Fix Github workflows

- no longer build SELinux policies for CentOS7, Amazon Linux 2
- install pandoc from the "Rocky Powertools" repo
- remove defunct build-container-image, corresponding README entry

.github/workflows/build.yml

@@ -218,8 +218,10 @@ jobs:
     steps:
       - name: Prepare
         run: |
+          dnf install 'dnf-command(config-manager)'
+          dnf config-manager --enable powertools
           dnf -q -y update
-          dnf -q -y install gcc file libacl-devel clang
+          dnf -q -y install gcc file libacl-devel clang make pandoc
       - name: Install Rust toolchain (stable)
         uses: actions-rs/toolchain@v1
         with:
@@ -229,6 +231,7 @@ jobs:
       - name: Build
         run: |
           cargo build --release
+          make -C man
       - uses: actions/upload-artifact@v3
         with:
           name: laurel-x86_64-gnu-old

.github/workflows/release.yml

@@ -77,6 +77,8 @@ jobs:
     steps:
       - name: Prepare
         run: |
+          dnf install 'dnf-command(config-manager)'
+          dnf config-manager --enable powertools
           dnf -q -y update
           dnf -q -y install gcc file libacl-devel clang make pandoc
       - name: Install Rust toolchain (stable)
@@ -110,85 +112,3 @@ jobs:
           asset_path: laurel.tar.gz
           asset_name: laurel-${{ needs.prep.outputs.git_version }}-x86_64-glibc.tar.gz
           asset_content_type: application/tar
-
-  build-container-image:
-    needs: build-musl
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Download a Build Artifact
-        uses: actions/download-artifact@v2.1.1
-        with:
-          name: laurel
-          path: .
-
-      # use tar to keep permissions
-      - name: Unpack Build Artifact
-        run: tar -xzf laurel.tar.gz
-
-      - name: Edit configuration
-        run: |
-          sed -e 's#^input = .*#input = "unix:/var/run/audispd_events"#' etc/laurel/config.toml
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v2
-
-      # Workaround: https://github.com/docker/build-push-action/issues/461
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/selinux.yml

@@ -9,30 +9,6 @@ on:
       - .github/workflows/selinux.yml
 
 jobs:
-  build-el7:
-    env:
-      ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-    runs-on: ubuntu-latest
-    container: centos:7
-    steps:
-      - name: Prepare
-        run: |
-          sed -i \
-              -e 's,^# *baseurl=http://mirror.centos.org/centos/,baseurl=https://vault.centos.org/centos/,g' \
-              -e 's,^mirrorlist=http://mirrorlist.centos.org,#&1,' \
-              /etc/yum.repos.d/*.repo
-          yum install -y selinux-policy-devel
-      - uses: actions/checkout@v2
-      - name: Build
-        run: |
-          make -C contrib/selinux AUDITD_VERSIONS=2
-      - name: Archive policy
-        uses: actions/upload-artifact@v3
-        with:
-          name: selinux-el7
-          path: contrib/selinux/laurel.pp
-
   build-el8:
     runs-on: ubuntu-latest
     container: rockylinux:8
@@ -67,26 +43,6 @@ jobs:
           name: selinux-el9
           path: contrib/selinux/laurel.pp
 
-  build-al2:
-    env:
-      ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-    runs-on: ubuntu-latest
-    container: amazonlinux:2
-    steps:
-      - name: Prepare
-        run: |
-          yum install -y selinux-policy-devel findutils tar
-      - uses: actions/checkout@v2
-      - name: Build
-        run: |
-          make -C contrib/selinux AUDITD_VERSIONS=2
-      - name: Archive policy
-        uses: actions/upload-artifact@v3
-        with:
-          name: selinux-al2
-          path: contrib/selinux/laurel.pp
-
   build-al2023:
     runs-on: ubuntu-latest
     container: amazonlinux:2023

README.md

@@ -31,14 +31,6 @@ The [_LAUREL_ installation instructions](INSTALL.md) contain instructions on how
 
 We developed _LAUREL_ because we were not content with feature sets and performance characteristics of existing projects and products. Please refer to the [Performance](performance.md) document for details.
 
-## Container Image
-
-From v0.5.2 on laurel is able to connect to a socket for forwarded auditd messages and can be executed in a container this way. A basic container image is published in this repository to `ghcr.io/threathunters-io/laurel` with tags `latest` and the respective version tag.
-
-The provided container image build includes default labels via docker buildx from the pipeline. These labels are not included in the provided Dockerfile but are considered good practice. If you use a custom build with another tooling, consider adding the default labels to the Dockerfile.
-
-The provided container image contains the default configuration, with one modification: Laurel connects to `/var/run/audispd_events` (the default path specified for the `builtin_af_unix` _auditd(8)_ plug-in. The plug-in needs to be enabled and the socket must be accessible from within the container. The rest of the configuration file should be customized as needed before deploying.
-
 ## See also
 
 - [ansible-auditd-laurel](https://github.com/certeu/ansible-auditd-laurel/), an Ansible role to deploy _auditd_ + _laurel_, by @0xFustang / CERT-EU