root/tools/external-buildtest.sh

#!/bin/bash

einfo() {
        echo -e " \e[32;01m*\e[0m $*"
}

eerror() {
        echo -e " \e[31;01m*\e[0m $*"
}

die() {
        [ -z "$1" ] || eerror $1
        exit 1
}

make_layer_test_policy() {
        mkdir -p $1/apps
        cat > $1/apps/testapp.te << EOF
policy_module(testapp,1.0)
type testapp_t;
type testapp_exec_t;
init_daemon_domain(testapp_t,testapp_exec_t)
EOF

        cat > $1/apps/testapp.fc << EOF
/usr/bin/testapp -- gen_context(system_u:object_r:testapp_exec_t,s0)
EOF

        cat > $1/apps/testapp.if << EOF
## <summary>Test application policy</summary>

interface(\`testapp_domtrans',\`
gen_require(\`type testapp_t, testapp_exec_t;')
domtrans_pattern($1,testapp_exec_t,testapp_t)
')
EOF

        mkdir -p $1/services
        cat > $1/services/testsrv.te << EOF
policy_module(testsrv,1.0)
type testsrv_t;
type testsrv_exec_t;
init_daemon_domain(testsrv_t,testsrv_exec_t)
EOF

        cat > $1/services/testsrv.fc << EOF
/usr/bin/testsrv -- gen_context(system_u:object_r:testsrv_exec_t,s0)
EOF

        cat > $1/services/testsrv.if << EOF
## <summary>Test service policy</summary>

interface(\`testsrv_domtrans',\`
gen_require(\`type testsrv_t, testsrv_exec_t;')
domtrans_pattern($1,testsrv_exec_t,testsrv_t)
')
EOF

        mkdir -p $1/test
        echo "<summary>external test layer</summary>" > $1/test/metadata.xml

        cat > $1/test/test.te << EOF
policy_module(test,1.0)
type test_t;
type test_exec_t;
init_daemon_domain(test_t,test_exec_t)
EOF

        cat > $1/test/test.fc << EOF
/usr/bin/test -- gen_context(system_u:object_r:testsrv_t,s0)
EOF

        cat > $1/test/test.if << EOF
## <summary>Test policy</summary>

interface(\`test_domtrans',\`
gen_require(\`type test_t, test_exec_t;')
domtrans_pattern($1,test_exec_t,test_t)
')
EOF
}

if [ -x /usr/bin/sandbox ]; then
        SANDBOX=/usr/bin/sandbox
else
        echo "Test is better with Gentoo's sandbox binary, which is missing."
        echo "Continuing without it, but no guarantees that there is no writing"
        echo "outside of the local policy directory."
        echo "Sandbox can be found at http://distfiles.gentoo.org/distfiles/sandbox-[ver].tar.bz2"
fi


if [ ! -d policy/flask ]; then
        die "This should be run from the root of the refpolicy source tree."
fi

BOX=`mktemp -d`
START=`pwd`
PV=20
export SANDBOX_WRITE="/dev:/proc:$BOX/policy"

einfo "Building generated files"
make generate || die "Failed to build generated files!?!?!"

export LOCAL_ROOT="$BOX/policy"

################# external reference build (monolithic)
mkdir -p ${LOCAL_ROOT}
mkdir -p ${LOCAL_ROOT}/doc # should this be in the makefile?
sed -r -e '/OUTPUT_POLICY/s/18/20/' -e '/OUTPUT_POLICY/s/^#//' ${START}/build.conf > ${LOCAL_ROOT}/build.conf
cd ${LOCAL_ROOT}
make_layer_test_policy policy/modules

einfo "Building conf (extref; mon)"
$SANDBOX make -C $START conf || die "Failed make conf (extref; mon)"
grep -q ^testapp policy/modules.conf || die "testapp missing from modules.conf (extref; mon)"
grep -q ^testsrv policy/modules.conf || die "testsrv missing from modules.conf (extref; mon)"
grep -q '^test ' policy/modules.conf || die "test missing from modules.conf (extref; mon)"
einfo "Building fc_sort"
# need to figure out why this gets "Aborted" when run in sandbox
make -C $START ${LOCAL_ROOT}/tmp/fc_sort || die
einfo "Building policy (extref; mon)"
$SANDBOX make -C $START policy || die "failed building policy (extref; mon)"
grep -q 'type test_t;' policy.conf || die "test_t missing from policy.conf (extref; mon)"
grep -q 'type testapp_t;' policy.conf || die "testapp_t missing from policy.conf (extref; mon)"
grep -q 'type testsrv_t;' policy.conf || die "testsrv_t missing from policy.conf (extref; mon)"
[ -f policy.20 ] || die "policy.20 is missing (extref; mon)"
$SANDBOX make -C $START ${LOCAL_ROOT}/file_contexts || die "failed building file_contexts (extref; mon)"
[ -f file_contexts ] || die "file_contexts is missing (extref; mon)"
if [ ! -z "$SANDBOX" ]; then
        einfo "Touch test--this should fail (extref; mod)"
        $SANDBOX touch $START/EPERM && die "Touch test failed (extref; mon)"
fi
einfo "Cleaning up (extref; mon)"
cd $START
rm -fR $BOX/*

################# external reference build (modular)
mkdir -p ${LOCAL_ROOT}
mkdir -p ${LOCAL_ROOT}/doc # should this be in the makefile?
sed -r -e '/^MONOLITHIC/s/y$/n/' ${START}/build.conf > ${LOCAL_ROOT}/build.conf
cd ${LOCAL_ROOT}
make_layer_test_policy policy/modules

einfo "Building conf (extref; mod)"
$SANDBOX make -C $START conf || die
grep -q ^testapp policy/modules.conf || die "testapp missing from modules.conf (extref; mod)"
grep -q ^testsrv policy/modules.conf || die "testsrv missing from modules.conf (extref; mod)"
einfo "Building fc_sort"
# need to figure out why this gets "Aborted" when run in sandbox
make -C $START ${LOCAL_ROOT}/tmp/fc_sort || die
einfo "Building all policy (extref; mod)"
$SANDBOX make -C $START base || die "failed building base module (extref; mod)"
[ -f base.pp ] || die "base.pp is missing (extref; mod)"
$SANDBOX make -C $START modules || die "failed building all modules (extref; mod)"
[ -f apache.pp ] || die "apache.pp is missing (extref; mod)"
[ -f testapp.pp ] || die "testapp.pp is missing (extref; mod)"
einfo "Verifying policy linking (extref; mod)"
$SANDBOX make -C $START validate || die "failed validating linking (extref; mod)"
$SANDBOX make -C $START clean || die
einfo "Building policy by name (extref; mod)"
$SANDBOX make -C $START ${LOCAL_ROOT}/apache.pp ${LOCAL_ROOT}/testapp.pp || die "Failed building modules by name (extref; mod)"
[ -f apache.pp ] || die "apache.pp is missing (extref; mod)"
[ -f testapp.pp ] || die "testapp.pp is missing (extref; mod)"
# need to figure out why this gets "Aborted" when run in sandbox
make -C $START ${LOCAL_ROOT}/tmp/fc_sort || die
$SANDBOX make -C $START ${LOCAL_ROOT}/base.pp || die "Failed building base by name (extref; mod)"
[ -f base.pp ] || die "base.pp is missing (extref; mod)"
if [ ! -z "$SANDBOX" ]; then
        einfo "Touch test--this should fail (extref; mod)"
        $SANDBOX touch $START/EPERM && die "Touch test failed (extref; mod)"
fi
einfo "Cleaning up (extref; mod)"
cd $START
rm -fR $BOX/*

### change environment for headers tests
unset LOCAL_ROOT
export SHAREDIR="$BOX/usr/share/selinux"
###

################# headers build (flat)
einfo "Installing headers (headers; flat)"
make DESTDIR=$BOX install-headers || die "Failed to install headers (headers; flat)"
mkdir $BOX/policy
cp doc/example.* $BOX/policy
cp doc/Makefile.example $BOX/policy/Makefile

cd ${BOX}/policy
einfo "Building all policy (headers; flat)"
$SANDBOX make QUIET=n NAME=refpolicy all || die "Failed to build all policy (headers; flat)"
[ -f example.pp ] || die "example.pp is missing (headers; flat)"
$SANDBOX make QUIET=n NAME=refpolicy clean
einfo "Building policy by name (headers; flat)"
$SANDBOX make QUIET=n NAME=refpolicy example.pp || die "Failed to build by name (headers; flat)"
[ -f example.pp ] || die "example.pp is missing (headers; flat)"
einfo "Building XML (headers; flat)"
$SANDBOX make QUIET=n NAME=refpolicy xml || die "Failed to build XML (headers; flat)"
grep -q '<layer name="third_party">' doc/policy.xml || die "third_party layer missing from XML (headers; flat)"
grep -q '<layer name="kernel">' doc/policy.xml || die "kernel layer missing from XML (headers; flat)"
egrep -q '<module name="example" .*>' doc/policy.xml || die "example module missing from XML (headers; flat)"
egrep -q '<module name="apache" .*>' doc/policy.xml || die "apache module missing from XML (headers; flat)"
if [ ! -z "$SANDBOX" ]; then
        einfo "Touch test--this should fail (headers; flat)"
        $SANDBOX touch $BOX/usr/share/selinux/refpolicy/Makefile
fi
einfo "Cleaning up (headers; flat)"
cd $START
rm -fR $BOX/*

################# headers build (layered)
einfo "Installing headers (headers; layered)"
make DESTDIR=$BOX install-headers
mkdir $BOX/policy
cp doc/Makefile.example $BOX/policy/Makefile
cd ${BOX}/policy
make_layer_test_policy .

einfo "Building all policy (headers; layered)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux all || die
[ -f testsrv.pp ] || die "testsrv.pp is missing (headers; layered)"
[ -f test.pp ] || die "test.pp is missing (headers; layered)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux clean || die
einfo "Building policy by name (headers; layered and flat)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux testsrv.pp test.pp || die
[ -f testsrv.pp ] || die "testsrv.pp is missing (headers; layered)"
[ -f test.pp ] || die "test.pp is missing (headers; layered)"
einfo "Building XML (headers; layered) (headers; layered)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux xml || die
grep -q '<layer name="kernel">' doc/policy.xml || die "kernel layer missing from XML (headers; layered)"
grep -q '<layer name="test">' doc/policy.xml || die "test layer missing from XML (headers; layered)"
egrep -q '<module name="test" .*>' doc/policy.xml || die "test module missing from XML (headers; layered)"
egrep -q '<module name="testsrv" .*>' doc/policy.xml || die "testsrv module missing from XML (headers; layered)"
egrep -q '<module name="testapp" .*>' doc/policy.xml || die "testapp module missing from XML (headers; layered)"
egrep -q '<module name="apache" .*>' doc/policy.xml || die "apache module missing from XML (headers; layered)"
if [ ! -z "$SANDBOX" ]; then
        einfo "Touch test--this should fail (headers; layered)"
        $SANDBOX touch $BOX/usr/share/selinux/refpolicy/Makefile
fi
einfo "Cleaning up (headers; layered)"
cd $START
rm -fR $BOX/*

################# headers build (layered and flat)
einfo "Installing headers (headers; layered and flat)"
make DESTDIR=$BOX install-headers
mkdir $BOX/policy
cp doc/example.* $BOX/policy
cp doc/Makefile.example $BOX/policy/Makefile
cd ${BOX}/policy
make_layer_test_policy .

einfo "Building all policy (headers; layered and flat)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux all || die
[ -f example.pp ] || die "example.pp is missing (headers; layered and flat)"
[ -f testapp.pp ] || die "testapp.pp is missing (headers; layered and flat)"
[ -f testsrv.pp ] || die "testsrv.pp is missing (headers; layered and flat)"
[ -f test.pp ] || die "test.pp is missing (headers; layered and flat)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux clean || die
einfo "Building policy by name (headers; layered and flat)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux test.pp example.pp testapp.pp || die
[ -f testapp.pp ] || die "testapp.pp is missing (headers; layered and flat)"
[ -f test.pp ] || die "test.pp is missing (headers; layered and flat)"
einfo "Building XML (headers; layered and flat)"
$SANDBOX make QUIET=n NAME=refpolicy SHAREDIR=$BOX/usr/share/selinux xml || die
grep -q '<layer name="kernel">' doc/policy.xml || die "kernel layer missing from XML (headers; layered and flat)"
grep -q '<layer name="test">' doc/policy.xml || die "test layer missing from XML (headers; layered and flat)"
grep -q '<layer name="third_party">' doc/policy.xml || die "third_party layer missing from XML (headers; layered and flat)"
egrep -q '<module name="test" .*>' doc/policy.xml || die "test module missing from XML (headers; layered and flat)"
egrep -q '<module name="testsrv" .*>' doc/policy.xml || die "testsrv module missing from XML (headers; layered and flat)"
egrep -q '<module name="testapp" .*>' doc/policy.xml || die "testapp module missing from XML (headers; layered and flat)"
egrep -q '<module name="apache" .*>' doc/policy.xml || die "apache module missing from XML (headers; layered and flat)"
egrep -q '<module name="example" .*>' doc/policy.xml || die "example module missing from XML (headers; layered and flat)"
if [ ! -z "$SANDBOX" ]; then
        einfo "Touch test--this should fail (headers; layered and flat)"
        $SANDBOX touch $BOX/usr/share/selinux/refpolicy/Makefile
fi
einfo "Cleaning up (headers; layered and flat)"
cd $START
rm -fR $BOX


#
# clean up
#
rm -fR $BOX
make bare
einfo "Completed successfully"
exit 0