Test against selinux userspace 3.8

.github/workflows/restore-test.sh

@@ -1,13 +1,31 @@
 #!/bin/bash
 
-set -e -u -o pipefail
+set -e -u -x -o pipefail
 
 VERSION=${1:-stable}
 
 # Manually build secilc, rather than take the packaged version, so we can have control over version
 # Github actions will have already checked out the repo to the correct tag for this run
 sudo apt update
-sudo apt install -y --no-install-recommends flex bison pkg-config libaudit-dev libbz2-dev libustr-dev libpcre3-dev xmlto
+sudo apt-get install --no-install-recommends --no-install-suggests \
+    bison \
+    flex \
+    gawk \
+    gcc \
+    gettext \
+    make \
+    libaudit-dev \
+    libbz2-dev \
+    libcap-dev \
+    libcap-ng-dev \
+    libcunit1-dev \
+    libglib2.0-dev \
+    libpcre2-dev \
+    libpcre3-dev \
+    pkgconf \
+    python3 \
+    systemd \
+    xmlto
 
 pushd selinux
 
@@ -17,8 +35,7 @@ pushd selinux
 # was fixed upstream in commit a96e8c59ecac84096d870b42701a504791a8cc8c, but
 # for our purposes compiling the older versions, we can just allow the behavior
 # with -fcommon
-sudo PREFIX=/usr/local make -j16 CFLAGS="-Wno-error=stringop-truncation -fcommon -pipe -fPIC" -C libsepol install
-sudo LIBRARY_PATH=/usr/local/lib make -j16 -C secilc install
+sudo make LIBDIR=/usr/local/lib/x86_64-linux-gnu SHLIBDIR=/lib/x86_64-linux-gnu CFLAGS="-Wno-error=stringop-truncation -fcommon -pipe -fPIC" OPT_SUBDIRS="" install
 
 # https://nickb.dev/blog/azure-pipelines-for-rust-projects
 curl --proto '=https' -sSf https://sh.rustup.rs | sh -s -- -y

.github/workflows/rust.yml

@@ -70,7 +70,7 @@ jobs:
         # configurable policy versions, we should be able to successfully
         # test against 2.7-2.9
 
-        selinux-version: [ secilc-3.0, secilc-3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7 ]
+        selinux-version: [ secilc-3.0, secilc-3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 ]
         rust-toolchain: [ stable ]
         include:
           - selinux-version: '3.7'

.github/workflows/test.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e -u -o pipefail
+set -e -u -x -o pipefail
 
 VERSION=${1:-stable}
 

data/expected_cil/non_virtual_inherit.cil

@@ -139,12 +139,12 @@
 (type kernel_sid)
 (roletype system_r kernel_sid)
 (typeattributeset domain (kernel_sid))
-(type other)
-(roletype system_r other)
-(typeattributeset domain (other))
 (type security_sid)
 (roletype object_r security_sid)
 (typeattributeset resource (security_sid))
+(type some_other)
+(roletype system_r some_other)
+(typeattributeset domain (some_other))
 (type unlabeled_sid)
 (roletype object_r unlabeled_sid)
 (typeattributeset resource (unlabeled_sid))
@@ -155,23 +155,23 @@
 (roletype system_r qux)
 (typeattributeset domain (qux))
 (macro bar-read ((type this) (type source)) (allow source this (file (read open getattr))))
-(macro baz-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))
+(macro baz-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))
 (macro foo-read ((type this) (type source)) (allow source this (file (read open getattr))))
-(macro qux-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))
+(macro qux-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))
 (call bar-read (bar baz))
 (call bar-read (bar qux))
-(call baz-reference_foo (baz other))
-(call baz-reference_foo (qux other))
+(call baz-reference_foo (baz some_other))
+(call baz-reference_foo (qux some_other))
 (allow baz bar (file (write)))
 (allow baz foo (file (write)))
 (allow qux bar (dir (write)))
 (allow qux bar (file (write)))
 (allow qux foo (dir (write)))
 (allow qux foo (file (write)))
-(typetransition baz bar process other)
-(typetransition baz foo process other)
-(typetransition qux bar process other)
-(typetransition qux foo process other)
+(typetransition baz bar process some_other)
+(typetransition baz foo process some_other)
+(typetransition qux bar process some_other)
+(typetransition qux foo process some_other)
 (sid kernel)
 (sidcontext kernel (system_u system_r kernel_sid ((s0) (s0))))
 (sid security)

data/policies/non_virtual_inherit.cas

@@ -10,18 +10,18 @@ resource bar inherits foo {}
 domain baz {
 	bar.read();
 	allow(this, foo, file, write);
-	domain_transition(this, foo, other);
+	domain_transition(this, foo, some_other);
 
-	fn reference_foo(domain other) {
-		allow(other, foo, file, setattr);
+	fn reference_foo(domain some_other) {
+		allow(some_other, foo, file, setattr);
 	}
 }
 
 domain qux inherits baz {
 	allow(this, foo, dir, write);
 }
 
-domain other {
+domain some_other {
 	baz.reference_foo(this);
 }
 

src/test.rs

@@ -757,11 +757,11 @@ fn non_virtual_inherit_test() {
 "(allow qux bar (file (write)))",
 "(allow qux foo (dir (write)))",
 "(allow qux bar (dir (write)))",
-"(typetransition baz bar process other)",
-"(typetransition baz foo process other)",
-"(typetransition qux bar process other)",
-"(typetransition qux foo process other)",
-"(macro baz-reference_foo ((type this) (type other)) (allow other bar (file (setattr))) (allow other foo (file (setattr))))",
+"(typetransition baz bar process some_other)",
+"(typetransition baz foo process some_other)",
+"(typetransition qux bar process some_other)",
+"(typetransition qux foo process some_other)",
+"(macro baz-reference_foo ((type this) (type some_other)) (allow some_other bar (file (setattr))) (allow some_other foo (file (setattr))))",
 ],
 &["(allow baz foo (dir (write)))"],
 0);