diff --git a/.github/workflows/restore-test.sh b/.github/workflows/restore-test.sh
index dac89995..750c635b 100755
--- a/.github/workflows/restore-test.sh
+++ b/.github/workflows/restore-test.sh
@@ -1,13 +1,31 @@
 #!/bin/bash
-set -e -u -o pipefail
+set -e -u -x -o pipefail
 VERSION=${1:-stable}
 # Manually build secilc, rather than take the packaged version, so we can have control over version
 # Github actions will have already checked out the repo to the correct tag for this run
 sudo apt update
-sudo apt install -y --no-install-recommends flex bison pkg-config libaudit-dev libbz2-dev libustr-dev libpcre3-dev xmlto
+sudo apt-get install --no-install-recommends --no-install-suggests \
+ bison \
+ flex \
+ gawk \
+ gcc \
+ gettext \
+ make \
+ libaudit-dev \
+ libbz2-dev \
+ libcap-dev \
+ libcap-ng-dev \
+ libcunit1-dev \
+ libglib2.0-dev \
+ libpcre2-dev \
+ libpcre3-dev \
+ pkgconf \
+ python3 \
+ systemd \
+ xmlto
 pushd selinux
@@ -17,8 +35,7 @@ pushd selinux
 # was fixed upstream in commit a96e8c59ecac84096d870b42701a504791a8cc8c, but
 # for our purposes compiling the older versions, we can just allow the behavior
 # with -fcommon
-sudo PREFIX=/usr/local make -j16 CFLAGS="-Wno-error=stringop-truncation -fcommon -pipe -fPIC" -C libsepol install
-sudo LIBRARY_PATH=/usr/local/lib make -j16 -C secilc install
+sudo make LIBDIR=/usr/local/lib/x86_64-linux-gnu SHLIBDIR=/lib/x86_64-linux-gnu CFLAGS="-Wno-error=stringop-truncation -fcommon -pipe -fPIC" OPT_SUBDIRS="" install
 # https://nickb.dev/blog/azure-pipelines-for-rust-projects
 curl --proto '=https' -sSf https://sh.rustup.rs | sh -s -- -y
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 5b6b5557..650d4585 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
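Review bot: The new `sudo apt-get install` line drops the `-y` that the replaced `sudo apt install -y` carried, so on a runner with no terminal on stdin apt-get stops at its confirmation prompt and aborts, and under `set -e` that fails the script before anything is built. Restore it as `sudo apt-get install -y --no-install-recommends --no-install-suggests \`. Separately, the `-x` added to `set -e -u -x -o pipefail` echoes every expanded command into the job log; nothing visible in this hunk carries a credential, but any later step that expands a token from the environment would be printed verbatim, so a comment such as `# -x: every expanded command is logged; keep this script free of secrets` would make the constraint explicit. The same `-x` is added to test.sh in this commit.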
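Review bot: The replacement `sudo make LIBDIR=... SHLIBDIR=/lib/x86_64-linux-gnu ... OPT_SUBDIRS="" install` appears to build and install the top-level selinux tree rather than only libsepol and secilc as the removed lines did, and it writes the shared libraries into the system multiarch directory, replacing the distro libsepol/libselinux that the runner's own tooling uses. If that is intentional, a comment next to it saying why (presumably so secilc resolves the freshly built libsepol) would help, since the preceding comment still only explains the `-fcommon` workaround. The architecture is also hard-coded twice; `$(dpkg-architecture -qDEB_HOST_MULTIARCH)` for both `LIBDIR` and `SHLIBDIR` would keep the script working on a non-x86_64 runner. The `-j16` of the old lines is gone as well, which only costs build time but is worth restoring.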
@@ -70,7 +70,7 @@ jobs:
 # configurable policy versions, we should be able to successfully
 # test against 2.7-2.9
- selinux-version: [ secilc-3.0, secilc-3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7 ]
+ selinux-version: [ secilc-3.0, secilc-3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 ]
 rust-toolchain: [ stable ]
 include:
 - selinux-version: '3.7'
diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh
index 2db5550d..7613f1fa 100755
--- a/.github/workflows/test.sh
+++ b/.github/workflows/test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-set -e -u -o pipefail
+set -e -u -x -o pipefail
 VERSION=${1:-stable}
diff --git a/data/expected_cil/non_virtual_inherit.cil b/data/expected_cil/non_virtual_inherit.cil
index 6ccd7220..34b85d18 100644
--- a/data/expected_cil/non_virtual_inherit.cil
+++ b/data/expected_cil/non_virtual_inherit.cil
@@ -139,12 +139,12 @@
 (type kernel_sid)
 (roletype system_r kernel_sid)
 (typeattributeset domain (kernel_sid))
-(type other)
-(roletype system_r other)
-(typeattributeset domain (other))
 (type security_sid)
 (roletype object_r security_sid)
 (typeattributeset resource (security_sid))
+(type some_other)
+(roletype system_r some_other)
+(typeattributeset domain (some_other))
 (type unlabeled_sid)
 (roletype object_r unlabeled_sid)
 (typeattributeset resource (unlabeled_sid))
@@ -155,23 +155,23 @@
 (roletype system_r qux)
 (typeattributeset domain (qux))
 (macro bar-read ((type this) (type source)) (allow source this (file (read open getattr))))
-(macro baz-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))
+(macro baz-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))
 (macro foo-read ((type this) (type source)) (allow source this (file (read open getattr))))
-(macro qux-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))
+(macro qux-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))
 (call bar-read (bar baz))
 (call bar-read (bar qux))
-(call baz-reference_foo (baz other))
-(call baz-reference_foo (qux other))
+(call baz-reference_foo (baz some_other))
+(call baz-reference_foo (qux some_other))
 (allow baz bar (file (write)))
 (allow baz foo (file (write)))
 (allow qux bar (dir (write)))
 (allow qux bar (file (write)))
 (allow qux foo (dir (write)))
 (allow qux foo (file (write)))
-(typetransition baz bar process other)
-(typetransition baz foo process other)
-(typetransition qux bar process other)
-(typetransition qux foo process other)
+(typetransition baz bar process some_other)
+(typetransition baz foo process some_other)
+(typetransition qux bar process some_other)
+(typetransition qux foo process some_other)
 (sid kernel)
 (sidcontext kernel (system_u system_r kernel_sid ((s0) (s0))))
 (sid security)
diff --git a/data/policies/non_virtual_inherit.cas b/data/policies/non_virtual_inherit.cas
index b806a7e2..03c746f4 100644
--- a/data/policies/non_virtual_inherit.cas
+++ b/data/policies/non_virtual_inherit.cas
@@ -10,10 +10,10 @@ resource bar inherits foo {}
 domain baz {
 bar.read();
 allow(this, foo, file, write);
- domain_transition(this, foo, other);
+ domain_transition(this, foo, some_other);
- fn reference_foo(domain other) {
- allow(other, foo, file, setattr);
+ fn reference_foo(domain some_other) {
+ allow(some_other, foo, file, setattr);
 }
 }
@@ -21,7 +21,7 @@ domain qux inherits baz {
 allow(this, foo, dir, write);
 }
-domain other {
+domain some_other {
 baz.reference_foo(this);
 }
diff --git a/src/test.rs b/src/test.rs
index 5095e34d..4f2301c9 100644
--- a/src/test.rs
+++ b/src/test.rs
@@ -757,11 +757,11 @@ fn non_virtual_inherit_test() {
 "(allow qux bar (file (write)))",
 "(allow qux foo (dir (write)))",
 "(allow qux bar (dir (write)))",
-"(typetransition baz bar process other)",
-"(typetransition baz foo process other)",
-"(typetransition qux bar process other)",
-"(typetransition qux foo process other)",
-"(macro baz-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))",
+"(typetransition baz bar process some_other)",
+"(typetransition baz foo process some_other)",
+"(typetransition qux bar process some_other)",
+"(typetransition qux foo process some_other)",
+"(macro baz-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))",
 ],
 &["(allow baz foo (dir (write)))"],
 0);