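---
# Reusable workflow (invoked via workflow_call) that runs setools'
# sechecker against policies built earlier in the same run.  It expects
# three artifacts from previous jobs: "selinux-bin" (userspace tools and
# their shared libraries), "setools" (a wheel) and one
# "refpolicy-<matrix>" artifact per matrix combination.  The sechecker log
# is uploaded as "validation-<matrix>" regardless of the outcome.
name: Validate policy

on:
  workflow_call:
    inputs:
      python-version:
        description: "Python version to use"
        required: true
        type: string

jobs:
  sechecker:
    runs-on: ubuntu-22.04

    # Least privilege for GITHUB_TOKEN: the only repository access this job
    # needs is reading the testing/ directory for the checkout step.  A
    # caller can only narrow these permissions further, never widen them,
    # so widen here if a future step needs more.
    permissions:
      contents: read

    strategy:
      matrix:
        distro: ["gentoo"]
        type: ["standard", "mcs", "mls"]
        monolithic: ["y", "n"]
        systemd: ["y", "n"]
        direct_initrc: ["y", "n"]
        apps-off: ["unconfined", ""]
        exclude:
          - { distro: "redhat", systemd: "n" }
          - { distro: "redhat", direct_initrc: "y" }
          - { distro: "debian", systemd: "n" }
          - { distro: "debian", direct_initrc: "y" }
          - { type: "mls", apps-off: "" }
          - { systemd: "y", direct_initrc: "y" }
          # above here, the matrix must be the same as in build-policy.yml.
          # below here, remove duplicate analyses
          - { monolithic: "n" }
          - { type: "standard" }
          - { apps-off: "" }
          - { systemd: "n" }

    steps:
      # All third-party actions below are pinned to mutable major-version
      # tags.  Pinning to a full commit SHA (keeping the tag in a trailing
      # comment) makes the action supply chain reproducible; Dependabot can
      # still track updates for SHA-pinned actions.
      - name: Checkout testing dir of repo
        uses: actions/checkout@v4
        with:
          sparse-checkout: testing

      # Only refreshes the package index; nothing is installed via apt here.
      - name: Install dependencies
        shell: bash
        run: |
          sudo apt-get update -q

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "${{ inputs.python-version }}"

      - name: Download userspace binary artifact
        uses: actions/download-artifact@v4
        id: dl-userspace
        with:
          name: selinux-bin

      # actions/upload-artifact does not preserve permissions.
      - name: Fix userspace file permissions
        shell: bash
        working-directory: "${{ steps.dl-userspace.outputs.download-path }}"
        run: chmod +x usr/bin/* lib/*.so* usr/lib/*.so* usr/libexec/selinux/hll/pp sbin/* usr/sbin/*

      - name: Download policy artifact
        uses: actions/download-artifact@v4
        id: dl-refpolicy
        with:
          # Must match the artifact name produced by build-policy.yml for
          # the same matrix combination.
          name: refpolicy-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}

      - name: Download setools artifact
        uses: actions/download-artifact@v4
        id: dl-setools
        with:
          name: setools

      - name: Install setools
        shell: bash
        working-directory: "${{ steps.dl-setools.outputs.download-path }}"
        # NOTE(review): under sudo, `pip` may resolve to the system
        # interpreter rather than the one provided by setup-python —
        # confirm which Python sechecker ends up running under.
        run: sudo pip install setools*.whl

      - name: Validate security goals with sechecker
        shell: bash
        id: sechecker
        # The step output is passed through env rather than interpolated
        # into the script text, so the shell treats it as data.  This is
        # the recommended pattern for any ${{ }} value used in a run: step.
        run: sechecker testing/sechecker.ini "${REFPOLICY_DIR}/sepolicy" -o sechecker.log
        env:
          REFPOLICY_DIR: "${{ steps.dl-refpolicy.outputs.download-path }}"
          # The userspace artifact carries the shared libraries (lib/,
          # usr/lib/) that the downloaded tools need at runtime.
          LD_LIBRARY_PATH: "${{ steps.dl-userspace.outputs.download-path }}/lib:${{ steps.dl-userspace.outputs.download-path }}/usr/lib"

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        # Upload the log even when sechecker fails, so failures are
        # inspectable from the run's artifacts.
        if: always()
        with:
          name: validation-${{ matrix.distro }}-${{ matrix.type }}-${{ matrix.monolithic }}-${{ matrix.systemd }}-${{ matrix.direct_initrc }}-${{ matrix.apps-off }}
          path: |
            sechecker.log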