Closed fishilico closed 3 years ago
tqre
commented
3 years ago Looks good to me, and certainly improving on the changes I made somewhat hastily just to get things working. I would actually keep the -v -tag on restorecon to see it work. Sure it generates a lots of logs, but I like logs :)
fishilico
commented
3 years ago I would actually keep the
-v-tag onrestoreconto see it work. Sure it generates a lots of logs, but I like logs :)
The thing is, generating many logs in GitHub Actions output is very impractical (the "find" function does not seem to work properly on the job output pages, and loading the whole page takes much time).
Nevertheless if you want logs, I would accept a patch which modifies the command in order to log the output of restorecon -RFv into a file and put this file into the build artifacts.
Here are some commits from https://github.com/archlinuxhardened/selinux/pull/83 and some modifications from me in order to :
lsm=lockdown,yama,selinux,bpf, which is the result of some tests (cf. https://github.com/archlinuxhardened/selinux/issues/81#issuecomment-775471636)grep '^Seccomp:\s*2$' /proc/self/status > /dev/nullwhen detecting thatsystemd-selinuxis being built in a "container". This helps building it in unprivileged containers which use seccomp but not/.dockerenv(such aspodman)-extobashin the workflow configuration, so the job fails as soon as a command fails (before, errors were ignored)restorecon -RF /). Otherwise many files were still unlabeled in the test VM.This fixes https://github.com/archlinuxhardened/selinux/issues/81 and https://github.com/archlinuxhardened/selinux/issues/82.