CI: Add a semodule load test to verify modules insert to store.

There have been some discrepancies between semodule_link/_expand
and semodule -i, see #829.  Add an extra CI test of installing
the modules using semodule -i.

Signed-off-by: Chris PeBenito <[email protected]>

Author: pebenito

.github/workflows/build-policy.yml

@@ -90,6 +90,12 @@ jobs:
         echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
         echo "WERROR=y" >> $GITHUB_ENV
         echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+        echo 'multiple-decls = true' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        sed -i -e '/^module-store/a compiler-directory = ${{ steps.dl-userspace.outputs.download-path }}/usr/libexec/selinux/hll' ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        echo -e '[sefcontext_compile]\npath = ${{ steps.dl-userspace.outputs.download-path }}/usr/sbin/sefcontext_compile\nargs = $@\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        echo -e '[setfiles]\npath = ${{ steps.dl-userspace.outputs.download-path }}/sbin/setfiles\nargs = -c $@ $<\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        sudo cp ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf /etc/selinux/semanage.conf
+        cat /etc/selinux/semanage.conf
 
     - name: Build refpolicy
       shell: bash
@@ -119,12 +125,17 @@ jobs:
       working-directory: ${{ inputs.path }}
       shell: bash
       run: |
+        echo "${TEST_TOOLCHAIN}"
         make install
         make install-headers
         make install-src
         make install-docs
         make install-udica-templates
         make install-appconfig
+        if [[ $MONOLITHIC == "n" ]]; then
+          # test modules insertion
+          sudo -E make load
+        fi
       env:
         DESTDIR: /tmp/refpolicy-install
 

.github/workflows/tests.yml

@@ -22,7 +22,7 @@ jobs:
     uses: ./.github/workflows/build-userspace.yml
     # depend on lint so expensive operations don't run if lint fails
     with:
-      version: "3.2"
+      version: "3.8.1"
       python-version: "3.10"
 
   build_setools:

Rules.modular

@@ -3,6 +3,12 @@
 # Rules and Targets for building modular policies
 #
 
+module_store_root := $(DESTDIR)/var/lib/selinux
+
+ifneq "$(DESTDIR)" ""
+	SEMODULE += -p $(DESTDIR) -n
+endif
+
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
 enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
@@ -57,7 +63,7 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 	@echo "Loading configured modules."
-	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 
 ########################################
@@ -68,7 +74,7 @@ pure-load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 	@echo "Loading configured modules."
-	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
 
 ########################################