Merge pull request #32588 from CodethinkLabs/mkosi-selinux

Add TEST-06-SELINUX to mkosi integration tests
2025-03-09 12:58:26 +03:00 · 2024-05-04 20:48:55 +02:00 · 2024-05-04 20:48:55 +02:00 · 72007bbc9b
commit 72007bbc9b
parent 7df0297ac5 ab9d60250e
6 changed files with 48 additions and 4 deletions
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@ -10,3 +10,11 @@ Packages=
        selinux-policy
        selinux-policy-targeted
        setools-console
+
+# We relabel on first boot instead of at build time because it is only possible to label without root
+# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
+SELinuxRelabel=no
+
+InitrdPackages=
+        selinux-policy
+        selinux-policy-targeted
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+test_params += {
+        'mkosi_args' : ['--kernel-command-line-extra=apparmor=0 selinux=1 enforcing=0 lsm=selinux systemd.wants=autorelabel.service systemd.wants=firstboot-autorelabel.service'],
+}
--- a/test/meson.build
+++ b/test/meson.build
@ -341,7 +341,7 @@ integration_tests = {
        '03': 'TEST-03-JOBS',
        # '04': 'TEST-04-JOURNAL', # Extremely flaky
        '05': 'TEST-05-RLIMITS',
-        # '06': 'TEST-06-SELINUX',
+        '06': 'TEST-06-SELINUX',
        # '07': 'TEST-07-PID1',
        # '08': 'TEST-08-INITRD',
        '09': 'TEST-09-REBOOT',
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@ -3,9 +3,14 @@
 Description=Relabel all filesystems
 DefaultDependencies=no
 Requires=local-fs.target
-Conflicts=shutdown.target
 After=local-fs.target
-Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=multi-user.target
+# Needs to access /var, which may not have been populated yet
+After=systemd-tmpfiles-setup.service
+# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
+After=systemd-machine-id-commit.service
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel

@ -16,4 +21,4 @@ TimeoutSec=infinity
 RemainAfterExit=yes

 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
--- a/test/units/firstboot-autorelabel.service
+++ b/test/units/firstboot-autorelabel.service
@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Activate relabelling on firstboot only
+DefaultDependencies=no
+Wants=first-boot-complete.target
+Requires=local-fs.target
+After=local-fs.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=first-boot-complete.target sysinit.target autorelabel.service
+ConditionPathIsReadWrite=/etc
+ConditionFirstBoot=yes
+
+[Service]
+ExecStart=touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
--- a/test/units/testsuite-06.sh
+++ b/test/units/testsuite-06.sh
@ -3,6 +3,12 @@
 set -eux
 set -o pipefail

+. /etc/os-release
+if ! [[ "$ID" =~ centos|fedora ]]; then
+    echo "Skipping because only CentOS and Fedora support SELinux tests" >>/skipped
+    exit 77
+fi
+
 # Note: ATTOW the following checks should work with both Fedora and upstream reference policy
 #       (with or without MCS/MLS)