Closed. fishilico closed this 3 years ago.
Looks good to me, and certainly improving on the changes I made somewhat hastily just to get things working. I would actually keep the `-v` tag on `restorecon` to see it work. Sure, it generates a lot of logs, but I like logs :)
> I would actually keep the `-v` tag on `restorecon` to see it work. Sure, it generates a lot of logs, but I like logs :)
The thing is, generating many logs in GitHub Actions output is very impractical (the "find" function does not seem to work properly on the job output pages, and loading the whole page takes much time).

Nevertheless, if you want logs, I would accept a patch which modifies the command in order to log the output of `restorecon -RFv` into a file and put this file into the build artifacts.
Here are some commits from https://github.com/archlinuxhardened/selinux/pull/83 and some modifications from me in order to:

- `lsm=lockdown,yama,selinux,bpf`, which is the result of some tests (cf. https://github.com/archlinuxhardened/selinux/issues/81#issuecomment-775471636)
- `grep '^Seccomp:\s*2$' /proc/self/status > /dev/null` when detecting that `systemd-selinux` is being built in a "container". This helps building it in unprivileged containers which use seccomp but not `/.dockerenv` (such as `podman`)
- `-ex` to `bash` in the workflow configuration, so the job fails as soon as a command fails (before, errors were ignored)
- `restorecon -RF /`. Otherwise many files were still unlabeled in the test VM.

This fixes https://github.com/archlinuxhardened/selinux/issues/81 and https://github.com/archlinuxhardened/selinux/issues/82.
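As an added example (not code from this PR or the project), the container check described above written as a shell function that combines the `/.dockerenv` probe with the Seccomp-mode test, so it also fires in unprivileged podman builds that have no `/.dockerenv`. The function names and the path arguments are my own assumptions, and the sample status files are constructed.

```shell
#!/bin/sh
# Added example, not the project's code. The grep pattern is the PR's
# '^Seccomp:\s*2$' written with a POSIX character class instead of GNU \s.

# Return 0 when the status file (default: /proc/self/status) reports
# "Seccomp: 2", i.e. the process runs under a seccomp filter, as it does
# in a typical container. Mode 0 means no seccomp, mode 1 is strict mode.
seccomp_filter_active() {
    status_file="${1:-/proc/self/status}"
    grep -q '^Seccomp:[[:space:]]*2$' "$status_file"
}

# Return 0 when either marker is present. Both arguments are optional and
# exist only so the check can be exercised on constructed files.
in_container() {
    dockerenv="${1:-/.dockerenv}"
    status_file="${2:-/proc/self/status}"
    if [ -e "$dockerenv" ]; then
        return 0
    fi
    seccomp_filter_active "$status_file"
}

# Demonstration on constructed /proc/self/status excerpts (not real captures):
# a host build without seccomp and a podman-style build with a filter loaded.
demo() {
    tmp=$(mktemp -d)
    printf 'Name:\tbash\nSeccomp:\t0\n' > "$tmp/status_host"
    printf 'Name:\tbash\nSeccomp:\t2\n' > "$tmp/status_podman"
    for f in status_host status_podman; do
        # Point the /.dockerenv probe at a path that does not exist, so only
        # the seccomp test can decide.
        if in_container "$tmp/no_such_dockerenv" "$tmp/$f"; then
            echo "$f: container build detected"
        else
            echo "$f: host build"
        fi
    done
    rm -rf "$tmp"
}

demo
```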