* [PATCH testsuite v4 0/3] Fix refpolicy build & build test_policy.pp in Travis
From: Ondrej Mosnacek @ 2019-11-18 14:52 UTC (permalink / raw)
To: selinux
This series fixes the remaining test_policy.pp build errors under
refpolicy and enables building the test policy under both Fedora policy
and refpolicy in Travis CI.
Passed Travis run: https://travis-ci.org/WOnder93/selinux-testsuite/builds/613536331

Changes in v4:
 - more fine-grained dev_rw_infiniband_dev() fallback as suggested by
   Stephen Smalley

Changes in v3:
 - drop the first patch, replace with the following:
 - add patch to replace userdom_search_generic_user_home_dirs()
   directly with userdom_search_user_home_dirs()
 - add a fallback for userdom_search_admin_dir()

Changes in v2:
 - report policy version 999 in the fake selinuxfs to force building
   latest version
 - install userspace tools and libraries straight from source instead
   of working around missing features in the Ubuntu builds
 - install also latest keyutils from source to allow the new 'keys'
   subtest helpers to build

Ondrej Mosnacek (3):
  policy: drop the unneeded userdom_search_generic_user_home_dirs()
  policy: add fallbacks for Fedora-specific macros
  travis: test building the test policy package

.travis.yml | 48 ++++++++++++++++++++++++++---
policy/Makefile | 11 ++++---
policy/test_ipc.te | 2 +-
policy/test_policy.if | 22 +++++++++++--
policy/test_ptrace.te | 2 +-
travis-ci/enable-policy.sh | 10 ++++++
travis-ci/setup-policy-fedora.sh | 33 ++++++++++++++++++++
travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
8 files changed, 134 insertions(+), 13 deletions(-)
create mode 100644 travis-ci/enable-policy.sh
create mode 100644 travis-ci/setup-policy-fedora.sh
create mode 100644 travis-ci/setup-policy-refpolicy.sh
--
2.23.0
* [PATCH testsuite v4 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs()
From: Ondrej Mosnacek @ 2019-11-18 14:52 UTC (permalink / raw)
To: selinux
userdom_search_generic_user_home_dirs() is defined in neither Fedora
policy nor refpolicy. userdom_search_user_home_dirs() is already defined
in both, so just use that directly.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/test_ipc.te | 2 +-
policy/test_policy.if | 6 ------
policy/test_ptrace.te | 2 +-
3 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index baa7bda..324b690 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -83,4 +83,4 @@ sysadm_bin_spec_domtrans_to(ipcdomain)
allow test_ipc_base_t self:sem create_sem_perms;
allow test_ipc_base_t self:shm create_shm_perms;
# ipcrm needs this...
-userdom_search_generic_user_home_dirs(test_ipc_base_t)
+userdom_search_user_home_dirs(test_ipc_base_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 5f4000f..939cd7e 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,9 +60,3 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
allow $1 sysadm_t:process sigchld;
')
')
-
-ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
-interface(`userdom_search_generic_user_home_dirs', `
- userdom_search_user_home_dirs($1)
-')
-')
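Review bot: With the ifdef fallback at the end of test_policy.if removed, nothing in the test policy defines userdom_search_generic_user_home_dirs() any more, so any caller left in another .te file breaks the build under both policies. The diffstat converts only test_ipc.te and test_ptrace.te; a grep for the old name across policy/ before merging would confirm those were the only two users.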
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 0d10e85..b5f9995 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -34,7 +34,7 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
# Allow the tracer domain to trace the traced domain.
allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_generic_user_home_dirs(test_ptrace_traced_t)
+userdom_search_user_home_dirs(test_ptrace_traced_t)
# Let the tracer wait on the traced domain.
allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
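Review bot: The userdom_search_user_home_dirs(test_ptrace_traced_t) line in test_ptrace.te carries no comment saying why the traced domain needs to search user home directories, whereas the same call in test_ipc.te is at least annotated with "ipcrm needs this...". Since the line is being touched anyway, a one-line comment naming the reason would let a later reader judge whether the permission can be dropped.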
--
2.23.0
* [PATCH testsuite v4 2/3] policy: add fallbacks for Fedora-specific macros
From: Ondrej Mosnacek @ 2019-11-18 14:52 UTC (permalink / raw)
To: selinux
dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
refpolicy. Fall back to dev_rw_generic_{blk|chr}_files() and
mount_rw_runtime_files() if they are not defined.
Also, userdom_search_admin_dir() is not defined in refpolicy because it
doesn't have admin_home_t. Fall back to
userdom_search_user_home_content(), which should apply for root's home
directory under refpolicy.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/test_policy.if | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 939cd7e..e1175e8 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,3 +60,25 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
allow $1 sysadm_t:process sigchld;
')
')
+
+# Workarounds for refpolicy:
+
+ifdef(`dev_rw_infiniband_dev', `', ` dnl
+interface(`dev_rw_infiniband_dev', `
+ dev_rw_generic_blk_files($1)
+ dev_rw_generic_chr_files($1)
+')
+')
+
+ifdef(`mount_rw_pid_files', `', ` dnl
+interface(`mount_rw_pid_files', `
+ mount_rw_runtime_files($1)
+')
+')
+
+# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
+ifdef(`userdom_search_admin_dir', `', ` dnl
+interface(`userdom_search_admin_dir', `
+ userdom_search_user_home_content($1)
+')
+')
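Review bot: In the userdom_search_admin_dir fallback, the comment says /root is assumed to be user_home_dir_t, but the interface called is userdom_search_user_home_content(), whose name refers to home content rather than the home directory itself; patch 1/3 uses userdom_search_user_home_dirs() for the directory case. Either call that interface here or extend the comment to say why the _content variant is the right match. Separately, the dev_rw_infiniband_dev fallback gives the caller read/write on generic block and character device files, which is wider than the name of the macro it stands in for suggests; a comment stating that this is accepted for the test policy only would make the intent explicit.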
--
2.23.0
* [PATCH testsuite v4 3/3] travis: test building the test policy package
From: Ondrej Mosnacek @ 2019-11-18 14:52 UTC (permalink / raw)
To: selinux
Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
.travis.yml | 48 ++++++++++++++++++++++++++---
policy/Makefile | 11 ++++---
travis-ci/enable-policy.sh | 10 ++++++
travis-ci/setup-policy-fedora.sh | 33 ++++++++++++++++++++
travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
5 files changed, 113 insertions(+), 8 deletions(-)
create mode 100644 travis-ci/enable-policy.sh
create mode 100644 travis-ci/setup-policy-fedora.sh
create mode 100644 travis-ci/setup-policy-refpolicy.sh
diff --git a/.travis.yml b/.travis.yml
index fbbe98d..42b2490 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
language: c
-dist: xenial
+dist: bionic
addons:
apt:
@@ -8,16 +8,56 @@ addons:
- astyle
- libselinux1-dev
- libsctp-dev
+ - libaudit-dev
+ - libcap-dev
+ - libdbus-glib-1-dev
+ - xmlto
+
+cache:
+ directories:
+ - selinux-policy
+ - container-selinux
+ - refpolicy
before_install:
+ - export LIBRARY_PATH=/usr/local/lib
+ - export LD_LIBRARY_PATH=/usr/local/lib
# FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
- git clone https://github.com/perltidy/perltidy.git perltidy
- |
(cd perltidy &&
perl Makefile.PL &&
- make &&
- sudo make install)
+ make PREFIX=/usr/local &&
+ sudo make install PREFIX=/usr/local)
+ # install libbpf from sources
+ - git clone https://github.com/libbpf/libbpf
+ - (cd libbpf/src && make PREFIX=/usr/local)
+ - (cd libbpf/src && sudo make install PREFIX=/usr/local)
+ # install keyutils from sources
+ - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
+ - KEYUTILS_OPTS=""
+ - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
+ - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
+ - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
+ - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
+ - (cd keyutils && make $KEYUTILS_OPTS)
+ - (cd keyutils && sudo make install $KEYUTILS_OPTS)
+ # install SELinux userspace from source
+ - git clone https://github.com/SELinuxProject/selinux
+ - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
+ # install Fedora policy and refpolicy
+ - bash travis-ci/setup-policy-fedora.sh
+ - bash travis-ci/setup-policy-refpolicy.sh
+ # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
+ - sudo mkdir -p /tmp/fake-selinuxfs
+ - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+ - echo 999 >/tmp/fake-selinuxfs/policyvers
script:
- tools/check-syntax -f && git diff --exit-code
- - make
+ - |
+ bash travis-ci/enable-policy.sh targeted &&
+ make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
+ - |
+ bash travis-ci/enable-policy.sh refpolicy &&
+ make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
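Review bot: The new before_install steps clone libbpf, keyutils and SELinuxProject/selinux at whatever HEAD is current and then run "sudo make install" on them, so CI results are not reproducible and each run installs as root whatever those branches contain at that moment. The existing perltidy step at least records a known-good commit in a comment; consider checking out a pinned commit or tag after each clone and recording it the same way, and add --depth 1 where only the tip is needed. The same applies to the repositories cloned by the two travis-ci/setup-policy-*.sh scripts.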
diff --git a/policy/Makefile b/policy/Makefile
index ff65153..39ae84a 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -1,8 +1,11 @@
-POLDEV ?= /usr/share/selinux/devel
-SEMODULE = /usr/sbin/semodule
-CHECKPOLICY = /usr/bin/checkpolicy
-CHECKMODULE = /usr/bin/checkmodule
+PREFIX ?= /usr
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
+POLDEV ?= $(PREFIX)/share/selinux/devel
+SEMODULE = $(SBINDIR)/semodule
+CHECKPOLICY = $(BINDIR)/checkpolicy
+CHECKMODULE = $(BINDIR)/checkmodule
DISTRO=$(shell ../tests/os_detect)
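Review bot: POLDEV now defaults to $(PREFIX)/share/selinux/devel, so passing PREFIX=/usr/local to pick up locally built tools also moves the policy header lookup to /usr/local/share/selinux/devel unless POLDEV is given as well, as the .travis.yml script lines do. That coupling is easy to miss; either keep the POLDEV default at /usr/share/selinux/devel or add a comment next to these variables saying that PREFIX and POLDEV must be set together when the tools and the policy headers live under different prefixes.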
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
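Review bot: $1 is written into SELINUXTYPE= without any check, so calling the script with no argument produces a config with an empty policy type and still exits 0, because "set -e" does not catch an unset parameter. Use ${1:?usage: enable-policy.sh POLICY} or add "set -u". The script also overwrites /etc/selinux/config unconditionally with SELINUX=disabled; a guard that refuses to run when $TRAVIS is unset would keep someone from disabling SELinux on a development machine by running it by hand.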
diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..d2793f0
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+ git clone --recursive https://github.com/fedora-selinux/selinux-policy
+ (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+ (cd selinux-policy && git pull || { git checkout '*' && git pull; })
+ (cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+ git clone https://github.com/containers/container-selinux.git
+ for f in container.if container.te; do
+ ln -s ../../../../container-selinux/$f \
+ selinux-policy/policy/modules/contrib/$f
+ done
+else
+ (cd container-selinux && git pull)
+fi
+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
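Review bot: In the else branch, "cd selinux-policy && git pull || { git checkout '*' && git pull; }" parses as (cd && pull) || fallback, so if the cd ever fails the fallback runs "git checkout '*'" and "git pull" in the directory the script was started from, and "set -e" does not stop it because the failure is on the left of ||. The -d test above makes that unlikely, but grouping the pull with its fallback removes the case entirely: cd selinux-policy && { git pull || { git checkout '*' && git pull; }; }. Also, the container.if/container.te symlinks are created only when container-selinux is freshly cloned; if that cached directory survives while selinux-policy is re-cloned, the links are missing, so creating them unconditionally with "ln -sf" is safer.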
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..abd4ca4
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+ git clone https://github.com/SELinuxProject/refpolicy
+else
+ git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
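Review bot: The else branch runs "git pull" (and on failure "git checkout '*'") before the "cd refpolicy" further down, so with a cached refpolicy directory the script updates, and possibly resets, the repository it was started from rather than refpolicy. setup-policy-fedora.sh runs the equivalent step inside a subshell that first changes into the clone; do the same here, for example (cd refpolicy && { git pull || { git checkout '*' && git pull; }; }).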
--
2.23.0
* Re: [PATCH testsuite v4 3/3] travis: test building the test policy package
From: Stephen Smalley @ 2019-11-18 15:09 UTC (permalink / raw)
To: Ondrej Mosnacek, selinux
On 11/18/19 9:52 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
For all 3,
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> .travis.yml | 48 ++++++++++++++++++++++++++---
> policy/Makefile | 11 ++++---
> travis-ci/enable-policy.sh | 10 ++++++
> travis-ci/setup-policy-fedora.sh | 33 ++++++++++++++++++++
> travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
> 5 files changed, 113 insertions(+), 8 deletions(-)
> create mode 100644 travis-ci/enable-policy.sh
> create mode 100644 travis-ci/setup-policy-fedora.sh
> create mode 100644 travis-ci/setup-policy-refpolicy.sh
>
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..42b2490 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
> language: c
>
> -dist: xenial
> +dist: bionic
>
> addons:
> apt:
> @@ -8,16 +8,56 @@ addons:
> - astyle
> - libselinux1-dev
> - libsctp-dev
> + - libaudit-dev
> + - libcap-dev
> + - libdbus-glib-1-dev
> + - xmlto
> +
> +cache:
> + directories:
> + - selinux-policy
> + - container-selinux
> + - refpolicy
>
> before_install:
> + - export LIBRARY_PATH=/usr/local/lib
> + - export LD_LIBRARY_PATH=/usr/local/lib
> # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
> - git clone https://github.com/perltidy/perltidy.git perltidy
> - |
> (cd perltidy &&
> perl Makefile.PL &&
> - make &&
> - sudo make install)
> + make PREFIX=/usr/local &&
> + sudo make install PREFIX=/usr/local)
> + # install libbpf from sources
> + - git clone https://github.com/libbpf/libbpf
> + - (cd libbpf/src && make PREFIX=/usr/local)
> + - (cd libbpf/src && sudo make install PREFIX=/usr/local)
> + # install keyutils from sources
> + - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
> + - KEYUTILS_OPTS=""
> + - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
> + - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
> + - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
> + - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
> + - (cd keyutils && make $KEYUTILS_OPTS)
> + - (cd keyutils && sudo make install $KEYUTILS_OPTS)
> + # install SELinux userspace from source
> + - git clone https://github.com/SELinuxProject/selinux
> + - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
> + # install Fedora policy and refpolicy
> + - bash travis-ci/setup-policy-fedora.sh
> + - bash travis-ci/setup-policy-refpolicy.sh
> + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> + - sudo mkdir -p /tmp/fake-selinuxfs
> + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> + - echo 999 >/tmp/fake-selinuxfs/policyvers
>
> script:
> - tools/check-syntax -f && git diff --exit-code
> - - make
> + - |
> + bash travis-ci/enable-policy.sh targeted &&
> + make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> + - |
> + bash travis-ci/enable-policy.sh refpolicy &&
> + make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index ff65153..39ae84a 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -1,8 +1,11 @@
>
> -POLDEV ?= /usr/share/selinux/devel
> -SEMODULE = /usr/sbin/semodule
> -CHECKPOLICY = /usr/bin/checkpolicy
> -CHECKMODULE = /usr/bin/checkmodule
> +PREFIX ?= /usr
> +BINDIR ?= $(PREFIX)/bin
> +SBINDIR ?= $(PREFIX)/sbin
> +POLDEV ?= $(PREFIX)/share/selinux/devel
> +SEMODULE = $(SBINDIR)/semodule
> +CHECKPOLICY = $(BINDIR)/checkpolicy
> +CHECKMODULE = $(BINDIR)/checkmodule
>
> DISTRO=$(shell ../tests/os_detect)
>
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..d2793f0
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,33 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> + git clone --recursive https://github.com/fedora-selinux/selinux-policy
> + (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> + (cd selinux-policy && git pull || { git checkout '*' && git pull; })
> + (cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> + git clone https://github.com/containers/container-selinux.git
> + for f in container.if container.te; do
> + ln -s ../../../../container-selinux/$f \
> + selinux-policy/policy/modules/contrib/$f
> + done
> +else
> + (cd container-selinux && git pull)
> +fi
> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..abd4ca4
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,19 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> + git clone https://github.com/SELinuxProject/refpolicy
> +else
> + git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
>
* Re: [PATCH testsuite v4 3/3] travis: test building the test policy package
From: Stephen Smalley @ 2019-11-21 17:02 UTC (permalink / raw)
To: Ondrej Mosnacek, selinux
On 11/18/19 9:52 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Thanks, all 3 patches applied.
> ---
> .travis.yml | 48 ++++++++++++++++++++++++++---
> policy/Makefile | 11 ++++---
> travis-ci/enable-policy.sh | 10 ++++++
> travis-ci/setup-policy-fedora.sh | 33 ++++++++++++++++++++
> travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
> 5 files changed, 113 insertions(+), 8 deletions(-)
> create mode 100644 travis-ci/enable-policy.sh
> create mode 100644 travis-ci/setup-policy-fedora.sh
> create mode 100644 travis-ci/setup-policy-refpolicy.sh
>
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..42b2490 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
> language: c
>
> -dist: xenial
> +dist: bionic
>
> addons:
> apt:
> @@ -8,16 +8,56 @@ addons:
> - astyle
> - libselinux1-dev
> - libsctp-dev
> + - libaudit-dev
> + - libcap-dev
> + - libdbus-glib-1-dev
> + - xmlto
> +
> +cache:
> + directories:
> + - selinux-policy
> + - container-selinux
> + - refpolicy
>
> before_install:
> + - export LIBRARY_PATH=/usr/local/lib
> + - export LD_LIBRARY_PATH=/usr/local/lib
> # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
> - git clone https://github.com/perltidy/perltidy.git perltidy
> - |
> (cd perltidy &&
> perl Makefile.PL &&
> - make &&
> - sudo make install)
> + make PREFIX=/usr/local &&
> + sudo make install PREFIX=/usr/local)
> + # install libbpf from sources
> + - git clone https://github.com/libbpf/libbpf
> + - (cd libbpf/src && make PREFIX=/usr/local)
> + - (cd libbpf/src && sudo make install PREFIX=/usr/local)
> + # install keyutils from sources
> + - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
> + - KEYUTILS_OPTS=""
> + - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
> + - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
> + - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
> + - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
> + - (cd keyutils && make $KEYUTILS_OPTS)
> + - (cd keyutils && sudo make install $KEYUTILS_OPTS)
> + # install SELinux userspace from source
> + - git clone https://github.com/SELinuxProject/selinux
> + - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
> + # install Fedora policy and refpolicy
> + - bash travis-ci/setup-policy-fedora.sh
> + - bash travis-ci/setup-policy-refpolicy.sh
> + # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> + - sudo mkdir -p /tmp/fake-selinuxfs
> + - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> + - echo 999 >/tmp/fake-selinuxfs/policyvers
>
> script:
> - tools/check-syntax -f && git diff --exit-code
> - - make
> + - |
> + bash travis-ci/enable-policy.sh targeted &&
> + make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> + - |
> + bash travis-ci/enable-policy.sh refpolicy &&
> + make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index ff65153..39ae84a 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -1,8 +1,11 @@
>
> -POLDEV ?= /usr/share/selinux/devel
> -SEMODULE = /usr/sbin/semodule
> -CHECKPOLICY = /usr/bin/checkpolicy
> -CHECKMODULE = /usr/bin/checkmodule
> +PREFIX ?= /usr
> +BINDIR ?= $(PREFIX)/bin
> +SBINDIR ?= $(PREFIX)/sbin
> +POLDEV ?= $(PREFIX)/share/selinux/devel
> +SEMODULE = $(SBINDIR)/semodule
> +CHECKPOLICY = $(BINDIR)/checkpolicy
> +CHECKMODULE = $(BINDIR)/checkmodule
>
> DISTRO=$(shell ../tests/os_detect)
>
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..d2793f0
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,33 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> + git clone --recursive https://github.com/fedora-selinux/selinux-policy
> + (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> + (cd selinux-policy && git pull || { git checkout '*' && git pull; })
> + (cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> + git clone https://github.com/containers/container-selinux.git
> + for f in container.if container.te; do
> + ln -s ../../../../container-selinux/$f \
> + selinux-policy/policy/modules/contrib/$f
> + done
> +else
> + (cd container-selinux && git pull)
> +fi
> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..abd4ca4
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,19 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> + git clone https://github.com/SELinuxProject/refpolicy
> +else
> + git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
>