Merge remote-tracking branch 'upstream/main' (refpolicy 2.20240226)

SorenEricMent · Feb 29, 2024 · f94e978 · f94e978
2 parents 4086ec1 + fa84ee8
commit f94e978
Show file tree

Hide file tree

Showing 80 changed files with 4,169 additions and 185 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -3,30 +3,41 @@ name: Build tests
 on: [push, pull_request]
 
 env:
+  # Minimum userspace version to build refpolicy.
   SELINUX_USERSPACE_VERSION: checkpolicy-3.1
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # This version should be the minimum required to run the fc checker
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: 3.7
 
     - name: Install dependencies
       run: |
-        sudo apt-get update -qq
+        sudo apt-get update -q
+        sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
 
-        # Install SELint from Debian testing
-        wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
-        sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
-        sudo apt-get install -qqy selint
-        selint -V
+    - name: Checkout SELint
+      uses: actions/checkout@v3
+      with:
+        repository: SELinuxProject/selint
+        ref: 'v1.5.0'
+        path: selint
+
+    - name: Build SELint
+      run: |
+        cd selint/
+        ./autogen.sh
+        ./configure --without-check
+        make -j$(nproc)
+        sudo make install
 
     - name: Create generated policy files
       run: |
@@ -39,69 +50,86 @@ jobs:
     - name: Run SELint
       run: |
         # disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
+        # disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
         # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
-        selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
+        selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
 
   build:
-    runs-on: ubuntu-latest
-
-    needs: lint
+    runs-on: ubuntu-20.04
 
     strategy:
       fail-fast: false
 
       matrix:
         build-opts:
-          - {type: standard, distro: arch, monolithic: y, systemd: y}
-          - {type: standard, distro: arch, monolithic: n, systemd: y}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y}
-          - {type: standard, distro: redhat, monolithic: n, systemd: y}
-          - {type: standard, distro: debian, monolithic: y, systemd: y}
-          - {type: standard, distro: debian, monolithic: n, systemd: y}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n}
-          - {type: standard, distro: gentoo, monolithic: n, systemd: n}
-          - {type: mcs, distro: arch, monolithic: y, systemd: y}
-          - {type: mcs, distro: arch, monolithic: n, systemd: y}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y}
-          - {type: mcs, distro: redhat, monolithic: n, systemd: y}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y}
-          - {type: mcs, distro: debian, monolithic: n, systemd: y}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n}
-          - {type: mcs, distro: gentoo, monolithic: n, systemd: n}
-          - {type: mls, distro: arch, monolithic: y, systemd: y}
-          - {type: mls, distro: arch, monolithic: n, systemd: y}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y}
-          - {type: mls, distro: redhat, monolithic: n, systemd: y}
-          - {type: mls, distro: debian, monolithic: y, systemd: y}
-          - {type: mls, distro: debian, monolithic: n, systemd: y}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n}
-          - {type: mls, distro: gentoo, monolithic: n, systemd: n}
-          - {type: standard, distro: arch, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
-          - {type: mcs, distro: arch, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
-          - {type: mls, distro: arch, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
-          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
-
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
+          - {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
+          - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
+
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     # This should be the minimum required Python version to build refpolicy.
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: 3.5
 
     - name: Install dependencies
       run: |
-        sudo apt-get update -qq
-        sudo apt-get install -qqy \
+        sudo apt-get update -q
+        sudo apt-get install -qy \
             bison \
             flex \
             gettext \
@@ -122,6 +150,7 @@ jobs:
         echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
         echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
         echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
+        echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
         echo "WERROR=y" >> $GITHUB_ENV
 
     - name: Build toolchain
@@ -142,7 +171,7 @@ jobs:
     - name: Build refpolicy
       run: |
         # Drop build.conf settings to listen to env vars
-        sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
+        sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf
 
         make bare
         make conf