From fb91772dca1021faca924c1474e33ee358ee7534 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 22 Nov 2024 09:52:04 -0500
Subject: [PATCH 1/2] build-userspace/setools.yml: Add commit hash to cache ID.
The jobs use the git reference to cheeckout the sources. Additional commits may have added since the cache was created, so add the commit ID to the cache's key.
Signed-off-by: Chris PeBenito
---
 .github/workflows/build-setools.yml | 19 +++++++++++--------
 .github/workflows/build-userspace.yml | 20 ++++++++++++--------
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build-setools.yml b/.github/workflows/build-setools.yml
index 1ea08fd061..a7a88a289b 100644
--- a/.github/workflows/build-setools.yml
+++ b/.github/workflows/build-setools.yml
@@ -23,20 +23,23 @@ jobs:
 artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
 steps:
- - name: Download cached SETools
- uses: actions/cache@v4
- id: cache-setools
- with:
- path: "setools-*.whl"
- key: setools-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
-
 - name: Checkout setools
 uses: actions/checkout@v4
- if: ${{ steps.cache-setools.outputs.cache-hit != 'true' }}
 with:
 repository: SELinuxProject/setools
 ref: "${{ inputs.version }}"
+ - name: Get the latest commit hash
+ shell: bash
+ run: echo "COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+ - name: Download cached SETools
+ uses: actions/cache@v4
+ id: cache-setools
+ with:
+ path: "setools-*.whl"
+ key: setools-${{ inputs.version }}-${{ env.COMMIT_HASH }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
+
 - name: Download userspace artifact
 uses: actions/download-artifact@v4
 if: ${{ steps.cache-setools.outputs.cache-hit != 'true' }}
diff --git a/.github/workflows/build-userspace.yml b/.github/workflows/build-userspace.yml
index db01097e88..897fa1aa47 100644
--- a/.github/workflows/build-userspace.yml
+++ b/.github/workflows/build-userspace.yml
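Review bot: The new `Get the latest commit hash` step redirects into `$GITHUB_ENV` unquoted, so the target path is subject to word splitting and globbing; prefer `run: echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_ENV"`. The identical line appears in the build-userspace.yml hunk. The value itself is a hex object id from `git rev-parse HEAD`, so it cannot carry a newline or `=` into the env file, which is the property that makes it safe to splice into the cache key as `${{ env.COMMIT_HASH }}`. Because the cache step now follows the checkout, a cache hit no longer skips the clone; a one-line comment on the cache step, `# checkout runs first so the resolved commit can be part of the cache key`, would record why the `if:` was dropped from the checkout while the later steps keep theirs. With `${{ inputs.version }}` still in the key, the hash is what prevents a stale hit when the input is a moving branch name, so no `restore-keys` fallback should be added or that guarantee is lost again.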
@@ -27,21 +27,25 @@ jobs:
 binary-id: ${{ steps.upload-artifact.outputs.artifact-id }}
 steps:
- - name: Download cached SELinux userspace
- uses: actions/cache@v4
- id: cache-userspace
- with:
- path: ${{ github.workspace }}/selinux.tar.gz
- key: selinux-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
-
 - name: Checkout SELinux userspace tools and libs
 uses: actions/checkout@v4
- if: ${{ steps.cache-userspace.outputs.cache-hit != 'true' }}
 with:
 repository: SELinuxProject/selinux
 ref: "${{ inputs.version }}"
 path: "${{ env.SELINUX_SRC }}"
+ - name: Get the latest commit hash
+ shell: bash
+ run: echo "COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV
+ working-directory: "${{ env.SELINUX_SRC }}"
+
+ - name: Download cached SELinux userspace
+ uses: actions/cache@v4
+ id: cache-userspace
+ with:
+ path: ${{ github.workspace }}/selinux.tar.gz
+ key: selinux-${{ inputs.version }}-${{ env.COMMIT_HASH }}-${{ runner.os }}-${{ runner.arch }}-Python${{ inputs.python-version }}
+
 - name: Set up Python
 uses: actions/setup-python@v5
 if: ${{ steps.cache-userspace.outputs.cache-hit != 'true' }}
From 3046a8b340ba78433cbe2c661f4994c6f313a265 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 7 Nov 2024 15:10:57 -0500
Subject: [PATCH 2/2] CI: Add a semodule load test to verify modules insert to store.
There have been some discrepancies between semodule_link/_expand and semodule -i, see #829. Add an extra CI test of installing the modules using semodule -i.
Signed-off-by: Chris PeBenito
---
 .github/workflows/build-policy.yml | 11 +++++++++++
 .github/workflows/tests.yml | 2 +-
 Rules.modular | 10 ++++++++--
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-policy.yml b/.github/workflows/build-policy.yml
index 017c674861..936e17d0c6 100644
--- a/.github/workflows/build-policy.yml
+++ b/.github/workflows/build-policy.yml
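Review bot: The re-added cache step keeps `path: ${{ github.workspace }}/selinux.tar.gz` as a plain scalar while the checkout's `path:` and the new `working-directory:` in the same hunk quote their expressions; for consistency within the file write `path: "${{ github.workspace }}/selinux.tar.gz"`. The `working-directory: "${{ env.SELINUX_SRC }}"` on the hash step is the right scoping, since `git rev-parse HEAD` has to run inside the checked-out SELinux tree rather than the workspace root; `SELINUX_SRC` is defined outside this hunk, so the step depends on that job-level `env:` entry keeping its name. The unquoted `$GITHUB_ENV` redirect is the same point raised on the build-setools.yml hunk.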
@@ -90,6 +90,12 @@ jobs:
 echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
 echo "WERROR=y" >> $GITHUB_ENV
 echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+ echo 'multiple-decls = true' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sed -i -e '/^module-store/a compiler-directory = ${{ steps.dl-userspace.outputs.download-path }}/usr/libexec/selinux/hll' ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[sefcontext_compile]\npath = ${{ steps.dl-userspace.outputs.download-path }}/usr/sbin/sefcontext_compile\nargs = $@\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ echo -e '[setfiles]\npath = ${{ steps.dl-userspace.outputs.download-path }}/sbin/setfiles\nargs = -c $@ $<\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+ sudo cp ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf /etc/selinux/semanage.conf
+ cat /etc/selinux/semanage.conf
 - name: Build refpolicy
 shell: bash
@@ -119,12 +125,17 @@ jobs:
 working-directory: ${{ inputs.path }}
 shell: bash
 run: |
+ echo "${TEST_TOOLCHAIN}"
 make install
 make install-headers
 make install-src
 make install-docs
 make install-udica-templates
 make install-appconfig
+ if [[ $MONOLITHIC == "n" ]]; then
+ # test modules insertion
+ sudo -E make load
+ fi
 env:
 DESTDIR: /tmp/refpolicy-install
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1b1982ce39..affaffad67 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
 uses: ./.github/workflows/build-userspace.yml
 # depend on lint so expensive operations don't run if lint fails
 with:
- version: "3.2"
+ version: "3.8.1"
 python-version: "3.10"
 build_setools:
diff --git a/Rules.modular b/Rules.modular
index c705541ec9..0a5eb047cb 100644
--- a/Rules.modular
+++ b/Rules.modular
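Review bot: The `sed -i -e '/^module-store/a compiler-directory = …'` line silently inserts nothing when the downloaded semanage.conf has no `module-store` line, and the following `cat` only displays the file rather than failing the job; add a check such as `grep -q '^compiler-directory' "${conf}"` right after the sed so a missing `compiler-directory` fails this step instead of surfacing later as an unrelated semodule error. The same `${{ steps.dl-userspace.outputs.download-path }}` expression is expanded nine times into unquoted shell positions; the line above already captures it into `TEST_TOOLCHAIN`, but that env-file entry is only visible to later steps, so binding it once to a quoted local (`tc=…`) inside this script removes the repetition and the word-splitting exposure. `printf` is the portable spelling of the two `echo -e` lines, although with `shell: bash` both work. The enclosing `run: |` step begins outside the hunk.
```yaml
        # … unchanged: DIRECT_INITRC / WERROR / TEST_TOOLCHAIN exports …
        tc="${{ steps.dl-userspace.outputs.download-path }}"
        conf="${tc}/etc/selinux/semanage.conf"
        echo 'multiple-decls = true' >> "${conf}"
        sed -i -e "/^module-store/a compiler-directory = ${tc}/usr/libexec/selinux/hll" "${conf}"
        # fail early if the append above found no module-store line to anchor on
        grep -q '^compiler-directory' "${conf}"
        printf '[sefcontext_compile]\npath = %s/usr/sbin/sefcontext_compile\nargs = $@\n[end]\n' "${tc}" >> "${conf}"
        printf '[setfiles]\npath = %s/sbin/setfiles\nargs = -c $@ $<\n[end]\n' "${tc}" >> "${conf}"
        sudo cp "${conf}" /etc/selinux/semanage.conf
        cat /etc/selinux/semanage.conf
```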
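Review bot: The added `echo "${TEST_TOOLCHAIN}"` at the top of the install script prints an unlabelled path into the job log that a reader cannot attribute; either drop it or make it self-describing, `echo "TEST_TOOLCHAIN=${TEST_TOOLCHAIN}"`. `sudo -E make load` preserves the environment, including `DESTDIR` from the step's `env:`, but sudo's `secure_path` on the Ubuntu runners still replaces `PATH`, so this presumably relies on the Makefile resolving semodule through `TEST_TOOLCHAIN` rather than `PATH` — a short comment on that line stating which it is would save the next person a failed run. The `# test modules insertion` comment would read better as `# non-monolithic builds: insert the modules into the DESTDIR store with semodule -i`, matching the commit's stated purpose. The step's `- name:` line is outside the hunk.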
@@ -3,6 +3,12 @@
 # Rules and Targets for building modular policies
 #
+module_store_root := $(DESTDIR)/var/lib/selinux
+
+ifneq "$(DESTDIR)" ""
+ SEMODULE += -p $(DESTDIR) -n
+endif
+
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
 enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
@@ -57,7 +63,7 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 ########################################
@@ -68,7 +74,7 @@ pure-load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 @echo "Loading configured modules."
- @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+ @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
 ########################################
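Review bot: The new `ifneq "$(DESTDIR)" ""` block appends `-p $(DESTDIR) -n` to `SEMODULE` with no explanation, and the intent of those two flags is not obvious from the Makefile alone; add a comment above it such as `# When staging under DESTDIR, run semodule against the staged policy root (-p) and skip the kernel reload (-n).`. Because `+=` is used, the block depends on `SEMODULE` already being assigned before Rules.modular is included; if it is assigned afterwards with `:=`, the appended flags are silently lost, so the include order in the top-level Makefile is worth confirming. `module_store_root` is defined with `:=`, which is fine since `DESTDIR` comes from the environment or the command line and is fixed before this file is read; a short comment saying why `var/lib/selinux` is the directory that must be pre-created would help the next reader of the `load` recipes.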
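Review bot: The comment directly above the changed `$(INSTALL) -d` line still says `make sure two directories exist since they are not created by semanage`, but the line now creates three — `$(policypath)`, `$(dir $(fcpath))` and `$(module_store_root)` — so it should read `# make sure the policy, file-contexts and module-store directories exist since they are not created by semanage`. The same stale comment sits above the identical change in the `pure-load` hunk. When `DESTDIR` is empty, `module_store_root` expands to `/var/lib/selinux` and is created with mode 0755 on the live system; that matches the other directories on the same line, but it is a new side effect of `make load` outside DESTDIR and deserves a mention in the recipe's comment.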