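name: Build refpolicy

# Reusable workflow: checks out the SELinux reference policy at the requested
# version, builds it for every combination of the matrix below, validates the
# result, exercises the install targets and uploads the normalized policy.
# It consumes the "selinux" (userspace) and "setools" artifacts that earlier
# jobs of the calling run must have produced.
on:
  workflow_call:
    inputs:
      version:
        description: "Refpolicy version (a git commit ID, tag, or branch)"
        required: false
        type: string
        default: ""
      path:
        description: "Path to store the refpolicy sources"
        required: false
        type: string
        default: "refpolicy-src"
      python-version:
        description: "Python version to use"
        required: true
        type: string
      artifact-name:
        description: "Artifact name to use; suffixed with policy build options (distro, mls/mcs, etc.)"
        required: false
        type: string
        default: "refpolicy"

jobs:
  build:
    runs-on: ubuntu-22.04
    # Least privilege: this job only clones the repository and exchanges
    # artifacts within the same run, so the GITHUB_TOKEN inherited from the
    # caller needs no write scopes. A called workflow may only narrow the
    # caller's grant, never widen it.
    permissions:
      contents: read
    strategy:
      matrix:
        # matrix updates must also be duplicated to validate-policy.yml and diff-policy.yml
        distro: ["gentoo"]
        type: ["standard", "mcs", "mls"]
        monolithic: ["y", "n"]
        systemd: ["y", "n"]
        direct_initrc: ["y", "n"]
        apps-off: ["unconfined", ""]
        exclude:
          # The redhat/debian rules are inert while "distro" lists only
          # gentoo; they are kept so re-adding a distro keeps its constraints.
          - { distro: "redhat", systemd: "n" }
          - { distro: "redhat", direct_initrc: "y" }
          - { distro: "debian", systemd: "n" }
          - { distro: "debian", direct_initrc: "y" }
          - { type: "mls", apps-off: "" }
          - { systemd: "y", direct_initrc: "y" }
    # NOTE(review): the actions below are pinned to moving major tags
    # (@v4, @v5). Pinning each to a full-length commit SHA removes the risk
    # of a retargeted tag pulling different code into the build.
    steps:
      - name: Checkout refpolicy sources
        uses: actions/checkout@v4
        with:
          ref: "${{ inputs.version }}"
          path: "${{ inputs.path }}"
          # No later step pushes or fetches, so do not leave the token in
          # the checked-out .git/config for the build steps to read.
          persist-credentials: false
      - name: Download userspace artifact
        uses: actions/download-artifact@v4
        id: dl-userspace
        with:
          name: selinux
      # This should be the minimum required Python version to build refpolicy.
      # or the standard Python version on Ubuntu.
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "${{ inputs.python-version }}"
      - name: Download setools artifact
        uses: actions/download-artifact@v4
        id: dl-setools
        with:
          name: setools
      - name: Install dependencies
        shell: bash
        # Expression values are passed through env instead of being spliced
        # into the script text, so a value containing shell metacharacters
        # stays data rather than becoming code.
        env:
          SETOOLS_DIR: ${{ steps.dl-setools.outputs.download-path }}
        run: |
          tar -C "${SETOOLS_DIR}" -zxvf selinux.tar.gz
          # NOTE(review): networkx is unpinned; pin a version (ideally with
          # hashes) so the build is reproducible and not exposed to a bad
          # upstream release.
          sudo python -m pip install setools*.whl networkx
      - name: Configure environment
        shell: bash
        # Workflow inputs and step outputs go through env (see above); the
        # matrix values are static but are handled the same way so the script
        # contains no ${{ }} expressions at all.
        env:
          PYTHON_VERSION: ${{ inputs.python-version }}
          TOOLCHAIN_DIR: ${{ steps.dl-userspace.outputs.download-path }}
          MATRIX_TYPE: ${{ matrix.type }}
          MATRIX_DISTRO: ${{ matrix.distro }}
          MATRIX_MONOLITHIC: ${{ matrix.monolithic }}
          MATRIX_SYSTEMD: ${{ matrix.systemd }}
          MATRIX_APPS_OFF: ${{ matrix.apps-off }}
          MATRIX_DIRECT_INITRC: ${{ matrix.direct_initrc }}
        run: |
          # Export the build configuration to every later step via GITHUB_ENV.
          {
            echo "DESTDIR=/tmp/refpolicy"
            echo "PYTHON=python${PYTHON_VERSION}"
            echo "PYTHONPATH=/usr/local/lib/python${PYTHON_VERSION}/dist-packages"
            echo "TYPE=${MATRIX_TYPE}"
            echo "DISTRO=${MATRIX_DISTRO}"
            echo "MONOLITHIC=${MATRIX_MONOLITHIC}"
            echo "SYSTEMD=${MATRIX_SYSTEMD}"
            echo "APPS_OFF=${MATRIX_APPS_OFF}"
            echo "DIRECT_INITRC=${MATRIX_DIRECT_INITRC}"
            echo "WERROR=y"
            # The escaped quotes are written literally into the variable's
            # value. NOTE(review): confirm the refpolicy Makefile expects a
            # quoted TEST_TOOLCHAIN; an unquoted path would be the usual form.
            echo "TEST_TOOLCHAIN=\"${TOOLCHAIN_DIR}\""
          } >> "$GITHUB_ENV"
      - name: Build refpolicy
        shell: bash
        working-directory: "${{ inputs.path }}"
        run: |
          # Drop build.conf settings to listen to env vars
          sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
          make bare
          make conf
          make
      - name: Validate output policy
        working-directory: "${{ inputs.path }}"
        shell: bash
        run: |
          make validate
      - name: Build docs
        working-directory: "${{ inputs.path }}"
        shell: bash
        run: |
          make xml
          make html
      - name: Test installation
        working-directory: "${{ inputs.path }}"
        shell: bash
        run: |
          make install
          make install-headers
          make install-src
          make install-docs
          make install-udica-templates
          make install-appconfig
        # Step-level DESTDIR overrides the one exported above so the install
        # tree does not land in the build DESTDIR.
        env:
          DESTDIR: /tmp/refpolicy-install
      # normalize to "sepolicy" and "file_contexts"
      - name: Normalize artifacts
        working-directory: "${{ inputs.path }}"
        shell: bash
        run: |
          if [[ $MONOLITHIC == "y" ]]; then
            # Ask make for the versioned policy file name (policy.<polver>).
            policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
            mv "${policy_file}" sepolicy
          else
            mv tmp/policy.bin sepolicy
            mv tmp/all_mods.fc file_contexts
          fi
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.artifact-name }}-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
          # Monolithic builds produce no file_contexts; the upload still
          # succeeds as long as at least one listed path exists.
          path: |
            ${{ inputs.path }}/sepolicy
            ${{ inputs.path }}/file_contexts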