1. 18 May, 2021 1 commit
  2. 03 Feb, 2021 1 commit
      scripts/release: make the script more robust, and release a source repository snapshot · 108c8edd
      Nicolas Iooss authored
      Following Petr Lautrbach's suggestion, release a snapshot of the source
      repository next to the individual archives which constitute a release.
      While at it, make scripts/release more robust:
      - Fix many warnings reported by shellcheck, by quoting strings.
      - Use bash arrays for DIRS and DIRS_NEED_PREFIX
      - Merge DIRS and DIRS_NEED_PREFIX into a single array, in order to
        produce SHA256 digests that are directly in alphabetical order, for
      - Use "set -e" in order to fail as soon as a command fails
      - Change to the top-level directory at the start of the script, in order
        to be able to run it from anywhere.
      - Use `cat $DIR/VERSION` and `git -C $DIR` instead of `cd $i ; cat VERSION`
        in order to prevent unexpected issues from directory change.
      Finally, if version tags already exist, re-use them. This enables using
      this script to re-generate the release archive (and check that they
      really match the git repository). Currently, running scripts/release
      will produce the same archives as the ones published in the 3.2-rc1
      release (with the same SHA256 digests as the ones on the release page,
      https://github.com/SELinuxProject/selinux/wiki/Releases). This helps to
      ensure that the behaviour of the script is still fine.
      Suggested-by: Petr Lautrbach <plautrba@redhat.com>
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  3. 08 Dec, 2020 1 commit
  4. 02 Dec, 2020 2 commits
  5. 27 Nov, 2020 1 commit
  6. 12 Nov, 2020 1 commit
  7. 11 Nov, 2020 1 commit
      ci: bump Fedora image version to 33 · 3de445af
      Ondrej Mosnacek authored
      The testsuite will soon be switching to testing multiple filesystems,
      which exposes a bug in F32 image's kernel. Since Fedora 33 has been
      released recently and the testsuite runs just fine on it, just bump the
      image version to avoid the bug.
      This commit also fixes the script to read out the Fedora image version
      from environment variables instead of using hard-coded values.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
  8. 11 Aug, 2020 1 commit
  9. 07 Aug, 2020 1 commit
  10. 18 Jun, 2020 2 commits
      ci: dont use hardcoded project name · 1af345d2
      William Roberts authored
      Not everyone's github project is "selinux" so use the project's
      name, as derived from TRAVIS_BUILD_DIR. TRAVIS_BUILD_DIR is
      the absolute path to the project checkout on disk, so the
      basename should be sufficient. The script that runs in the KVM
      environment also needs to be updated where it can find the
      selinux project code, so we pass it in through an env variable
      in the ssh command.
      Tested on Travis CI here:
        - https://travis-ci.org/github/williamcroberts/selinux/jobs/697307824
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
      Acked-by: Petr Lautrbach <plautrba@redhat.com>
      ci: run SELinux kernel test suite · 562d6d15
      William Roberts authored
      The current Travis CI runs the userspace tooling and libraries against
      policy files, but cannot test against an SELinux enabled kernel. Thus,
      some tests are not being done in the CI. Travis, unfortunately only
      provides Ubuntu images, so in order to run against a modern distro with
      SELinux in enforcing mode, we need to launch a KVM with something like
      This patch enables this support by launching a Fedora32 Cloud Image with
      the SELinux userspace library passed on from the Travis clone, it then
      builds and replaces the current SELinux bits on the Fedora32 image and
      runs the SELinux testsuite.
      The cloud image run can be controlled with the TRAVIS env variable:
      TRAVIS_CLOUD_IMAGE_VERSION. That variable takes the major and minor
      version numbers in a colon delimited string, eg: "32:1.6".
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
      Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
  11. 13 May, 2020 1 commit
      run-flake8: Filter out ./.git/ directory · d7b0207c
      Petr Lautrbach authored
      When a branch has '.py' suffix git creates a file with the same suffix and this
      file is found by the `find . -name '*.py'` command. Such files from './git' need
      to be filtered out.
          $ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
          Analyzing 189 Python scripts
          ./.git/logs/refs/heads/semanage-test.py:1:42: E999 SyntaxError: invalid syntax
          ./.git/refs/heads/semanage-test.py:1:4: E999 SyntaxError: invalid syntax
          The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
      Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
      Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  12. 05 May, 2020 2 commits
      scripts/env_use_destdir: propagate PREFIX, LIBDIR, BINDIR, etc. · 1baa8ffa
      Nicolas Iooss authored
      On systems using non-default `PREFIX`, `LIBDIR`, `SHLIBDIR`, `BINDIR`
      or `SBINDIR`, running
      `DESTDIR=/path/to/destdir ./scripts/env_use_destdir make test`
      does not perform the intended behavior, because the testing programs and
      libraries are installed into locations that are not added to
      `LD_LIBRARY_PATH` nor `PATH`.
      More precisely, with `LIBDIR=/usr/lib64 SHLIBDIR=/lib64`, `env_use_destdir`
      does not work. Fix this by adding the installation directories relative
      to `DESTDIR` in `LD_LIBRARY_PATH` and `PATH`.
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
      Acked-by: Petr Lautrbach <plautrba@redhat.com>
      scripts/env_use_destdir: fix Fedora support · e5056944
      Nicolas Iooss authored
      libselinux and libsemanage use:
          PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
          import *; print(get_python_lib(plat_specific=1,
      while python/semanage and python/sepolgen/src/sepolgen use:
          PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
          import *; print(get_python_lib(prefix='$(PREFIX)'))")
      This is right: libselinux and libsemanage's Python bindings use native
      code (thus "plat_specific=1") while the others only install Python
      Nevertheless `scripts/env_use_destdir` only runs the second command
      when computing `$PYTHONPATH`. When using this script to run `make test`
      in a minimal Fedora 31 environment, this leads to an error such as:
          make[2]: Entering directory '/code/python/sepolicy'
          Traceback (most recent call last):
            File "test_sepolicy.py", line 117, in <module>
              import selinux
          ModuleNotFoundError: No module named 'selinux'
      Fix this by also adding `get_python_lib(plat_specific=1)` to the
      computed `$PYTHONPATH`.
      While at it, preserve `$PYTHONPATH` instead of resetting it. This makes
      it easier to work with Python virtual environments.
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  13. 30 Sep, 2019 1 commit
      libsepol, libsemanage: add a macro to silence static analyzer warnings in tests · 120681c1
      Nicolas Iooss authored
      Several static analyzers (clang's one, Facebook Infer, etc.) warn about
      NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL()
      in the test code written using CUnit framework. This is because this
      CUnit macro is too complex for them to understand that the pointer
      cannot be NULL: it is translated to a call to CU_assertImplementation()
      with an argument as TRUE in order to mean that the call is fatal if the
      asserted condition failed (cf.
      A possible solution could consist in replacing the
      CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers
      know about assert(). Nevertheless this seems to go against CUnit's API.
      An alternative solution consists in overriding CU_ASSERT_..._FATAL()
      macros in order to expand to assert() after a call to the matching
      CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove
      many false-positive warnings from various static analyzers.
      As this substitution should only occur when using static analyzer, put
      it under #ifdef __CHECKER__, which is the macro used by sparse when
      analyzing the Linux kernel.
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  14. 20 Feb, 2019 1 commit
      Switch to python3 by default · 1952be65
      Petr Lautrbach authored
      - Python 2.7 is planned to be the last of the 2.x releases
      - It's generally advised to use Python 3
      - Majority of python/ scripts are already switched to python3
      - Users with python 2 only can still use:
      $ make PYTHON=/usr/bin/python ....
      Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
  15. 05 Feb, 2019 1 commit
  16. 21 Jan, 2019 1 commit
  17. 08 Jan, 2019 1 commit
      scripts/run-flake8: run on Python scripts not ending with .py · bb518a01
      Nicolas Iooss authored
      When running flake8 on a directory, it does not analyze files without an
      extension, like semanage_migrate_store, mlscolor-test, etc. Use grep to
      find files with a Python shebang and build a list which is then given to
      This commit is possible now that some clean-up patches have been
      applied, such as commit 69c56bd2 ("python/chcat: improve the code
      readability") and b7227aae ("mcstrans: fix Python linter warnings on
      test scripts") and 3cb974d2 ("semanage_migrate_store: fix many
      Python linter warnings").
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  18. 04 Jan, 2019 1 commit
  19. 19 Aug, 2018 1 commit
  20. 18 Aug, 2018 1 commit
      Travis-CI: run flake8 on Python code · 41764b73
      Nicolas Iooss authored
      flake8 is a Python linter which is able to detect issues in Python code
      (syntax errors, undefined variables, etc.). It has been used to find
      bugs in the project. In order to prevent the introduction of new bugs
      which can be detected by it, add a script which runs it and use it in
      flake8 can be used to detect code which is not written according to PEP8
      style guide (which forbids whitespaces in some places, enforces the use
      of space-indenting, specifies how many blank lines are used between
      functions, etc.). As SELinux code does not follow this style guide,
      scripts/run-flake8 disables many warnings related to this when running
      the linter.
      In order to silence flake8 warnings, the Python code can also be
      modified. However fixing every "do not use bare 'except'" in the project
      needs to be done carefully and takes much time.
      This is why the warnings which are disabled have been ordered in three
      * The warnings which can be activated in a not-so-distant future after
        the code has been modified.
      * The warnings related to PEP8 which cannot be activated without a major
        cleaning work of the codebase (for example to modify white spaces)
      * The warnings which are introduced by code generated by SWIG 3.0.12,
        which would require patches in SWIG in order to be activated (there
        is right now only one such warning).
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  21. 15 Jun, 2018 1 commit
      scripts: add a helper script to run clang's static analyzer · 416900cb
      Nicolas Iooss authored
      Using clang's static analyzer is as simple as running "scan-build make",
      but in order to obtain clean and reproducible results, the build
      environment has to be cleaned beforehand ("make clean distclean").
      Moreover the project requires running "make install" before "make test"
      in order to install the dependencies needed for the tests, and running
      these tests with the newly-built libraries requires a specific
      LD_LIBRARY_PATH. This new script takes care of setting up everything
      which is needed.
      Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
  22. 16 Nov, 2016 3 commits
  23. 14 Oct, 2016 2 commits
  24. 06 Oct, 2016 1 commit
  25. 31 Mar, 2015 1 commit
  26. 03 Dec, 2014 1 commit
  27. 27 Aug, 2014 1 commit
  28. 31 Oct, 2013 1 commit
  29. 30 Oct, 2013 3 commits
  30. 06 Feb, 2013 1 commit
  31. 12 Mar, 2009 1 commit
  32. 19 Aug, 2008 1 commit