Merge pull request #20225 from mrc0mmand/selinux-nspawn-sanity

test: add a sanity test for #19976

test/TEST-13-NSPAWN-SMOKE/test.sh

@@ -12,6 +12,11 @@ test_append_files() {
     (
         local workspace="${1:?}"
 
+        if selinuxenabled >/dev/null; then
+            dracut_install selinuxenabled
+            cp -ar /etc/selinux "$workspace/etc/selinux"
+        fi
+
         "$TEST_BASE_DIR/create-busybox-container" "$workspace/testsuite-13.nc-container"
         initdir="$workspace/testsuite-13.nc-container" dracut_install nc ip md5sum
     )

test/test-functions

@@ -417,7 +417,6 @@ run_qemu() {
         "loglevel=2"
         "init=$PATH_TO_INIT"
         "console=$CONSOLE"
-        "selinux=0"
         "SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/testsuite-$1.units:/usr/lib/systemd/tests/testdata/units:"
         "systemd.unit=testsuite.target"
         "systemd.wants=testsuite-$1.service"

test/units/testsuite-13.sh

@@ -115,6 +115,16 @@ EOF
     return "$(systemctl show -P ExecMainStatus nspawn_machinectl_bind.service)"
 }
 
+function check_selinux {
+    if ! selinuxenabled; then
+        echo >&2 "SELinux is not enabled, skipping SELinux-related tests"
+        return 0
+    fi
+
+    # Basic test coverage to avoid issues like https://github.com/systemd/systemd/issues/19976
+    systemd-nspawn "${SUSE_OPTS[@]}" --register=no -b -D /testsuite-13.nc-container --selinux-apifs-context=system_u:object_r:container_file_t:s0:c0,c1 --selinux-context=system_u:system_r:container_t:s0:c0,c1
+}
+
 function run {
     if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
         printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
@@ -199,4 +209,6 @@ done
 
 check_machinectl_bind
 
+check_selinux
+
 touch /testok