diff --git a/.github/workflows/build-policy.yml b/.github/workflows/build-policy.yml
index 017c674861..936e17d0c6 100644
--- a/.github/workflows/build-policy.yml
+++ b/.github/workflows/build-policy.yml
@@ -90,6 +90,12 @@ jobs:
 echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
 echo "WERROR=y" >> $GITHUB_ENV
 echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+ echo 'multiple-decls = true' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sed -i -e '/^module-store/a compiler-directory = ${{ steps.dl-userspace.outputs.download-path }}/usr/libexec/selinux/hll' ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[sefcontext_compile]\npath = ${{ steps.dl-userspace.outputs.download-path }}/usr/sbin/sefcontext_compile\nargs = $@\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[setfiles]\npath = ${{ steps.dl-userspace.outputs.download-path }}/sbin/setfiles\nargs = -c $@ $<\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sudo cp ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf /etc/selinux/semanage.conf
+ cat /etc/selinux/semanage.conf
 
 - name: Build refpolicy
 shell: bash
@@ -119,12 +125,17 @@ jobs:
 working-directory: ${{ inputs.path }}
 shell: bash
 run: |
+ echo "${TEST_TOOLCHAIN}"
 make install
 make install-headers
 make install-src
 make install-docs
 make install-udica-templates
 make install-appconfig
+ if [[ $MONOLITHIC == "n" ]]; then
+ # test modules insertion
+ sudo -E make load
+ fi
 env:
 DESTDIR: /tmp/refpolicy-install
 
diff --git a/.github/workflows/build-setools.yml b/.github/workflows/build-setools.yml
index 1ea08fd061..a7a88a289b 100644
--- a/.github/workflows/build-setools.yml
+++ b/.github/workflows/build-setools.yml
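Review bot: The `sed -i -e '/^module-store/a compiler-directory = …'` line succeeds even when the downloaded semanage.conf has no `module-store` line, so a missing or renamed key silently leaves `compiler-directory` unset and the later `make load` would fall back to whatever HLL compilers the runner has rather than the test toolchain's; a `grep -q '^compiler-directory' "$conf" || exit 1` after the edit fails the step explicitly instead of relying on the trailing `cat` for a human to notice. Expanding `${{ steps.dl-userspace.outputs.download-path }}` unquoted six times also means a path containing whitespace breaks the redirects and the `cp`; assigning it once, `conf="${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf"`, and quoting `"$conf"` everywhere makes the block both safer and shorter. The `run:` block these lines belong to starts before the hunk.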
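Review bot: `sudo -E make load` preserves the caller's environment variables but, on a sudoers configuration that sets `secure_path` (the Ubuntu default), not the caller's `PATH`, so if `$(SEMODULE)` or the HLL compilers it invokes are resolved by name rather than by an absolute path under `TEST_TOOLCHAIN`, the load may quietly run the runner's system `semodule` instead of the freshly built one; `sudo -E env PATH="$PATH" make load`, or confirming that the Makefile derives `SEMODULE` from an absolute toolchain path, would pin this down. The `echo "${TEST_TOOLCHAIN}"` at the top of the run block reads as a leftover debug print; if it is meant to stay, a comment such as `# show which userspace toolchain this job installs against` would explain it. The step definition starts before the hunk.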
@@ -23,20 +23,23 @@ jobs:
 artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
 
 steps:
- - name: Download cached SETools
- uses: actions/cache@v4
- id: cache-setools
- with:
- path: "setools-*.whl"
- key: setools-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
-
 - name: Checkout setools
 uses: actions/checkout@v4
- if: ${{ steps.cache-setools.outputs.cache-hit != 'true' }}
 with:
 repository: SELinuxProject/setools
 ref: "${{ inputs.version }}"
 
+ - name: Get the latest commit hash
+ shell: bash
+ run: echo "COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+ - name: Download cached SETools
+ uses: actions/cache@v4
+ id: cache-setools
+ with:
+ path: "setools-*.whl"
+ key: setools-${{ inputs.version }}-${{ env.COMMIT_HASH }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
+
 - name: Download userspace artifact
 uses: actions/download-artifact@v4
 if: ${{ steps.cache-setools.outputs.cache-hit != 'true' }}
diff --git a/.github/workflows/build-userspace.yml b/.github/workflows/build-userspace.yml
index db01097e88..897fa1aa47 100644
--- a/.github/workflows/build-userspace.yml
+++ b/.github/workflows/build-userspace.yml
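Review bot: The added "Get the latest commit hash" step shells out to `git rev-parse HEAD` and writes `GITHUB_ENV` only to feed the cache key, while `actions/checkout` already publishes the resolved SHA as a `commit` step output on recent v4 releases (v4.2 and later, if I recall the changelog correctly); giving the checkout an `id:` and using `${{ steps.<id>.outputs.commit }}` in the key would drop the extra step, here and in the matching hunk of build-userspace.yml. Moving the cache restore after the checkout also means a cache hit no longer skips the clone, which is the price of keying on the commit and is worth a one-line comment above the cache step, e.g. `# keyed on the resolved commit so a moving branch ref in inputs.version does not return a stale wheel`.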
@@ -27,21 +27,25 @@ jobs:
 binary-id: ${{ steps.upload-artifact.outputs.artifact-id }}
 
 steps:
- - name: Download cached SELinux userspace
- uses: actions/cache@v4
- id: cache-userspace
- with:
- path: ${{ github.workspace }}/selinux.tar.gz
- key: selinux-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
-
 - name: Checkout SELinux userspace tools and libs
 uses: actions/checkout@v4
- if: ${{ steps.cache-userspace.outputs.cache-hit != 'true' }}
 with:
 repository: SELinuxProject/selinux
 ref: "${{ inputs.version }}"
 path: "${{ env.SELINUX_SRC }}"
 
+ - name: Get the latest commit hash
+ shell: bash
+ run: echo "COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV
+ working-directory: "${{ env.SELINUX_SRC }}"
+
+ - name: Download cached SELinux userspace
+ uses: actions/cache@v4
+ id: cache-userspace
+ with:
+ path: ${{ github.workspace }}/selinux.tar.gz
+ key: selinux-${{ inputs.version }}-${{ env.COMMIT_HASH }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
+
 - name: Set up Python
 uses: actions/setup-python@v5
 if: ${{ steps.cache-userspace.outputs.cache-hit != 'true' }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1b1982ce39..affaffad67 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
 uses: ./.github/workflows/build-userspace.yml
 # depend on lint so expensive operations don't run if lint fails
 with:
- version: "3.2"
+ version: "3.8.1"
 python-version: "3.10"
 
 build_setools:
diff --git a/Rules.modular b/Rules.modular
index c705541ec9..0a5eb047cb 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -3,6 +3,12 @@
 # Rules and Targets for building modular policies
 #
 
+module_store_root := $(DESTDIR)/var/lib/selinux
+
+ifneq "$(DESTDIR)" ""
+ SEMODULE += -p $(DESTDIR) -n
+endif
+
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
 enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
@@ -57,7 +63,7 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 
 ########################################
@@ -68,7 +74,7 @@ pure-load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
 
 ########################################
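Review bot: The new `ifneq "$(DESTDIR)" ""` block changes what `make load` and `make pure-load` do for every DESTDIR build, not just CI, without saying why; a comment above it such as `# With DESTDIR set, operate on the staged module store under $(DESTDIR) and do not reload the running kernel policy (semodule -p / -n)` would record the intent for packagers. It would also help to note the minimum semodule version that understands `-p`, since the workflow change in this same commit bumps the userspace build to 3.8.1 and an older toolchain would fail on the unknown option. `SEMODULE` itself is defined outside this hunk, so whether the `+=` here runs before or after that definition cannot be checked from the diff.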
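Review bot: The comment two lines above the changed `$(INSTALL) -d` line still reads `# make sure two directories exist since they are not` / `# created by semanage`, but the recipe now creates three, `$(module_store_root)` having been appended; the same stale comment sits in the `pure-load` hunk below. Rewording it in both places to `# make sure the policy, file-context and module-store directories exist since they are not created by semanage` keeps the recipes self-describing. The `load:` and `pure-load:` target lines themselves are above their hunks.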