selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH testsuite 3/3] travis: test building the test policy package
Date: Mon, 30 Sep 2019 09:43:58 -0400	[thread overview]
Message-ID: <2dfde121-d786-6ba3-0820-953cfbba7033@tycho.nsa.gov> (raw)
In-Reply-To: <20190930104850.5482-4-omosnace@redhat.com>

On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.

I guess this is a necessary first step to actually getting the testsuite 
to run on travis, which would be the more important goal.  That 
obviously requires actually enabling SELinux on bionic, unless we could 
get travis-ci to offer fedora or centos images.

> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   .travis.yml                         | 24 ++++++++++++++++++--
>   travis-ci/enable-policy.sh          | 10 +++++++++
>   travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
>   travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
>   4 files changed, 89 insertions(+), 2 deletions(-)
>   create mode 100644 travis-ci/enable-policy.sh
>   create mode 100644 travis-ci/setup-policy-fedora.sh
>   create mode 100644 travis-ci/setup-policy-refpolicy.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..c8cd44e 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
>   language: c
>   
> -dist: xenial
> +dist: bionic
>   
>   addons:
>     apt:
> @@ -8,6 +8,14 @@ addons:
>         - astyle
>         - libselinux1-dev
>         - libsctp-dev
> +      - checkpolicy
> +      - semodule-utils
> +
> +cache:
> +  directories:
> +    - selinux-policy
> +    - container-selinux
> +    - refpolicy
>   
>   before_install:
>     # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
> @@ -17,7 +25,19 @@ before_install:
>        perl Makefile.PL &&
>        make &&
>        sudo make install)
> +  # install libbpf from sources
> +  - git clone https://github.com/libbpf/libbpf
> +  - (cd libbpf/src && make PREFIX=/usr/local)
> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)

Not packaged on bionic or not recent enough?

> +  # install Fedora policy and refpolicy
> +  - bash travis-ci/setup-policy-fedora.sh
> +  - bash travis-ci/setup-policy-refpolicy.sh
> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> +  - sudo mkdir -p /tmp/fake-selinuxfs
> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - echo 31 >/tmp/fake-selinuxfs/policyvers

Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?

>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
> -  - make
> +  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
> +  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
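Review bot: the libbpf lines clone an unpinned upstream HEAD and `sudo make install` it into `/usr/local` on every job, so a breaking change on libbpf master fails this testsuite's CI (or silently changes what it builds against); pin a release with `git clone -b <tag> --depth 1 https://github.com/libbpf/libbpf` or check out a known commit, matching the `# FYI: known good with HEAD at ...` convention used earlier in `before_install`. Separately, the fake selinuxfs is created and mounted with `sudo` but `echo 31 >/tmp/fake-selinuxfs/policyvers` runs unprivileged, which only works because a freshly mounted tmpfs root is world-writable by default; `echo 31 | sudo tee /tmp/fake-selinuxfs/policyvers >/dev/null` makes the intent explicit and does not depend on that default.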
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
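Review bot: `SELINUXTYPE=$1` is written without checking that an argument was given, so running `enable-policy.sh` with no argument silently produces `SELINUXTYPE=` and the failure surfaces later in the policy build instead of here; add `[ -n "$1" ] || { echo "usage: $0 <policy-type>" >&2; exit 1; }` after `set -e`. A one-line comment on why a `SELINUX=disabled` config is still needed at all (presumably so the policy Makefile can read `SELINUXTYPE`, not to change enforcement on the VM) would also help the next reader.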
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..192e234
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,35 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> +	git clone --recursive https://github.com/fedora-selinux/selinux-policy
> +	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> +	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
> +	(cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> +	git clone https://github.com/containers/container-selinux.git
> +	for f in container.if container.te; do
> +		ln -s ../../../../container-selinux/$f \
> +			selinux-policy/policy/modules/contrib/$f
> +	done
> +else
> +	(cd container-selinux && git pull)
> +fi

Seem brittle / tightly tied to fedora policy internals - is there some 
more general facility or perhaps they even provide a script for doing 
this that we could just reuse?

> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> +	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in

Is this a limitation of the checkpolicy packaged in bionic?  If so, 
should we just grab the upstream selinux userspace and build it ourselves?

> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all`
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
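Review bot: `sed -i 's/refpolicy/targeted/' build.conf` rewrites every occurrence of the string `refpolicy` in the file, comments and unrelated settings included, not only the policy name; anchor it to the line it is meant to change, e.g. `sed -i 's/^NAME = refpolicy/NAME = targeted/' build.conf` (or whatever line sets the name in Fedora's copy), so a future edit to build.conf cannot be mangled. Also, under `set -ex` the final `sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile` aborts the script if the link already exists, which is exactly what happens when someone reruns it locally after a cached build; `ln -sf` is the usual fix. Minor: `make -j\`nproc --all\`` is easier to read as `make -j"$(nproc --all)"`.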
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..d89b041
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,22 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> +	git clone https://github.com/SELinuxProject/refpolicy
> +else
> +	git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> +	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
> +
> +make -j`nproc --all`
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
> 
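Review bot: the `else` branch runs `git pull || { git checkout '*' && git pull; }` in the current directory, which at that point is the testsuite checkout rather than `refpolicy`, so on a cached run the refpolicy tree is never updated and, worse, the `git checkout '*'` fallback can throw away uncommitted changes in the testsuite tree itself. The Fedora script gets this right with a subshell; do the same here: `(cd refpolicy && { git pull || { git checkout '*' && git pull; }; })`. As in the Fedora script, the trailing `sudo ln -s ... /usr/share/selinux/refpolicy/Makefile` should be `ln -sf` so a rerun does not fail under `set -e`.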


Thread overview (12+ messages):
2019-09-30 10:48 [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
2019-09-30 13:24   ` Stephen Smalley
2019-09-30 13:56     ` Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
2019-09-30 13:32   ` Stephen Smalley
2019-09-30 14:21     ` Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 3/3] travis: test building the test policy package Ondrej Mosnacek
2019-09-30 13:43   ` Stephen Smalley [this message]
2019-09-30 13:51     ` Stephen Smalley
2019-09-30 15:02     ` Ondrej Mosnacek
2019-09-30 18:05       ` Stephen Smalley
