&
      perl Makefile.PL &&
-     make &&
-     sudo make install)
+     make PREFIX=/usr/local &&
+     sudo make install PREFIX=/usr/local)
+  # install libbpf from sources
+  - git clone https://github.com/libbpf/libbpf
+  - (cd libbpf/src && make PREFIX=/usr/local)
+  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
+  # install keyutils from sources
+  - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
+  - KEYUTILS_OPTS=""
+  - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
+  - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
+  - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
+  - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
+  - (cd keyutils && make $KEYUTILS_OPTS)
+  - (cd keyutils && sudo make install $KEYUTILS_OPTS)
+  # install SELinux userspace from source
+  - git clone https://github.com/SELinuxProject/selinux
+  - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
+  # install Fedora policy and refpolicy
+  - bash travis-ci/setup-policy-fedora.sh
+  - bash travis-ci/setup-policy-refpolicy.sh
+  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
+  - sudo mkdir -p /tmp/fake-selinuxfs
+  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+  - echo 999 >/tmp/fake-selinuxfs/policyvers
 
 script:
   - tools/check-syntax -f && git diff --exit-code
-  - make
+  - |
+    bash travis-ci/enable-policy.sh targeted &&
+    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
+  - |
+    bash travis-ci/enable-policy.sh refpolicy &&
+    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
diff --git a/policy/Makefile b/policy/Makefile
index ff65153..39ae84a 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -1,8 +1,11 @@
 
-POLDEV ?= /usr/share/selinux/devel
-SEMODULE = /usr/sbin/semodule
-CHECKPOLICY = /usr/bin/checkpolicy
-CHECKMODULE = /usr/bin/checkmodule
+PREFIX ?= /usr
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
+POLDEV ?= $(PREFIX)/share/selinux/devel
+SEMODULE = $(SBINDIR)/semodule
+CHECKPOLICY = $(BINDIR)/checkpolicy
+CHECKMODULE = $(BINDIR)/checkmodule
 
 DISTRO=$(shell ../tests/os_detect)
 
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..d2793f0
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+	git clone --recursive https://github.com/fedora-selinux/selinux-policy
+	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
+	(cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+	git clone https://github.com/containers/container-selinux.git
+	for f in container.if container.te; do
+		ln -s ../../../../container-selinux/$f \
+			selinux-policy/policy/modules/contrib/$f
+	done
+else
+	(cd container-selinux && git pull)
+fi
+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..abd4ca4
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+	git clone https://github.com/SELinuxProject/refpolicy
+else
+	git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
-- 
2.23.0

Re: [PATCH testsuite v4 3/3] travis: test building the test policy package

[Stephen Smalley]

On 11/18/19 9:52 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

For all 3,
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   .travis.yml                         | 48 ++++++++++++++++++++++++++---
>   policy/Makefile                     | 11 ++++---
>   travis-ci/enable-policy.sh          | 10 ++++++
>   travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
>   travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
>   5 files changed, 113 insertions(+), 8 deletions(-)
>   create mode 100644 travis-ci/enable-policy.sh
>   create mode 100644 travis-ci/setup-policy-fedora.sh
>   create mode 100644 travis-ci/setup-policy-refpolicy.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..42b2490 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
>   language: c
>   
> -dist: xenial
> +dist: bionic
>   
>   addons:
>     apt:
> @@ -8,16 +8,56 @@ addons:
>         - astyle
>         - libselinux1-dev
>         - libsctp-dev
> +      - libaudit-dev
> +      - libcap-dev
> +      - libdbus-glib-1-dev
> +      - xmlto
> +
> +cache:
> +  directories:
> +    - selinux-policy
> +    - container-selinux
> +    - refpolicy
>   
>   before_install:
> +  - export LIBRARY_PATH=/usr/local/lib
> +  - export LD_LIBRARY_PATH=/usr/local/lib
>     # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
>     - git clone https://github.com/perltidy/perltidy.git perltidy
>     - |
>       (cd perltidy &&
>        perl Makefile.PL &&
> -     make &&
> -     sudo make install)
> +     make PREFIX=/usr/local &&
> +     sudo make install PREFIX=/usr/local)
> +  # install libbpf from sources
> +  - git clone https://github.com/libbpf/libbpf
> +  - (cd libbpf/src && make PREFIX=/usr/local)
> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
> +  # install keyutils from sources
> +  - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
> +  - KEYUTILS_OPTS=""
> +  - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
> +  - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
> +  - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
> +  - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
> +  - (cd keyutils && make $KEYUTILS_OPTS)
> +  - (cd keyutils && sudo make install $KEYUTILS_OPTS)
> +  # install SELinux userspace from source
> +  - git clone https://github.com/SELinuxProject/selinux
> +  - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
> +  # install Fedora policy and refpolicy
> +  - bash travis-ci/setup-policy-fedora.sh
> +  - bash travis-ci/setup-policy-refpolicy.sh
> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> +  - sudo mkdir -p /tmp/fake-selinuxfs
> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - echo 999 >/tmp/fake-selinuxfs/policyvers
>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
> -  - make
> +  - |
> +    bash travis-ci/enable-policy.sh targeted &&
> +    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> +  - |
> +    bash travis-ci/enable-policy.sh refpolicy &&
> +    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index ff65153..39ae84a 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -1,8 +1,11 @@
>   
> -POLDEV ?= /usr/share/selinux/devel
> -SEMODULE = /usr/sbin/semodule
> -CHECKPOLICY = /usr/bin/checkpolicy
> -CHECKMODULE = /usr/bin/checkmodule
> +PREFIX ?= /usr
> +BINDIR ?= $(PREFIX)/bin
> +SBINDIR ?= $(PREFIX)/sbin
> +POLDEV ?= $(PREFIX)/share/selinux/devel
> +SEMODULE = $(SBINDIR)/semodule
> +CHECKPOLICY = $(BINDIR)/checkpolicy
> +CHECKMODULE = $(BINDIR)/checkmodule
>   
>   DISTRO=$(shell ../tests/os_detect)
>   
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..d2793f0
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,33 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> +	git clone --recursive https://github.com/fedora-selinux/selinux-policy
> +	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> +	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
> +	(cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> +	git clone https://github.com/containers/container-selinux.git
> +	for f in container.if container.te; do
> +		ln -s ../../../../container-selinux/$f \
> +			selinux-policy/policy/modules/contrib/$f
> +	done
> +else
> +	(cd container-selinux && git pull)
> +fi
> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..abd4ca4
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,19 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> +	git clone https://github.com/SELinuxProject/refpolicy
> +else
> +	git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
> 

Re: [PATCH testsuite v4 3/3] travis: test building the test policy package

[Stephen Smalley]

On 11/18/19 9:52 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Thanks, all 3 patches applied.

> ---
>   .travis.yml                         | 48 ++++++++++++++++++++++++++---
>   policy/Makefile                     | 11 ++++---
>   travis-ci/enable-policy.sh          | 10 ++++++
>   travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
>   travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
>   5 files changed, 113 insertions(+), 8 deletions(-)
>   create mode 100644 travis-ci/enable-policy.sh
>   create mode 100644 travis-ci/setup-policy-fedora.sh
>   create mode 100644 travis-ci/setup-policy-refpolicy.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..42b2490 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
>   language: c
>   
> -dist: xenial
> +dist: bionic
>   
>   addons:
>     apt:
> @@ -8,16 +8,56 @@ addons:
>         - astyle
>         - libselinux1-dev
>         - libsctp-dev
> +      - libaudit-dev
> +      - libcap-dev
> +      - libdbus-glib-1-dev
> +      - xmlto
> +
> +cache:
> +  directories:
> +    - selinux-policy
> +    - container-selinux
> +    - refpolicy
>   
>   before_install:
> +  - export LIBRARY_PATH=/usr/local/lib
> +  - export LD_LIBRARY_PATH=/usr/local/lib
>     # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
>     - git clone https://github.com/perltidy/perltidy.git perltidy
>     - |
>       (cd perltidy &&
>        perl Makefile.PL &&
> -     make &&
> -     sudo make install)
> +     make PREFIX=/usr/local &&
> +     sudo make install PREFIX=/usr/local)
> +  # install libbpf from sources
> +  - git clone https://github.com/libbpf/libbpf
> +  - (cd libbpf/src && make PREFIX=/usr/local)
> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
> +  # install keyutils from sources
> +  - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
> +  - KEYUTILS_OPTS=""
> +  - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
> +  - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
> +  - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
> +  - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
> +  - (cd keyutils && make $KEYUTILS_OPTS)
> +  - (cd keyutils && sudo make install $KEYUTILS_OPTS)
> +  # install SELinux userspace from source
> +  - git clone https://github.com/SELinuxProject/selinux
> +  - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
> +  # install Fedora policy and refpolicy
> +  - bash travis-ci/setup-policy-fedora.sh
> +  - bash travis-ci/setup-policy-refpolicy.sh
> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> +  - sudo mkdir -p /tmp/fake-selinuxfs
> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - echo 999 >/tmp/fake-selinuxfs/policyvers
>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
> -  - make
> +  - |
> +    bash travis-ci/enable-policy.sh targeted &&
> +    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> +  - |
> +    bash travis-ci/enable-policy.sh refpolicy &&
> +    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index ff65153..39ae84a 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -1,8 +1,11 @@
>   
> -POLDEV ?= /usr/share/selinux/devel
> -SEMODULE = /usr/sbin/semodule
> -CHECKPOLICY = /usr/bin/checkpolicy
> -CHECKMODULE = /usr/bin/checkmodule
> +PREFIX ?= /usr
> +BINDIR ?= $(PREFIX)/bin
> +SBINDIR ?= $(PREFIX)/sbin
> +POLDEV ?= $(PREFIX)/share/selinux/devel
> +SEMODULE = $(SBINDIR)/semodule
> +CHECKPOLICY = $(BINDIR)/checkpolicy
> +CHECKMODULE = $(BINDIR)/checkmodule
>   
>   DISTRO=$(shell ../tests/os_detect)
>   
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..d2793f0
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,33 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> +	git clone --recursive https://github.com/fedora-selinux/selinux-policy
> +	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> +	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
> +	(cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> +	git clone https://github.com/containers/container-selinux.git
> +	for f in container.if container.te; do
> +		ln -s ../../../../container-selinux/$f \
> +			selinux-policy/policy/modules/contrib/$f
> +	done
> +else
> +	(cd container-selinux && git pull)
> +fi
> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..abd4ca4
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,19 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> +	git clone https://github.com/SELinuxProject/refpolicy
> +else
> +	git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
>