TEST-06-SELINUX: Add knob to allow checking for AVCs

When running the integration tests downstream, it's useful to be
able to test that a new systemd version doesn't introduce any AVC
denials, so let's add a knob to make that possible.

(cherry picked from commit de19520ec979902fd457515d1a795210fdaedf93)

test/README.testsuite

@@ -151,6 +151,16 @@ that make use of `run_testcases`.
 
 `TEST_SKIP_TESTCASE=testcase`: takes a space separated list of testcases to skip.
 
+### SELinux AVCs
+
+To have `TEST-06-SELINUX` check for SELinux denials, write the following to
+mkosi.local.conf:
+
+```conf
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=1
+```
+
 ## Ubuntu CI
 
 New PRs submitted to the project are run through regression tests, and one set

test/fmf/integration-tests/test.sh

@@ -69,6 +69,13 @@ ToolsTreeDistribution=$ID
 ToolsTreeRelease=${VERSION_ID:-rawhide}
 EOF
 
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
+    tee --append mkosi.local.conf <<EOF
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
+EOF
+fi
+
 if [[ -n "${TESTING_FARM_REQUEST_ID:-}" ]]; then
     tee --append mkosi.local.conf <<EOF
 [Build]

test/units/TEST-06-SELINUX.sh

@@ -46,4 +46,8 @@ NSPAWN_ARGS=(systemd-nspawn -q --volatile=yes --directory=/ --bind-ro=/etc --ina
 [[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" stat --printf %C /run)" == "$CONTEXT" ]]
 [[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" --tmpfs=/tmp stat --printf %C /tmp)" == "$CONTEXT" ]]
 
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]] && ((TEST_SELINUX_CHECK_AVCS)); then
+    (! journalctl -t audit -g AVC -o cat)
+fi
+
 touch /testok