CI: Add a semodule load test to verify modules insert to store.

There have been some discrepancies between semodule_link/_expand and semodule -i, see #829. Add an extra CI test of installing the modules using semodule -i. Signed-off-by: Chris PeBenito <[email protected]>
SELinuxProject · Nov 22, 2024 · 11f1f1a · 11f1f1a
1 parent 3cf2758
commit 11f1f1a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/.github/workflows/build-policy.yml b/.github/workflows/build-policy.yml
@@ -90,6 +90,12 @@ jobs:
         echo "DIRECT_INITRC=${{ matrix.direct_initrc }}" >> $GITHUB_ENV
         echo "WERROR=y" >> $GITHUB_ENV
         echo "TEST_TOOLCHAIN=\"${{ steps.dl-userspace.outputs.download-path }}\"" >> $GITHUB_ENV
+        echo 'multiple-decls = true' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        sed -i -e '/^module-store/a compiler-directory = ${{ steps.dl-userspace.outputs.download-path }}/usr/libexec/selinux/hll' ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        echo -e '[sefcontext_compile]\npath = ${{ steps.dl-userspace.outputs.download-path }}/usr/sbin/sefcontext_compile\nargs = $@\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        echo -e '[setfiles]\npath = ${{ steps.dl-userspace.outputs.download-path }}/sbin/setfiles\nargs = -c $@ $<\n[end]' >> ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf
+        sudo cp ${{ steps.dl-userspace.outputs.download-path }}/etc/selinux/semanage.conf /etc/selinux/semanage.conf
+        cat /etc/selinux/semanage.conf
 
     - name: Build refpolicy
       shell: bash
@@ -125,6 +131,10 @@ jobs:
         make install-docs
         make install-udica-templates
         make install-appconfig
+        if [[ $MONOLITHIC == "n" ]]; then
+          # test modules insertion
+          make load
+        fi
       env:
         DESTDIR: /tmp/refpolicy-install
 

diff --git a/Rules.modular b/Rules.modular
@@ -3,6 +3,12 @@
 # Rules and Targets for building modular policies
 #
 
+module_store_root := $(DESTDIR)/var/lib/selinux
+
+ifneq ($(DESTDIR),)
+	SEMODULE += -p $(DESTDIR) -n
+endif
+
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
 enabled_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(base_mods:.te=.mod.fc) $(mod_mods:.te=.mod.fc)))
@@ -57,7 +63,7 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 	@echo "Loading configured modules."
-	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
 
 ########################################
@@ -68,7 +74,7 @@ pure-load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 	@echo "Loading configured modules."
-	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
+	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(module_store_root)
 	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) $(foreach omod,$(filter-out base $(notdir $(mod_mods:.te=)),$(shell $(SEMODULE) -l)),-r $(omod))
 
 ########################################