selinux.vger.kernel.org archive mirror
* [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis
@ 2019-09-30 10:48 Ondrej Mosnacek
  2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 10:48 UTC (permalink / raw)
  To: selinux

This series fixes the remaining test_policy.pp build errors under
refpolicy and enables building the test policy under both Fedora policy
and refpolicy in Travis CI.

Ondrej Mosnacek (3):
  policy: consolidate macros for home dirs access
  policy: add fallbacks for Fedora-specific macros
  travis: test building the test policy package

 .travis.yml                         | 24 ++++++++++++++++++--
 policy/test_overlayfs.te            |  6 ++---
 policy/test_policy.if               | 23 +++++++++++++++++--
 travis-ci/enable-policy.sh          | 10 +++++++++
 travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
 6 files changed, 112 insertions(+), 8 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

-- 
2.21.0



* [PATCH testsuite 1/3] policy: consolidate macros for home dirs access
  2019-09-30 10:48 [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
@ 2019-09-30 10:48 ` Ondrej Mosnacek
  2019-09-30 13:24   ` Stephen Smalley
  2019-09-30 10:48 ` [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
  2019-09-30 10:48 ` [PATCH testsuite 3/3] travis: test building the test policy package Ondrej Mosnacek
  2 siblings, 1 reply; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 10:48 UTC (permalink / raw)
  To: selinux

Use userdom_search_generic_user_home_dirs(), which is always defined,
and redefine it to match what overlayfs was doing (just in case).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_overlayfs.te | 6 ++----
 policy/test_policy.if    | 9 +++++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
index 6f1756e..f56ef78 100644
--- a/policy/test_overlayfs.te
+++ b/policy/test_overlayfs.te
@@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t)
 corecmd_shell_entry_type(test_overlay_mounter_t)
 corecmd_exec_bin(test_overlay_mounter_t)
 
-userdom_search_admin_dir(test_overlay_mounter_t)
-userdom_search_user_home_content(test_overlay_mounter_t)
+userdom_search_generic_user_home_dirs(test_overlay_mounter_t)
 
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
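Review bot: The commit message's claim that userdom_search_generic_user_home_dirs() is "always defined" only holds because the test_policy.if hunk in this same patch defines it locally; the replaced pair userdom_search_admin_dir()/userdom_search_user_home_content() is what the mounter was actually granted, so the message should say that the local interface supplies that, and that on refpolicy (where userdom_search_admin_dir is absent) test_overlay_mounter_t ends up with only userdom_search_user_home_content($1).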
@@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t)
 kernel_read_system_state(test_overlay_client_t)
 kernel_read_proc_symlinks(test_overlay_client_t)
 
-userdom_search_admin_dir(test_overlay_client_t)
-userdom_search_user_home_content(test_overlay_client_t)
+userdom_search_generic_user_home_dirs(test_overlay_client_t)
 
 fs_getattr_xattr_fs(test_overlay_client_t)
 
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 5f4000f..40e7499 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
 ')
 ')
 
-ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
+ifdef(`userdom_search_admin_dir', ` dnl
 interface(`userdom_search_generic_user_home_dirs', `
-    userdom_search_user_home_dirs($1)
+    userdom_search_user_home_content($1)
+    userdom_search_admin_dir($1)
+')
+', ` dnl
+interface(`userdom_search_generic_user_home_dirs', `
+    userdom_search_user_home_content($1)
 ')
 ')
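Review bot: Both branches of the new `ifdef(\`userdom_search_admin_dir', ...` redefine userdom_search_generic_user_home_dirs, so when the base policy already provides that interface its definition is silently overridden with a broader one (search of the admin dir plus user home content rather than just home dirs and their ancestors), and the previous fallback to userdom_search_user_home_dirs($1) is dropped entirely. Consider keeping the outer `ifdef(\`userdom_search_generic_user_home_dirs', \`', ...` guard and only choosing between the two bodies inside it, or giving the local interface a test_-prefixed name so it cannot shadow a base-policy interface.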
-- 
2.21.0



* [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros
  2019-09-30 10:48 [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
  2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
@ 2019-09-30 10:48 ` Ondrej Mosnacek
  2019-09-30 13:32   ` Stephen Smalley
  2019-09-30 10:48 ` [PATCH testsuite 3/3] travis: test building the test policy package Ondrej Mosnacek
  2 siblings, 1 reply; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 10:48 UTC (permalink / raw)
  To: selinux

dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
refpolicy. Fall back to dev_rw_generic_files() and
mount_rw_runtime_files() if they are not defined.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_policy.if | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/policy/test_policy.if b/policy/test_policy.if
index 40e7499..e31345e 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -71,3 +71,17 @@ interface(`userdom_search_generic_user_home_dirs', `
     userdom_search_user_home_content($1)
 ')
 ')
+
+# Workarounds for refpolicy:
+
+ifdef(`dev_rw_infiniband_dev', `', ` dnl
+interface(`dev_rw_infiniband_dev', `
+    dev_rw_generic_files($1)
+')
+')
+
+ifdef(`mount_rw_pid_files', `', ` dnl
+interface(`mount_rw_pid_files', `
+    mount_rw_runtime_files($1)
+')
+')
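Review bot: The dev_rw_infiniband_dev fallback grants a different object class from the interface it stands in for: dev_rw_generic_files($1) covers regular files of type device_t, whereas the Fedora interface covers character and block device nodes of infiniband_device_t, so dev_rw_generic_chr_files($1) and dev_rw_generic_blk_files($1) are the closer equivalents. The mount_rw_pid_files to mount_rw_runtime_files mapping is a straight rename and looks fine. The "Workarounds for refpolicy" comment should also say that these fallbacks only make the module compile; they do not by themselves make the InfiniBand tests meaningful on refpolicy.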
-- 
2.21.0



* [PATCH testsuite 3/3] travis: test building the test policy package
  2019-09-30 10:48 [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
  2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
  2019-09-30 10:48 ` [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
@ 2019-09-30 10:48 ` Ondrej Mosnacek
  2019-09-30 13:43   ` Stephen Smalley
  2 siblings, 1 reply; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 10:48 UTC (permalink / raw)
  To: selinux

Download, build, and install Fedora policy & refpolicy and try building
the test policy package against both of them.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml                         | 24 ++++++++++++++++++--
 travis-ci/enable-policy.sh          | 10 +++++++++
 travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
 travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 travis-ci/enable-policy.sh
 create mode 100644 travis-ci/setup-policy-fedora.sh
 create mode 100644 travis-ci/setup-policy-refpolicy.sh

diff --git a/.travis.yml b/.travis.yml
index fbbe98d..c8cd44e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
 language: c
 
-dist: xenial
+dist: bionic
 
 addons:
   apt:
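Review bot: The dist bump from xenial to bionic is not explained in the commit message; state what bionic provides that xenial did not (for example the checkpolicy and semodule-utils packages added in the next hunk), since the dist also determines which kernel and libselinux the job runs against.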
@@ -8,6 +8,14 @@ addons:
       - astyle
       - libselinux1-dev
       - libsctp-dev
+      - checkpolicy
+      - semodule-utils
+
+cache:
+  directories:
+    - selinux-policy
+    - container-selinux
+    - refpolicy
 
 before_install:
   # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
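Review bot: The three cached checkouts (selinux-policy, container-selinux, refpolicy) are only ever refreshed by `git pull` in the setup scripts, so a cache entry holding a half-built tree from a failed job is reused as-is by the next run; consider running `make clean` in the setup scripts before building, or keying the cache on the scripts so it is dropped when they change. Also worth noting in the commit message that checkpolicy/semodule-utils now come from the bionic archive, since the policy version that checkpolicy supports is what the fake selinuxfs below has to match.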
@@ -17,7 +25,19 @@ before_install:
      perl Makefile.PL &&
      make &&
      sudo make install)
+  # install libbpf from sources
+  - git clone https://github.com/libbpf/libbpf
+  - (cd libbpf/src && make PREFIX=/usr/local)
+  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
+  # install Fedora policy and refpolicy
+  - bash travis-ci/setup-policy-fedora.sh
+  - bash travis-ci/setup-policy-refpolicy.sh
+  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
+  - sudo mkdir -p /tmp/fake-selinuxfs
+  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+  - echo 31 >/tmp/fake-selinuxfs/policyvers
 
 script:
   - tools/check-syntax -f && git diff --exit-code
-  - make
+  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
+  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
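Review bot: The two `make POLDEV=...` invocations build in the same tree with no `make clean` between them, so objects produced against the targeted headers can be reused by the refpolicy build; insert a `make clean` (or build in separate copies) between the two script lines. Two smaller points in the same hunk: `git clone https://github.com/libbpf/libbpf` builds and installs an unpinned upstream HEAD as root, unlike the "known good with HEAD at ..." convention used for the other source dependency just above, so pin a tag or commit; and `echo 31 >/tmp/fake-selinuxfs/policyvers` hard-codes a policy version that will drift from what the packaged checkpolicy supports, so derive it from `checkpolicy -V` instead.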
diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
new file mode 100644
index 0000000..ae53fbe
--- /dev/null
+++ b/travis-ci/enable-policy.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+# create a dummy /etc/selinux/config
+sudo mkdir -p /etc/selinux
+sudo tee /etc/selinux/config >/dev/null <<EOF
+SELINUX=disabled
+SELINUXTYPE=$1
+EOF
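Review bot: `$1` is written into /etc/selinux/config unchecked, so calling the script without an argument silently produces `SELINUXTYPE=` and the later `make POLDEV=...` fails with a less obvious error; add a guard such as `[ -n "$1" ] || { echo "usage: $0 <policy-type>" >&2; exit 1; }` before the heredoc, and quote it as `SELINUXTYPE="$1"` or validate it against the directories that actually exist under /usr/share/selinux.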
diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
new file mode 100644
index 0000000..192e234
--- /dev/null
+++ b/travis-ci/setup-policy-fedora.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d selinux-policy/.git ]; then
+	git clone --recursive https://github.com/fedora-selinux/selinux-policy
+	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
+else
+	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
+	(cd selinux-policy/policy/modules/contrib && git pull)
+fi
+
+if ! [ -d container-selinux/.git ]; then
+	git clone https://github.com/containers/container-selinux.git
+	for f in container.if container.te; do
+		ln -s ../../../../container-selinux/$f \
+			selinux-policy/policy/modules/contrib/$f
+	done
+else
+	(cd container-selinux && git pull)
+fi
+
+cd selinux-policy
+
+grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
+
+[ -f policy/modules.conf ] || make conf
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
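Review bot: The `ln -s` calls are not idempotent under `set -ex`: if selinux-policy is restored from cache but container-selinux is not, the container.if/container.te symlinks already exist and the loop aborts the job, and the final `sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile` fails the same way on any host where it was created before; use `ln -sf` or guard with `[ -e ... ] ||`. Two further points: `[ -f policy/modules.conf ] || make conf` keeps a cached modules.conf even after upstream adds modules, so regenerate it when the tree was updated; and both repositories are cloned at an unpinned HEAD and then installed with `sudo make install`, so pin a known-good commit as the existing "known good with HEAD at" comment in .travis.yml does for the other dependency.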
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
new file mode 100644
index 0000000..d89b041
--- /dev/null
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+if ! [ -d refpolicy/.git ]; then
+	git clone https://github.com/SELinuxProject/refpolicy
+else
+	git pull || { git checkout '*' && git pull; }
+fi
+
+cd refpolicy
+
+[ -f policy/modules.conf ] || make conf
+
+grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
+	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
+
+make -j`nproc --all`
+sudo make install install-headers
+
+# workaround for different Makefile location in Fedora RPMs
+sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
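Review bot: The `else` branch runs `git pull || { git checkout '*' && git pull; }` in the current directory, which is the testsuite checkout, not in refpolicy/; compare the Fedora script, which wraps the same commands in `(cd selinux-policy && ...)`, and do the same here with `(cd refpolicy && ...)`, otherwise a cached refpolicy tree is never updated and the testsuite tree may be reset. Also the comment "workaround for different Makefile location in Fedora RPMs" was copied from the Fedora script and does not describe this refpolicy install; and, as there, `ln -s` should be `ln -sf` (or guarded) so a rerun does not abort under `set -e`.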
-- 
2.21.0



* Re: [PATCH testsuite 1/3] policy: consolidate macros for home dirs access
  2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
@ 2019-09-30 13:24   ` Stephen Smalley
  2019-09-30 13:56     ` Ondrej Mosnacek
  0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-09-30 13:24 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> Use userdom_search_generic_user_home_dirs(), which is always defined,
> and redefine it to match what overlayfs was doing (just in case).
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/test_overlayfs.te | 6 ++----
>   policy/test_policy.if    | 9 +++++++--
>   2 files changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
> index 6f1756e..f56ef78 100644
> --- a/policy/test_overlayfs.te
> +++ b/policy/test_overlayfs.te
> @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t)
>   corecmd_shell_entry_type(test_overlay_mounter_t)
>   corecmd_exec_bin(test_overlay_mounter_t)
>   
> -userdom_search_admin_dir(test_overlay_mounter_t)
> -userdom_search_user_home_content(test_overlay_mounter_t)
> +userdom_search_generic_user_home_dirs(test_overlay_mounter_t)
>   
>   mount_exec(test_overlay_mounter_t)
>   mount_rw_pid_files(test_overlay_mounter_t)
> @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t)
>   kernel_read_system_state(test_overlay_client_t)
>   kernel_read_proc_symlinks(test_overlay_client_t)
>   
> -userdom_search_admin_dir(test_overlay_client_t)
> -userdom_search_user_home_content(test_overlay_client_t)
> +userdom_search_generic_user_home_dirs(test_overlay_client_t)
>   
>   fs_getattr_xattr_fs(test_overlay_client_t)
>   
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index 5f4000f..40e7499 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
>   ')
>   ')
>   
> -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
> +ifdef(`userdom_search_admin_dir', ` dnl
>   interface(`userdom_search_generic_user_home_dirs', `
> -    userdom_search_user_home_dirs($1)
> +    userdom_search_user_home_content($1)
> +    userdom_search_admin_dir($1)
> +')
> +', ` dnl
> +interface(`userdom_search_generic_user_home_dirs', `
> +    userdom_search_user_home_content($1)
>   ')
>   ')

Previously, if userdom_search_generic_user_home_dirs() was defined by 
the base policy (as it used to be), we would use that definition, else 
we would use userdom_search_user_home_dirs(). After, we will always 
redefine it, and the redefinition is more expansive than just search 
access to $HOME and its ancestors in the hierarchy.  Might not affect 
the tests themselves but it seems a bit confusing.




* Re: [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros
  2019-09-30 10:48 ` [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
@ 2019-09-30 13:32   ` Stephen Smalley
  2019-09-30 14:21     ` Ondrej Mosnacek
  0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-09-30 13:32 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
> refpolicy. Fall back to dev_rw_generic_files() and
> mount_rw_runtime_files() if they are not defined.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/test_policy.if | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index 40e7499..e31345e 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -71,3 +71,17 @@ interface(`userdom_search_generic_user_home_dirs', `
>       userdom_search_user_home_content($1)
>   ')
>   ')
> +
> +# Workarounds for refpolicy:
> +
> +ifdef(`dev_rw_infiniband_dev', `', ` dnl
> +interface(`dev_rw_infiniband_dev', `
> +    dev_rw_generic_files($1)
> +')
> +')

dev_rw_infiniband_dev allows access to character and block devices 
labeled infiniband_device_t.  dev_rw_generic_files() allows access to 
_regular_ files labeled device_t. dev_rw_generic_chr_files() and 
dev_rw_generic_blk_files() would be the equivalent interfaces. 
Alternatively, we could wrap the calls in the test_ib*.te files with 
ifdefs as we do for e.g. corenet_ib_pkey and other interfaces. 
Regardless, I don't think the infiniband tests will presently work on a 
system with only refpolicy.

> +
> +ifdef(`mount_rw_pid_files', `', ` dnl
> +interface(`mount_rw_pid_files', `
> +    mount_rw_runtime_files($1)
> +')
> +')
> 



* Re: [PATCH testsuite 3/3] travis: test building the test policy package
  2019-09-30 10:48 ` [PATCH testsuite 3/3] travis: test building the test policy package Ondrej Mosnacek
@ 2019-09-30 13:43   ` Stephen Smalley
  2019-09-30 13:51     ` Stephen Smalley
  2019-09-30 15:02     ` Ondrej Mosnacek
  0 siblings, 2 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-09-30 13:43 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> Download, build, and install Fedora policy & refpolicy and try building
> the test policy package against both of them.

I guess this is a necessary first step to actually getting the testsuite 
to run on travis, which would be the more important goal.  That 
obviously requires actually enabling SELinux on bionic, unless we could 
get travis-ci to offer fedora or centos images.

> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   .travis.yml                         | 24 ++++++++++++++++++--
>   travis-ci/enable-policy.sh          | 10 +++++++++
>   travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
>   travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
>   4 files changed, 89 insertions(+), 2 deletions(-)
>   create mode 100644 travis-ci/enable-policy.sh
>   create mode 100644 travis-ci/setup-policy-fedora.sh
>   create mode 100644 travis-ci/setup-policy-refpolicy.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index fbbe98d..c8cd44e 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -1,6 +1,6 @@
>   language: c
>   
> -dist: xenial
> +dist: bionic
>   
>   addons:
>     apt:
> @@ -8,6 +8,14 @@ addons:
>         - astyle
>         - libselinux1-dev
>         - libsctp-dev
> +      - checkpolicy
> +      - semodule-utils
> +
> +cache:
> +  directories:
> +    - selinux-policy
> +    - container-selinux
> +    - refpolicy
>   
>   before_install:
>     # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
> @@ -17,7 +25,19 @@ before_install:
>        perl Makefile.PL &&
>        make &&
>        sudo make install)
> +  # install libbpf from sources
> +  - git clone https://github.com/libbpf/libbpf
> +  - (cd libbpf/src && make PREFIX=/usr/local)
> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)

Not packaged on bionic or not recent enough?

> +  # install Fedora policy and refpolicy
> +  - bash travis-ci/setup-policy-fedora.sh
> +  - bash travis-ci/setup-policy-refpolicy.sh
> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> +  - sudo mkdir -p /tmp/fake-selinuxfs
> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - echo 31 >/tmp/fake-selinuxfs/policyvers

Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?

>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
> -  - make
> +  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
> +  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> new file mode 100644
> index 0000000..ae53fbe
> --- /dev/null
> +++ b/travis-ci/enable-policy.sh
> @@ -0,0 +1,10 @@
> +#!/bin/bash
> +
> +set -e
> +
> +# create a dummy /etc/selinux/config
> +sudo mkdir -p /etc/selinux
> +sudo tee /etc/selinux/config >/dev/null <<EOF
> +SELINUX=disabled
> +SELINUXTYPE=$1
> +EOF
> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> new file mode 100644
> index 0000000..192e234
> --- /dev/null
> +++ b/travis-ci/setup-policy-fedora.sh
> @@ -0,0 +1,35 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d selinux-policy/.git ]; then
> +	git clone --recursive https://github.com/fedora-selinux/selinux-policy
> +	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> +else
> +	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
> +	(cd selinux-policy/policy/modules/contrib && git pull)
> +fi
> +
> +if ! [ -d container-selinux/.git ]; then
> +	git clone https://github.com/containers/container-selinux.git
> +	for f in container.if container.te; do
> +		ln -s ../../../../container-selinux/$f \
> +			selinux-policy/policy/modules/contrib/$f
> +	done
> +else
> +	(cd container-selinux && git pull)
> +fi

Seem brittle / tightly tied to fedora policy internals - is there some 
more general facility or perhaps they even provide a script for doing 
this that we could just reuse?

> +
> +cd selinux-policy
> +
> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> +	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in

Is this a limitation of the checkpolicy packaged in bionic?  If so, 
should we just grab the upstream selinux userspace and build it ourselves?

> +
> +[ -f policy/modules.conf ] || make conf
> +
> +make -j`nproc --all`
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> new file mode 100644
> index 0000000..d89b041
> --- /dev/null
> +++ b/travis-ci/setup-policy-refpolicy.sh
> @@ -0,0 +1,22 @@
> +#!/bin/bash
> +
> +set -ex
> +
> +if ! [ -d refpolicy/.git ]; then
> +	git clone https://github.com/SELinuxProject/refpolicy
> +else
> +	git pull || { git checkout '*' && git pull; }
> +fi
> +
> +cd refpolicy
> +
> +[ -f policy/modules.conf ] || make conf
> +
> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> +	sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
> +
> +make -j`nproc --all`
> +sudo make install install-headers
> +
> +# workaround for different Makefile location in Fedora RPMs
> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
> 



* Re: [PATCH testsuite 3/3] travis: test building the test policy package
  2019-09-30 13:43   ` Stephen Smalley
@ 2019-09-30 13:51     ` Stephen Smalley
  2019-09-30 15:02     ` Ondrej Mosnacek
  1 sibling, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-09-30 13:51 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 9/30/19 9:43 AM, Stephen Smalley wrote:
> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
>> Download, build, and install Fedora policy & refpolicy and try building
>> the test policy package against both of them.
> 
> I guess this is a necessary first step to actually getting the testsuite 
> to run on travis, which would be the more important goal.  That 
> obviously requires actually enabling SELinux on bionic, unless we could 
> get travis-ci to offer fedora or centos images.
> 
>>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>> ---
>>   .travis.yml                         | 24 ++++++++++++++++++--
>>   travis-ci/enable-policy.sh          | 10 +++++++++
>>   travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
>>   travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
>>   4 files changed, 89 insertions(+), 2 deletions(-)
>>   create mode 100644 travis-ci/enable-policy.sh
>>   create mode 100644 travis-ci/setup-policy-fedora.sh
>>   create mode 100644 travis-ci/setup-policy-refpolicy.sh
>>
>> diff --git a/.travis.yml b/.travis.yml
>> index fbbe98d..c8cd44e 100644
>> --- a/.travis.yml
>> +++ b/.travis.yml
>> @@ -1,6 +1,6 @@
>>   language: c
>> -dist: xenial
>> +dist: bionic
>>   addons:
>>     apt:
>> @@ -8,6 +8,14 @@ addons:
>>         - astyle
>>         - libselinux1-dev
>>         - libsctp-dev
>> +      - checkpolicy
>> +      - semodule-utils
>> +
>> +cache:
>> +  directories:
>> +    - selinux-policy
>> +    - container-selinux
>> +    - refpolicy
>>   before_install:
>>     # FYI: known good with HEAD at 
>> 8551fc60fc515cd290ba38ee8c758c1f4df52b56
>> @@ -17,7 +25,19 @@ before_install:
>>        perl Makefile.PL &&
>>        make &&
>>        sudo make install)
>> +  # install libbpf from sources
>> +  - git clone https://github.com/libbpf/libbpf
>> +  - (cd libbpf/src && make PREFIX=/usr/local)
>> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
> 
> Not packaged on bionic or not recent enough?
> 
>> +  # install Fedora policy and refpolicy
>> +  - bash travis-ci/setup-policy-fedora.sh
>> +  - bash travis-ci/setup-policy-refpolicy.sh
>> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps 
>> for selinuxfs)
>> +  - sudo mkdir -p /tmp/fake-selinuxfs
>> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
>> +  - echo 31 >/tmp/fake-selinuxfs/policyvers
> 
> Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?

Looks like the idiom we use in selinux-testsuite/policy/Makefile and 
refpolicy/Rules.monolithic is checkpolicy -V | cut -f 1 -d ' '

> 
>>   script:
>>     - tools/check-syntax -f && git diff --exit-code
>> -  - make
>> +  - bash travis-ci/enable-policy.sh targeted  && make 
>> POLDEV=/usr/share/selinux/targeted
>> +  - bash travis-ci/enable-policy.sh refpolicy && make 
>> POLDEV=/usr/share/selinux/refpolicy
>> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
>> new file mode 100644
>> index 0000000..ae53fbe
>> --- /dev/null
>> +++ b/travis-ci/enable-policy.sh
>> @@ -0,0 +1,10 @@
>> +#!/bin/bash
>> +
>> +set -e
>> +
>> +# create a dummy /etc/selinux/config
>> +sudo mkdir -p /etc/selinux
>> +sudo tee /etc/selinux/config >/dev/null <<EOF
>> +SELINUX=disabled
>> +SELINUXTYPE=$1
>> +EOF
>> diff --git a/travis-ci/setup-policy-fedora.sh 
>> b/travis-ci/setup-policy-fedora.sh
>> new file mode 100644
>> index 0000000..192e234
>> --- /dev/null
>> +++ b/travis-ci/setup-policy-fedora.sh
>> @@ -0,0 +1,35 @@
>> +#!/bin/bash
>> +
>> +set -ex
>> +
>> +if ! [ -d selinux-policy/.git ]; then
>> +    git clone --recursive 
>> https://github.com/fedora-selinux/selinux-policy
>> +    (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
>> +else
>> +    (cd selinux-policy && git pull || { git checkout '*' && git pull; })
>> +    (cd selinux-policy/policy/modules/contrib && git pull)
>> +fi
>> +
>> +if ! [ -d container-selinux/.git ]; then
>> +    git clone https://github.com/containers/container-selinux.git
>> +    for f in container.if container.te; do
>> +        ln -s ../../../../container-selinux/$f \
>> +            selinux-policy/policy/modules/contrib/$f
>> +    done
>> +else
>> +    (cd container-selinux && git pull)
>> +fi
> 
> Seem brittle / tightly tied to fedora policy internals - is there some 
> more general facility or perhaps they even provide a script for doing 
> this that we could just reuse?
> 
>> +
>> +cd selinux-policy
>> +
>> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' 
>> build.conf
>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>> +    sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
> 
> Is this a limitation of the checkpolicy packaged in bionic?  If so, 
> should we just grab the upstream selinux userspace and build it ourselves?
> 
>> +
>> +[ -f policy/modules.conf ] || make conf
>> +
>> +make -j`nproc --all`
>> +sudo make install install-headers
>> +
>> +# workaround for different Makefile location in Fedora RPMs
>> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
>> diff --git a/travis-ci/setup-policy-refpolicy.sh 
>> b/travis-ci/setup-policy-refpolicy.sh
>> new file mode 100644
>> index 0000000..d89b041
>> --- /dev/null
>> +++ b/travis-ci/setup-policy-refpolicy.sh
>> @@ -0,0 +1,22 @@
>> +#!/bin/bash
>> +
>> +set -ex
>> +
>> +if ! [ -d refpolicy/.git ]; then
>> +    git clone https://github.com/SELinuxProject/refpolicy
>> +else
>> +    git pull || { git checkout '*' && git pull; }
>> +fi
>> +
>> +cd refpolicy
>> +
>> +[ -f policy/modules.conf ] || make conf
>> +
>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>> +    sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
>> +
>> +make -j`nproc --all`
>> +sudo make install install-headers
>> +
>> +# workaround for different Makefile location in Fedora RPMs
>> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
>>
> 



* Re: [PATCH testsuite 1/3] policy: consolidate macros for home dirs access
  2019-09-30 13:24   ` Stephen Smalley
@ 2019-09-30 13:56     ` Ondrej Mosnacek
  0 siblings, 0 replies; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 13:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Sep 30, 2019 at 3:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> > Use userdom_search_generic_user_home_dirs(), which is always defined,
> > and redefine it to match what overlayfs was doing (just in case).
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   policy/test_overlayfs.te | 6 ++----
> >   policy/test_policy.if    | 9 +++++++--
> >   2 files changed, 9 insertions(+), 6 deletions(-)
> >
> > diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
> > index 6f1756e..f56ef78 100644
> > --- a/policy/test_overlayfs.te
> > +++ b/policy/test_overlayfs.te
> > @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t)
> >   corecmd_shell_entry_type(test_overlay_mounter_t)
> >   corecmd_exec_bin(test_overlay_mounter_t)
> >
> > -userdom_search_admin_dir(test_overlay_mounter_t)
> > -userdom_search_user_home_content(test_overlay_mounter_t)
> > +userdom_search_generic_user_home_dirs(test_overlay_mounter_t)
> >
> >   mount_exec(test_overlay_mounter_t)
> >   mount_rw_pid_files(test_overlay_mounter_t)
> > @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t)
> >   kernel_read_system_state(test_overlay_client_t)
> >   kernel_read_proc_symlinks(test_overlay_client_t)
> >
> > -userdom_search_admin_dir(test_overlay_client_t)
> > -userdom_search_user_home_content(test_overlay_client_t)
> > +userdom_search_generic_user_home_dirs(test_overlay_client_t)
> >
> >   fs_getattr_xattr_fs(test_overlay_client_t)
> >
> > diff --git a/policy/test_policy.if b/policy/test_policy.if
> > index 5f4000f..40e7499 100644
> > --- a/policy/test_policy.if
> > +++ b/policy/test_policy.if
> > @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
> >   ')
> >   ')
> >
> > -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl
> > +ifdef(`userdom_search_admin_dir', ` dnl
> >   interface(`userdom_search_generic_user_home_dirs', `
> > -    userdom_search_user_home_dirs($1)
> > +    userdom_search_user_home_content($1)
> > +    userdom_search_admin_dir($1)
> > +')
> > +', ` dnl
> > +interface(`userdom_search_generic_user_home_dirs', `
> > +    userdom_search_user_home_content($1)
> >   ')
> >   ')
>
> Previously, if userdom_search_generic_user_home_dirs() was defined by
> the base policy (as it used to be), we would use that definition, else
> we would use userdom_search_user_home_dirs(). After, we will always
> redefine it, and the redefinition is more expansive than just search
> access to $HOME and its ancestors in the hierarchy.  Might not affect
> the tests themselves but it seems a bit confusing.

You're right, I'm mixing up the semantics too much. Let me see if I
can handle this more nicely...

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros
  2019-09-30 13:32   ` Stephen Smalley
@ 2019-09-30 14:21     ` Ondrej Mosnacek
  0 siblings, 0 replies; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 14:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Sep 30, 2019 at 3:32 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> > dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in
> > refpolicy. Fall back to dev_rw_generic_files() and
> > mount_rw_runtime_files() if they are not defined.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   policy/test_policy.if | 14 ++++++++++++++
> >   1 file changed, 14 insertions(+)
> >
> > diff --git a/policy/test_policy.if b/policy/test_policy.if
> > index 40e7499..e31345e 100644
> > --- a/policy/test_policy.if
> > +++ b/policy/test_policy.if
> > @@ -71,3 +71,17 @@ interface(`userdom_search_generic_user_home_dirs', `
> >       userdom_search_user_home_content($1)
> >   ')
> >   ')
> > +
> > +# Workarounds for refpolicy:
> > +
> > +ifdef(`dev_rw_infiniband_dev', `', ` dnl
> > +interface(`dev_rw_infiniband_dev', `
> > +    dev_rw_generic_files($1)
> > +')
> > +')
>
> dev_rw_infiniband_dev allows access to character and block devices
> labeled infiniband_device_t.  dev_rw_generic_files() allows access to
> _regular_ files labeled device_t. dev_rw_generic_chr_files() and
> dev_rw_generic_blk_files() would be the equivalent interfaces.
> Alternatively, we could wrap the calls in the test_ib*.te files with
> ifdefs as we do for e.g. corenet_ib_pkey and other interfaces.
> Regardless, I don't think the infiniband tests will presently work on a
> system with only refpolicy.

Fair enough, I'll switch to
dev_rw_generic_chr_files()+dev_rw_generic_blk_files(). I think it is
better to have the workaround in the common interface, as it will be a
bit easier to remove/change it in the future.

>
> > +
> > +ifdef(`mount_rw_pid_files', `', ` dnl
> > +interface(`mount_rw_pid_files', `
> > +    mount_rw_runtime_files($1)
> > +')
> > +')
> >
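Review bot: each ifdef() fallback here should carry a one-line comment stating what the substitute grants relative to the Fedora interface it stands in for. The `dev_rw_infiniband_dev` to `dev_rw_generic_files` case above shows that a name-level fallback can quietly change the object class and type the tests end up with, and without such a note the next person cannot tell a straight rename (as `mount_rw_pid_files` to `mount_rw_runtime_files` is meant to be) from an approximation, which matters given the stated plan to remove these later. Also, the `# Workarounds for refpolicy:` heading sits below the `userdom_search_generic_user_home_dirs` fallback visible in the hunk context, which is a workaround of the same kind; move the heading above it so the section covers all of them.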
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.


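Before writing fallbacks like the ifdef() blocks discussed in this message, it helps to know exactly which interface names a policy source calls that a given header set does not define. The following is an added example, not code from the selinux-testsuite or from this patch series: a small shell checker that extracts `interface(`name',` and `template(`name',` definitions from a headers tree (the `include/` layout that `make install-headers` produces under a POLDEV directory, as the patches above rely on) and diffs them against the interface-style calls in a .te or .if file. The header and .te files it runs on are constructed inline so it works offline, and the list of build macros it ignores (SKIP_MACROS) is a hand-maintained assumption that would need extending for a real policy.

```bash
#!/bin/bash
# Added example (not part of the selinux-testsuite or this patch series):
# report interface names a policy source calls that a set of installed
# policy headers does not define, which is the list one needs before
# writing ifdef() fallbacks like the ones in test_policy.if.
#
# Assumptions: headers are *.if files under the given directory and define
# interfaces with refpolicy's `interface(`name',` / `template(`name',`
# syntax; the macros in SKIP_MACROS are build macros, not interfaces, and
# that list is a hand-maintained assumption.
set -eu
export LC_ALL=C          # same collation for sort and comm

SKIP_MACROS='policy_module|gen_require|optional_policy|tunable_policy|ifdef|ifndef|interface|template|define|dnl|gen_tunable|gen_bool'

# Every interface/template name defined under $1, sorted and unique.
defined_interfaces() {
    find "$1" -name '*.if' -exec sed -n \
        -e 's/^[[:space:]]*interface(`\([A-Za-z0-9_]*\).*/\1/p' \
        -e 's/^[[:space:]]*template(`\([A-Za-z0-9_]*\).*/\1/p' {} + | sort -u
}

# Every "name(" call in the policy source $1, minus known build macros.
called_interfaces() {
    grep -o '[A-Za-z0-9_][A-Za-z0-9_]*(' "$1" | sed 's/($//' |
        grep -Ev "^($SKIP_MACROS)\$" | sort -u
}

# Names called by source $2 that the headers under $1 do not define.
missing_interfaces() {
    local defined called
    defined="$(mktemp)"; called="$(mktemp)"
    defined_interfaces "$1" > "$defined"
    called_interfaces "$2" > "$called"
    comm -13 "$defined" "$called"
    rm -f "$defined" "$called"
}

# --- constructed sample data so the script runs offline ---
demo="$(mktemp -d)"
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/headers/system" "$demo/headers/kernel"
cat > "$demo/headers/system/userdom.if" <<'EOF'
interface(`userdom_search_user_home_content',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')
	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
EOF
cat > "$demo/headers/kernel/devices.if" <<'EOF'
interface(`dev_rw_generic_chr_files',`
	allow $1 device_t:chr_file rw_chr_file_perms;
')
interface(`dev_rw_generic_blk_files',`
	allow $1 device_t:blk_file rw_blk_file_perms;
')
EOF
cat > "$demo/test_policy.te" <<'EOF'
policy_module(test_policy, 1.0.0)
type test_t;
userdom_search_user_home_content(test_t)
userdom_search_generic_user_home_dirs(test_t)
dev_rw_infiniband_dev(test_t)
dev_rw_generic_chr_files(test_t)
EOF

# Prints the two names the sample source uses but the sample headers lack.
missing_interfaces "$demo/headers" "$demo/test_policy.te"
# Against a real install from the patches in this thread, e.g.:
#   missing_interfaces /usr/share/selinux/refpolicy/include policy/test_policy.te
```

Run it once against the Fedora headers and once against the refpolicy headers and the two outputs are the candidate list for ifdef() fallbacks; anything that shows up in both lists is a name the testsuite defines itself (or a macro to add to SKIP_MACROS), not a missing interface.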

* Re: [PATCH testsuite 3/3] travis: test building the test policy package
  2019-09-30 13:43   ` Stephen Smalley
  2019-09-30 13:51     ` Stephen Smalley
@ 2019-09-30 15:02     ` Ondrej Mosnacek
  2019-09-30 18:05       ` Stephen Smalley
  1 sibling, 1 reply; 12+ messages in thread
From: Ondrej Mosnacek @ 2019-09-30 15:02 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Sep 30, 2019 at 3:44 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
> > Download, build, and install Fedora policy & refpolicy and try building
> > the test policy package against both of them.
>
> I guess this is a necessary first step to actually getting the testsuite
> to run on travis, which would be the more important goal.  That
> obviously requires actually enabling SELinux on bionic, unless we could
> get travis-ci to offer fedora or centos images.
>
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   .travis.yml                         | 24 ++++++++++++++++++--
> >   travis-ci/enable-policy.sh          | 10 +++++++++
> >   travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
> >   travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
> >   4 files changed, 89 insertions(+), 2 deletions(-)
> >   create mode 100644 travis-ci/enable-policy.sh
> >   create mode 100644 travis-ci/setup-policy-fedora.sh
> >   create mode 100644 travis-ci/setup-policy-refpolicy.sh
> >
> > diff --git a/.travis.yml b/.travis.yml
> > index fbbe98d..c8cd44e 100644
> > --- a/.travis.yml
> > +++ b/.travis.yml
> > @@ -1,6 +1,6 @@
> >   language: c
> >
> > -dist: xenial
> > +dist: bionic
> >
> >   addons:
> >     apt:
> > @@ -8,6 +8,14 @@ addons:
> >         - astyle
> >         - libselinux1-dev
> >         - libsctp-dev
> > +      - checkpolicy
> > +      - semodule-utils
> > +
> > +cache:
> > +  directories:
> > +    - selinux-policy
> > +    - container-selinux
> > +    - refpolicy
> >
> >   before_install:
> >     # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
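Review bot: the three cached directories are git checkouts that setup-policy-fedora.sh and setup-policy-refpolicy.sh later edit in place (`sed -i` on build.conf and corenetwork.te.in), so a restored cache starts out dirty and a plain `git pull` into it fails; the `git pull || { git checkout '*' && git pull; }` fallback in those scripts is a symptom of this. Either reset the tree before pulling (`git checkout -- . && git pull`) so the fallback is unnecessary, or keep the edits out of the cached tree. Note also that the cache carries whatever the upstream branches contained on the last run, with no commit recorded anywhere, so two builds of the same testsuite revision can compile against different policy sources.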
> > @@ -17,7 +25,19 @@ before_install:
> >        perl Makefile.PL &&
> >        make &&
> >        sudo make install)
> > +  # install libbpf from sources
> > +  - git clone https://github.com/libbpf/libbpf
> > +  - (cd libbpf/src && make PREFIX=/usr/local)
> > +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
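Review bot: `git clone https://github.com/libbpf/libbpf` with no tag or commit pinned means every build compiles and installs, as root into /usr/local, whatever libbpf master contains at that moment, so an upstream change breaks this job with no change in the testsuite. The Perl module cloned a few lines earlier at least records a known-good HEAD in a comment (`# FYI: known good with HEAD at 8551fc6...`); do the same here, or better, `git checkout` a release tag after the clone so the build is reproducible.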
>
> Not packaged on bionic or not recent enough?

Not packaged, AFAICT.

>
> > +  # install Fedora policy and refpolicy
> > +  - bash travis-ci/setup-policy-fedora.sh
> > +  - bash travis-ci/setup-policy-refpolicy.sh
> > +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> > +  - sudo mkdir -p /tmp/fake-selinuxfs
> > +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> > +  - echo 31 >/tmp/fake-selinuxfs/policyvers
>
> Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?

This will get the policy version that checkpolicy supports, but the
policy Makefile also checks the version supported by the running
kernel. Since the policy won't actually be loaded in this case, it
makes sense to just report the highest known version so that the
Makefile tries to build as much as it can with the checkpolicy it has.
On second thought, we might even put in just some "infinity" number
(e.g. 999), since it should be just an additional upper bound to the
checkpolicy upper bound.

>
> >
> >   script:
> >     - tools/check-syntax -f && git diff --exit-code
> > -  - make
> > +  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
> > +  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
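Review bot: the targeted and refpolicy builds run back to back in the same tree with no `make clean` between them; unless policy/Makefile makes its outputs depend on POLDEV, the second `make` can find test_policy.pp and the test binaries already up to date from the first run and skip the refpolicy build this job exists to exercise. Insert `make clean` (or at least `make -C policy clean`) before the second invocation so both header sets are actually compiled against.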
> > diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
> > new file mode 100644
> > index 0000000..ae53fbe
> > --- /dev/null
> > +++ b/travis-ci/enable-policy.sh
> > @@ -0,0 +1,10 @@
> > +#!/bin/bash
> > +
> > +set -e
> > +
> > +# create a dummy /etc/selinux/config
> > +sudo mkdir -p /etc/selinux
> > +sudo tee /etc/selinux/config >/dev/null <<EOF
> > +SELINUX=disabled
> > +SELINUXTYPE=$1
> > +EOF
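Review bot: `SELINUXTYPE=$1` is written without checking that an argument was given, so `bash travis-ci/enable-policy.sh` with no argument produces `SELINUXTYPE=` and the later `make POLDEV=...` fails somewhere less obvious; `set -e` does not catch this. Add a guard at the top, e.g. `[ $# -eq 1 ] || { echo "usage: $0 <policytype>" >&2; exit 1; }`, and consider refusing to overwrite an existing /etc/selinux/config on a machine that is not the CI box, since the script is clearly meant only for one.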
> > diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
> > new file mode 100644
> > index 0000000..192e234
> > --- /dev/null
> > +++ b/travis-ci/setup-policy-fedora.sh
> > @@ -0,0 +1,35 @@
> > +#!/bin/bash
> > +
> > +set -ex
> > +
> > +if ! [ -d selinux-policy/.git ]; then
> > +     git clone --recursive https://github.com/fedora-selinux/selinux-policy
> > +     (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
> > +else
> > +     (cd selinux-policy && git pull || { git checkout '*' && git pull; })
> > +     (cd selinux-policy/policy/modules/contrib && git pull)
> > +fi
> > +
> > +if ! [ -d container-selinux/.git ]; then
> > +     git clone https://github.com/containers/container-selinux.git
> > +     for f in container.if container.te; do
> > +             ln -s ../../../../container-selinux/$f \
> > +                     selinux-policy/policy/modules/contrib/$f
> > +     done
> > +else
> > +     (cd container-selinux && git pull)
> > +fi
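Review bot: the `ln -s` loop that places container.if and container.te into selinux-policy/policy/modules/contrib runs only in the branch that clones container-selinux for the first time. With the `cache:` directories added in .travis.yml, a run that restores container-selinux from the cache but has to re-clone selinux-policy ends up with no links and builds without the container module the links were meant to provide. Create the links unconditionally after both repositories are present, using `ln -sf` so a re-run is idempotent.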
>
> Seems brittle / tightly tied to fedora policy internals - is there some
> more general facility or perhaps they even provide a script for doing
> this that we could just reuse?

No, this is simply how the Fedora policy repos are structured. I
mostly mirrored the logic of .travis.yml from the main repo [1]. I
don't think there's a better way to do this.

[1] https://github.com/fedora-selinux/selinux-policy/

>
> > +
> > +cd selinux-policy
> > +
> > +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
> > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> > +     sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
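Review bot: `sed -i 's/refpolicy/targeted/' build.conf` rewrites the first occurrence of the word on every line of the file, comments included, rather than the one setting being changed; anchor it on the assignment line it is meant to change and say in a comment which setting that is. Both `grep -q ... && sed -i ...` lines rely on `set -e` not aborting when the `grep -q` in an `&&` list fails, which is correct bash but worth a comment, and the second one silently deletes the SCTP portcon entries from the policy being built against, which is a change to what the tests later see and should at least be explained inline.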
>
> Is this a limitation of the checkpolicy packaged in bionic?  If so,

Yes, I think it is due to checkpolicy/-module being too old. Maybe it
should actually be handled in policy/Makefile with a [MOD_]POL_VERS
check... I'll need to look more carefully into this.

> should we just grab the upstream selinux userspace and build it ourselves?

I tried to keep the number of dynamic dependencies to a minimum, but
perhaps that's indeed the better way to go here...

>
> > +
> > +[ -f policy/modules.conf ] || make conf
> > +
> > +make -j`nproc --all`
> > +sudo make install install-headers
> > +
> > +# workaround for different Makefile location in Fedora RPMs
> > +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
> > diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
> > new file mode 100644
> > index 0000000..d89b041
> > --- /dev/null
> > +++ b/travis-ci/setup-policy-refpolicy.sh
> > @@ -0,0 +1,22 @@
> > +#!/bin/bash
> > +
> > +set -ex
> > +
> > +if ! [ -d refpolicy/.git ]; then
> > +     git clone https://github.com/SELinuxProject/refpolicy
> > +else
> > +     git pull || { git checkout '*' && git pull; }
> > +fi
> > +
> > +cd refpolicy
> > +
> > +[ -f policy/modules.conf ] || make conf
> > +
> > +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
> > +     sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
> > +
> > +make -j`nproc --all`
> > +sudo make install install-headers
> > +
> > +# workaround for different Makefile location in Fedora RPMs
> > +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
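Review bot: the `else` branch runs `git pull || { git checkout '*' && git pull; }` in the current directory, not in refpolicy/ (the `cd refpolicy` comes after the `if`), so on a run that restores the cache it pulls into the testsuite's own checkout, which under Travis is a detached HEAD, and `set -e` aborts the job. setup-policy-fedora.sh gets this right with `(cd selinux-policy && ...)`; wrap this one the same way. Also, `make conf` here runs before the corenetwork.te.in edit while the Fedora script does it after; keep the two scripts in the same order so a future difference is not mistaken for intent.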
> >
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH testsuite 3/3] travis: test building the test policy package
  2019-09-30 15:02     ` Ondrej Mosnacek
@ 2019-09-30 18:05       ` Stephen Smalley
  0 siblings, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-09-30 18:05 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list

On 9/30/19 11:02 AM, Ondrej Mosnacek wrote:
> On Mon, Sep 30, 2019 at 3:44 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 9/30/19 6:48 AM, Ondrej Mosnacek wrote:
>>> Download, build, and install Fedora policy & refpolicy and try building
>>> the test policy package against both of them.
>>
>> I guess this is a necessary first step to actually getting the testsuite
>> to run on travis, which would be the more important goal.  That
>> obviously requires actually enabling SELinux on bionic, unless we could
>> get travis-ci to offer fedora or centos images.
>>
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>>> ---
>>>    .travis.yml                         | 24 ++++++++++++++++++--
>>>    travis-ci/enable-policy.sh          | 10 +++++++++
>>>    travis-ci/setup-policy-fedora.sh    | 35 +++++++++++++++++++++++++++++
>>>    travis-ci/setup-policy-refpolicy.sh | 22 ++++++++++++++++++
>>>    4 files changed, 89 insertions(+), 2 deletions(-)
>>>    create mode 100644 travis-ci/enable-policy.sh
>>>    create mode 100644 travis-ci/setup-policy-fedora.sh
>>>    create mode 100644 travis-ci/setup-policy-refpolicy.sh
>>>
>>> diff --git a/.travis.yml b/.travis.yml
>>> index fbbe98d..c8cd44e 100644
>>> --- a/.travis.yml
>>> +++ b/.travis.yml
>>> @@ -1,6 +1,6 @@
>>>    language: c
>>>
>>> -dist: xenial
>>> +dist: bionic
>>>
>>>    addons:
>>>      apt:
>>> @@ -8,6 +8,14 @@ addons:
>>>          - astyle
>>>          - libselinux1-dev
>>>          - libsctp-dev
>>> +      - checkpolicy
>>> +      - semodule-utils
>>> +
>>> +cache:
>>> +  directories:
>>> +    - selinux-policy
>>> +    - container-selinux
>>> +    - refpolicy
>>>
>>>    before_install:
>>>      # FYI: known good with HEAD at 8551fc60fc515cd290ba38ee8c758c1f4df52b56
>>> @@ -17,7 +25,19 @@ before_install:
>>>         perl Makefile.PL &&
>>>         make &&
>>>         sudo make install)
>>> +  # install libbpf from sources
>>> +  - git clone https://github.com/libbpf/libbpf
>>> +  - (cd libbpf/src && make PREFIX=/usr/local)
>>> +  - (cd libbpf/src && sudo make install PREFIX=/usr/local)
>>
>> Not packaged on bionic or not recent enough?
> 
> Not packaged, AFAICT.
> 
>>
>>> +  # install Fedora policy and refpolicy
>>> +  - bash travis-ci/setup-policy-fedora.sh
>>> +  - bash travis-ci/setup-policy-refpolicy.sh
>>> +  # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
>>> +  - sudo mkdir -p /tmp/fake-selinuxfs
>>> +  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
>>> +  - echo 31 >/tmp/fake-selinuxfs/policyvers
>>
>> Fragile; maybe use checkpolicy -V | awk '{print $1}' or equivalent?
> 
> This will get the policy version that checkpolicy supports, but the
> policy Makefile also checks the version supported by the running
> kernel. Since the policy won't actually be loaded in this case, it
> makes sense to just report the highest known version so that the
> Makefile tries to build as much as it can with the checkpolicy it has.
> On second thought, we might even put in just some "infinity" number
> (e.g. 999), since it should be just an additional upper bound to the
> checkpolicy upper bound.

When building policies, we should always build the highest version 
supported by checkpolicy.  libselinux will downgrade automatically at 
load time if necessary to the kernel's version.

> 
>>
>>>
>>>    script:
>>>      - tools/check-syntax -f && git diff --exit-code
>>> -  - make
>>> +  - bash travis-ci/enable-policy.sh targeted  && make POLDEV=/usr/share/selinux/targeted
>>> +  - bash travis-ci/enable-policy.sh refpolicy && make POLDEV=/usr/share/selinux/refpolicy
>>> diff --git a/travis-ci/enable-policy.sh b/travis-ci/enable-policy.sh
>>> new file mode 100644
>>> index 0000000..ae53fbe
>>> --- /dev/null
>>> +++ b/travis-ci/enable-policy.sh
>>> @@ -0,0 +1,10 @@
>>> +#!/bin/bash
>>> +
>>> +set -e
>>> +
>>> +# create a dummy /etc/selinux/config
>>> +sudo mkdir -p /etc/selinux
>>> +sudo tee /etc/selinux/config >/dev/null <<EOF
>>> +SELINUX=disabled
>>> +SELINUXTYPE=$1
>>> +EOF
>>> diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
>>> new file mode 100644
>>> index 0000000..192e234
>>> --- /dev/null
>>> +++ b/travis-ci/setup-policy-fedora.sh
>>> @@ -0,0 +1,35 @@
>>> +#!/bin/bash
>>> +
>>> +set -ex
>>> +
>>> +if ! [ -d selinux-policy/.git ]; then
>>> +     git clone --recursive https://github.com/fedora-selinux/selinux-policy
>>> +     (cd selinux-policy/policy/modules/contrib && git checkout rawhide)
>>> +else
>>> +     (cd selinux-policy && git pull || { git checkout '*' && git pull; })
>>> +     (cd selinux-policy/policy/modules/contrib && git pull)
>>> +fi
>>> +
>>> +if ! [ -d container-selinux/.git ]; then
>>> +     git clone https://github.com/containers/container-selinux.git
>>> +     for f in container.if container.te; do
>>> +             ln -s ../../../../container-selinux/$f \
>>> +                     selinux-policy/policy/modules/contrib/$f
>>> +     done
>>> +else
>>> +     (cd container-selinux && git pull)
>>> +fi
>>
>> Seems brittle / tightly tied to fedora policy internals - is there some
>> more general facility or perhaps they even provide a script for doing
>> this that we could just reuse?
> 
> No, this is simply how the Fedora policy repos are structured. I
> mostly mirrored the logic of .travis.yml from the main repo [1]. I
> don't think there's a better way to do this.
> 
> [1] https://github.com/fedora-selinux/selinux-policy/
> 
>>
>>> +
>>> +cd selinux-policy
>>> +
>>> +grep -q refpolicy build.conf && sed -i 's/refpolicy/targeted/' build.conf
>>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>>> +     sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
>>
>> Is this a limitation of the checkpolicy packaged in bionic?  If so,
> 
> Yes, I think it is due to checkpolicy/-module being too old. Maybe it
> should actually be handled in policy/Makefile with a [MOD_]POL_VERS
> check... I'll need to look more carefully into this.
> 
>> should we just grab the upstream selinux userspace and build it ourselves?
> 
> I tried to keep the number of dynamic dependencies to a minimum, but
> perhaps that's indeed the better way to go here...
> 
>>
>>> +
>>> +[ -f policy/modules.conf ] || make conf
>>> +
>>> +make -j`nproc --all`
>>> +sudo make install install-headers
>>> +
>>> +# workaround for different Makefile location in Fedora RPMs
>>> +sudo ln -s include/Makefile /usr/share/selinux/targeted/Makefile
>>> diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
>>> new file mode 100644
>>> index 0000000..d89b041
>>> --- /dev/null
>>> +++ b/travis-ci/setup-policy-refpolicy.sh
>>> @@ -0,0 +1,22 @@
>>> +#!/bin/bash
>>> +
>>> +set -ex
>>> +
>>> +if ! [ -d refpolicy/.git ]; then
>>> +     git clone https://github.com/SELinuxProject/refpolicy
>>> +else
>>> +     git pull || { git checkout '*' && git pull; }
>>> +fi
>>> +
>>> +cd refpolicy
>>> +
>>> +[ -f policy/modules.conf ] || make conf
>>> +
>>> +grep -q '^portcon sctp' policy/modules/kernel/corenetwork.te.in && \
>>> +     sed -i '/^portcon sctp/d' policy/modules/kernel/corenetwork.te.in
>>> +
>>> +make -j`nproc --all`
>>> +sudo make install install-headers
>>> +
>>> +# workaround for different Makefile location in Fedora RPMs
>>> +sudo ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
>>>
>>
> 


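The exchange about the fake selinuxfs and `policyvers` (Ondrej's reply on the policy Makefile taking the lower of the checkpolicy and kernel versions, and Stephen's reply that a build should simply target the highest version checkpolicy supports, since libselinux downgrades at load time) boils down to a small version-selection rule. The following is an added example, not the testsuite's policy/Makefile or any code from this thread: a shell function that implements the clamp as described, with the kernel side taken from a selinuxfs mount point passed in as an argument so it can be exercised without SELinux present. The fake selinuxfs directory and the version numbers fed to it are constructed here; `checkpolicy -V`'s first word being the maximum version it writes follows Stephen's `awk '{print $1}'` suggestion above.

```bash
#!/bin/bash
# Added example, not code from the selinux-testsuite: pick the policy
# version a checkpolicy build should target, the way the thread describes
# the policy Makefile doing it (min of checkpolicy's maximum and the
# running kernel's <selinuxfs>/policyvers), with the kernel side optional
# so a CI box without SELinux falls back to checkpolicy's maximum.
#
# Assumptions: the selinuxfs mount point and checkpolicy's maximum are
# passed in as arguments (so the rule is testable offline); the sample
# directory and numbers below are constructed, not read from a real host.
set -eu

# Usage: pick_policy_version <checkpolicy_max> [selinuxfs_dir]
# Prints the version to build. Without a readable policyvers file the
# checkpolicy maximum wins outright, which is also what Stephen's reply
# argues should always happen, as libselinux downgrades at load time.
pick_policy_version() {
    local cp_max="$1" selinuxfs="${2:-}" kern_max=""

    case "$cp_max" in
        ''|*[!0-9]*) echo "checkpolicy version '$cp_max' is not a number" >&2; return 1 ;;
    esac

    if [ -n "$selinuxfs" ] && [ -r "$selinuxfs/policyvers" ]; then
        read -r kern_max < "$selinuxfs/policyvers"
        case "$kern_max" in
            ''|*[!0-9]*) kern_max="" ;;   # garbage in policyvers: ignore it
        esac
    fi

    # A huge fake value (the "999" idea in the thread) simply never clamps.
    if [ -n "$kern_max" ] && [ "$kern_max" -lt "$cp_max" ]; then
        echo "$kern_max"
    else
        echo "$cp_max"
    fi
}

# Discovering both inputs on a live system. The mount point is found by
# filesystem type in /proc/mounts, so a tmpfs mounted under a path that
# merely contains the word "selinuxfs" is not mistaken for the real thing.
checkpolicy_max_version() {
    checkpolicy -V | awk '{ print $1 }'
}

selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; exit }' /proc/mounts 2>/dev/null || true
}

build_policy_version() {
    pick_policy_version "$(checkpolicy_max_version)" "$(selinuxfs_mountpoint)"
}

# --- constructed stand-in for a selinuxfs mount, as the CI patch fakes it ---
demo_fs="$(mktemp -d)"
trap 'rm -rf "$demo_fs"' EXIT
echo 31 > "$demo_fs/policyvers"

echo "fake selinuxfs says 31, checkpolicy 33 -> build $(pick_policy_version 33 "$demo_fs")"
echo "no selinuxfs at all,   checkpolicy 33 -> build $(pick_policy_version 33)"
```

The practical consequence for the CI job in this thread: with no real selinuxfs present, `build_policy_version` returns checkpolicy's own maximum, so a fake mount only matters if something else insists on finding a `policyvers` file; if it does, writing any number at or above checkpolicy's maximum there leaves the result unchanged.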

Thread overview: 12+ messages
2019-09-30 10:48 [PATCH testsuite 0/3] Fix refpolicy build & build test_policy.pp in Travis Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 1/3] policy: consolidate macros for home dirs access Ondrej Mosnacek
2019-09-30 13:24   ` Stephen Smalley
2019-09-30 13:56     ` Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 2/3] policy: add fallbacks for Fedora-specific macros Ondrej Mosnacek
2019-09-30 13:32   ` Stephen Smalley
2019-09-30 14:21     ` Ondrej Mosnacek
2019-09-30 10:48 ` [PATCH testsuite 3/3] travis: test building the test policy package Ondrej Mosnacek
2019-09-30 13:43   ` Stephen Smalley
2019-09-30 13:51     ` Stephen Smalley
2019-09-30 15:02     ` Ondrej Mosnacek
2019-09-30 18:05       ` Stephen Smalley
