* [PATCH testsuite v3 0/3] Fix refpolicy build & build test_policy.pp in Travis
@ 2019-11-18 12:30 Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs() Ondrej Mosnacek
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-11-18 12:30 UTC (permalink / raw)
  To: selinux

This series fixes the remaining test_policy.pp build errors under
refpolicy and enables building the test policy under both Fedora policy
and refpolicy in Travis CI.

Passed Travis run: https://travis-ci.org/WOnder93/selinux-testsuite/builds/613471070

Changes in v3:
 - drop the first patch, replace with the following:
 - add patch to replace userdom_search_generic_user_home_dirs()
   directly with userdom_search_user_home_dirs()
 - add a fallback for userdom_search_admin_dir()

Changes in v2:
 - report policy version 999 in the fake selinuxfs to force building
   latest version
 - install userspace tools and libraries straight from source instead
   of working around missing features in the Ubuntu builds
 - install also latest keyutils from source to allow the new 'keys'
   subtest helpers to build

Ondrej Mosnacek (3):
  policy: drop the unneeded userdom_search_generic_user_home_dirs()
  policy: add fallbacks for Fedora-specific macros
  travis: test building the test policy package

 .travis.yml                         | 48 ++++++++++++++++++++++++++---
 policy/Makefile                     | 11 ++++---
 policy/test_ipc.te                  |  2 +-
 policy/test_policy.if               | 21 +++++++++++--
 policy/test_ptrace.te               |  2 +-
 travis-ci/enable-policy.sh          | 10 ++++++
 travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
 8 files changed, 133 insertions(+), 13 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

-- 
2.23.0



* [PATCH testsuite v3 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs()
  2019-11-18 12:30 [PATCH testsuite v3 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
@ 2019-11-18 12:30 ` Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 3/3] travis: test building the test policy package Ondrej Mosnacek
  2 siblings, 0 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-11-18 12:30 UTC (permalink / raw)
  To: selinux

userdom_search_generic_user_home_dirs() is defined in neither Fedora
policy nor refpolicy. userdom_search_user_home_dirs() is already defined
in both, so just use that directly.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_ipc.te    | 2 +-
 policy/test_policy.if | 6 ------
 policy/test_ptrace.te | 2 +-
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index baa7bda..324b690 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -83,4 +83,4 @@ sysadm_bin_spec_domtrans_to(ipcdomain)
 allow test_ipc_base_t self:sem create_sem_perms;
 allow test_ipc_base_t self:shm create_shm_perms;
 # ipcrm needs this... 
-userdom_search_generic_user_home_dirs(test_ipc_base_t)
+userdom_search_user_home_dirs(test_ipc_base_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 5f4000f..939cd7e 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,9 +60,3 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
         allow $1 sysadm_t:process sigchld;
 ')
 ')
-
-ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
-interface(`userdom_search_generic_user_home_dirs', `
-    userdom_search_user_home_dirs($1)
-')
-')
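
Review bot: With the ifdef fallback for userdom_search_generic_user_home_dirs removed here, any caller left in the policy sources will now fail the build with an undefined interface, and this patch only converts the calls in test_ipc.te and test_ptrace.te. Worth confirming with a grep over policy/ that no other caller remains before the shim goes away.
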
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 0d10e85..b5f9995 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -34,7 +34,7 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
 
 # Allow the tracer domain to trace the traced domain.
 allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_generic_user_home_dirs(test_ptrace_traced_t)
+userdom_search_user_home_dirs(test_ptrace_traced_t)
 
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
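
Review bot: The replaced call on test_ptrace_traced_t still sits directly under the comment about allowing the tracer to trace the traced domain, which does not explain why the traced domain needs to search user home directories. A one-line comment above userdom_search_user_home_dirs(test_ptrace_traced_t), like the "ipcrm needs this" note in test_ipc.te, would document why the rule exists.
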
-- 
2.23.0



* [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros
  2019-11-18 12:30 [PATCH testsuite v3 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs() Ondrej Mosnacek
@ 2019-11-18 12:30 ` Ondrej Mosnacek
  2019-11-18 14:05   ` Stephen Smalley
  2019-11-18 12:30 ` [PATCH testsuite v3 3/3] travis: test building the test policy package Ondrej Mosnacek
  2 siblings, 1 reply; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-11-18 12:30 UTC (permalink / raw)
  To: selinux

dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
refpolicy. Fall back to dev_rw_generic_files() and
mount_rw_runtime_files() if they are not defined.

Also, userdom_search_admin_dir() is not defined in refpolicy because it
doesn't have admin_home_t. Fall back to
userdom_search_user_home_content(), which should apply for root's home
directory under refpolicy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_policy.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/test_policy.if b/policy/test_policy.if
index 939cd7e..38214a9 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -60,3 +60,24 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
         allow $1 sysadm_t:process sigchld;
 ')
 ')
+
+# Workarounds for refpolicy:
+
+ifdef(`dev_rw_infiniband_dev', `', ` dnl
+interface(`dev_rw_infiniband_dev', `
+    dev_rw_generic_files($1)
+')
+')
+
+ifdef(`mount_rw_pid_files', `', ` dnl
+interface(`mount_rw_pid_files', `
+    mount_rw_runtime_files($1)
+')
+')
+
+# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
+ifdef(`userdom_search_admin_dir', `', ` dnl
+interface(`userdom_search_admin_dir', `
+    userdom_search_user_home_content($1)
+')
+')
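
Review bot: The dev_rw_infiniband_dev fallback maps to dev_rw_generic_files($1), which by its name is not specific to InfiniBand devices, so under refpolicy the test domains calling it get a wider device rule than under Fedora policy, and the "Workarounds for refpolicy" comment does not say so. Stephen Smalley's reply in this thread asks about changes he had suggested to this same interface; either adopt a narrower rule there or add a comment stating that the broader access is intentional for the fallback.
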
-- 
2.23.0



* [PATCH testsuite v3 3/3] travis: test building the test policy package
  2019-11-18 12:30 [PATCH testsuite v3 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 1/3] policy: drop the unneeded userdom_search_generic_user_home_dirs() Ondrej Mosnacek
  2019-11-18 12:30 ` [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
@ 2019-11-18 12:30 ` Ondrej Mosnacek
  2 siblings, 0 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-11-18 12:30 UTC (permalink / raw)
  To: selinux

Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml                         | 48 ++++++++++++++++++++++++++---
 policy/Makefile                     | 11 ++++---
 travis-ci/enable-policy.sh          | 10 ++++++
 travis-ci/setup-policy-fedora.sh    | 33 ++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 19 ++++++++++++
 5 files changed, 113 insertions(+), 8 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

diff --git a/.travis.yml b/.travis.yml
index fbbe98d..42b2490 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
 language: c
 
-dist: xenial
+dist: bionic
 
 addons:
   apt:
@@ -8,16 +8,56 @@ addons:
       - astyle
       - libselinux1-dev
       - libsctp-dev
+      - libaudit-dev
+      - libcap-dev
+      - libdbus-glib-1-dev
+      - xmlto
+
+cache:
+  directories:
+    - selinux-policy
+    - container-selinux
+    - refpolicy
 
 before_install:
+  - export LIBRARY_PATH=/usr/local/lib
+  - export LD_LIBRARY_PATH=/usr/local/lib
   # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
   - git clone https://github.com/perltidy/perltidy.git perltidy
   - |
     (cd perltidy &&
      perl Makefile.PL &&
-     make &&
-     sudo make install)
+     make PREFIX=/usr/local &&
+     sudo make install PREFIX=/usr/local)
+  # install libbpf from sources
+  - git clone https://github.com/libbpf/libbpf
+  - (cd libbpf/src && make PREFIX=/usr/local)
+  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
+  # install keyutils from sources
+  - git clone https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
+  - KEYUTILS_OPTS=""
+  - KEYUTILS_OPTS+="BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin "
+  - KEYUTILS_OPTS+="LIBDIR=/usr/local/lib USRLIBDIR=/usr/local/lib "
+  - KEYUTILS_OPTS+="INCLUDEDIR=/usr/local/include "
+  - KEYUTILS_OPTS+="SHAREDIR=/usr/local/share/keyutils MANDIR=/usr/local/share/man"
+  - (cd keyutils && make $KEYUTILS_OPTS)
+  - (cd keyutils && sudo make install $KEYUTILS_OPTS)
+  # install SELinux userspace from source
+  - git clone https://github.com/SELinuxProject/selinux
+  - (cd selinux && sudo make install PREFIX=/usr/local SHLIBDIR=/usr/local/lib)
+  # install Fedora policy and refpolicy
+  - bash travis-ci/setup-policy-fedora.sh
+  - bash travis-ci/setup-policy-refpolicy.sh
+  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
+  - sudo mkdir -p /tmp/fake-selinuxfs
+  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+  - echo 999 >/tmp/fake-selinuxfs/policyvers
 
 script:
   - tools/check-syntax -f && git diff --exit-code
-  - make
+  - |
+    bash travis-ci/enable-policy.sh targeted &&
+    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
+  - |
+    bash travis-ci/enable-policy.sh refpolicy &&
+    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
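
Review bot: The new before_install steps clone libbpf, keyutils and the SELinux userspace at whatever HEAD is current and then run sudo make install, and unlike the perltidy step above them they carry no "known good with HEAD at" marker. Pinning each clone to a tag or commit, or at least recording the last known-good commit in a comment, would keep the CI result reproducible and make an upstream breakage distinguishable from a testsuite regression.
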
diff --git a/policy/Makefile b/policy/Makefile
index ff65153..39ae84a 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -1,8 +1,11 @@
 
-POLDEV ?= /usr/share/selinux/devel
-SEMODULE = /usr/sbin/semodule
-CHECKPOLICY = /usr/bin/checkpolicy
-CHECKMODULE = /usr/bin/checkmodule
+PREFIX ?= /usr
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
+POLDEV ?= $(PREFIX)/share/selinux/devel
+SEMODULE = $(SBINDIR)/semodule
+CHECKPOLICY = $(BINDIR)/checkpolicy
+CHECKMODULE = $(BINDIR)/checkmodule
 
 DISTRO=$(shell ../tests/os_detect)
 
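
Review bot: POLDEV now defaults to $(PREFIX)/share/selinux/devel, so passing PREFIX to relocate the tools also moves the default policy headers path. The .travis.yml change in this patch already passes a POLDEV under /usr/share together with PREFIX=/usr/local, which shows the two do not necessarily share a prefix. Consider keeping POLDEV ?= /usr/share/selinux/devel independent of PREFIX, or documenting that the two must be set together.
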
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
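
Review bot: SELINUXTYPE=$1 is written without checking that an argument was given; set -e does not catch an unset $1, so calling the script with no argument silently writes an empty SELINUXTYPE into /etc/selinux/config. Use ${1:?usage: enable-policy.sh <policy name>} or add set -u, and since the script overwrites the system SELinux config via sudo, a comment that it is meant for the CI VM only would help.
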
diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..d2793f0
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+	git clone --recursive https://github.com/fedora-selinux/selinux-policy
+	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
+	(cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+	git clone https://github.com/containers/container-selinux.git
+	for f in container.if container.te; do
+		ln -s ../../../../container-selinux/$f \
+			selinux-policy/policy/modules/contrib/$f
+	done
+else
+	(cd container-selinux && git pull)
+fi
+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
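
Review bot: The container.if/container.te symlinks are created with plain ln -s only when container-selinux has to be cloned, but they are placed inside selinux-policy, which is cached as a separate directory; if the selinux-policy cache survives and the container-selinux one does not, ln -s hits the existing links and set -e aborts the script. Using ln -sf there, and for the final /usr/share/selinux/targeted/Makefile link, makes the script safe to re-run.
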
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..abd4ca4
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+	git clone https://github.com/SELinuxProject/refpolicy
+else
+	git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
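
Review bot: In the else branch, git pull || { git checkout '*' && git pull; } runs before cd refpolicy, so when the cached refpolicy/ directory exists the pull is applied to the testsuite checkout in the current directory rather than to refpolicy. Wrap it as (cd refpolicy && git pull || { git checkout '*' && git pull; }), matching setup-policy-fedora.sh. The final comment also still says "Fedora RPMs" although this script installs refpolicy.
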
-- 
2.23.0



* Re: [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros
  2019-11-18 12:30 ` [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
@ 2019-11-18 14:05   ` Stephen Smalley
  2019-11-18 14:29     ` Ondrej Mosnacek
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2019-11-18 14:05 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 11/18/19 7:30 AM, Ondrej Mosnacek wrote:
> dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
> refpolicy. Fall back to dev_rw_generic_files() and
> mount_rw_runtime_files() if they are not defined.
> 
> Also, userdom_search_admin_dir() is not defined in refpolicy because it
> doesn't have admin_home_t. Fall back to
> userdom_search_user_home_content(), which should apply for root's home
> directory under refpolicy.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Is there a reason you didn't make the changes I suggested to 
dev_rw_infiniband_dev()?

> ---
>   policy/test_policy.if | 21 +++++++++++++++++++++
>   1 file changed, 21 insertions(+)
> 
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index 939cd7e..38214a9 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -60,3 +60,24 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
>           allow $1 sysadm_t:process sigchld;
>   ')
>   ')
> +
> +# Workarounds for refpolicy:
> +
> +ifdef(`dev_rw_infiniband_dev', `', ` dnl
> +interface(`dev_rw_infiniband_dev', `
> +    dev_rw_generic_files($1)
> +')
> +')
> +
> +ifdef(`mount_rw_pid_files', `', ` dnl
> +interface(`mount_rw_pid_files', `
> +    mount_rw_runtime_files($1)
> +')
> +')
> +
> +# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
> +ifdef(`userdom_search_admin_dir', `', ` dnl
> +interface(`userdom_search_admin_dir', `
> +    userdom_search_user_home_content($1)
> +')
> +')
> 
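
Review bot: In the last fallback the comment says /root is assumed to be user_home_dir_t, but the body calls userdom_search_user_home_content($1), while patch 1/3 uses userdom_search_user_home_dirs() for searching home directories. Please confirm that the chosen interface grants search on the directory type named in the comment, or reword the comment to match the interface.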



* Re: [PATCH testsuite v3 2/3] policy: add fallbacks for Fedora-specific macros
  2019-11-18 14:05   ` Stephen Smalley
@ 2019-11-18 14:29     ` Ondrej Mosnacek
  0 siblings, 0 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-11-18 14:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Nov 18, 2019 at 3:06 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 11/18/19 7:30 AM, Ondrej Mosnacek wrote:
> > dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
> > refpolicy. Fall back to dev_rw_generic_files() and
> > mount_rw_runtime_files() if they are not defined.
> >
> > Also, userdom_search_admin_dir() is not defined in refpolicy because it
> > doesn't have admin_home_t. Fall back to
> > userdom_search_user_home_content(), which should apply for root's home
> > directory under refpolicy.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Is there a reason you didn't make the changes I suggested to
> dev_rw_infiniband_dev()?

No, sorry, I forgot to address that part... again :|

>
> > ---
> >   policy/test_policy.if | 21 +++++++++++++++++++++
> >   1 file changed, 21 insertions(+)
> >
> > diff --git a/policy/test_policy.if b/policy/test_policy.if
> > index 939cd7e..38214a9 100644
> > --- a/policy/test_policy.if
> > +++ b/policy/test_policy.if
> > @@ -60,3 +60,24 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
> >           allow $1 sysadm_t:process sigchld;
> >   ')
> >   ')
> > +
> > +# Workarounds for refpolicy:
> > +
> > +ifdef(`dev_rw_infiniband_dev', `', ` dnl
> > +interface(`dev_rw_infiniband_dev', `
> > +    dev_rw_generic_files($1)
> > +')
> > +')
> > +
> > +ifdef(`mount_rw_pid_files', `', ` dnl
> > +interface(`mount_rw_pid_files', `
> > +    mount_rw_runtime_files($1)
> > +')
> > +')
> > +
> > +# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
> > +ifdef(`userdom_search_admin_dir', `', ` dnl
> > +interface(`userdom_search_admin_dir', `
> > +    userdom_search_user_home_content($1)
> > +')
> > +')
> >
>
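
Review bot: Each fallback body calls its replacement unconditionally, for example mount_rw_runtime_files($1) inside the mount_rw_pid_files fallback, so a policy that defines neither name fails the build with an undefined interface instead of a clear message. A short comment on which policy is expected to provide dev_rw_generic_files(), mount_rw_runtime_files() and userdom_search_user_home_content() would make that failure easier to diagnose.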

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.


