From: Daan De Meyer
Date: Mon, 13 May 2024 10:36:40 +0000 (+0200)
Subject: TEST-06-SELINUX: Simplify auto-relabeling
X-Git-Tag: v256-rc2~18^2~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6af2976aa267d762da5a1dc0f6cfa1059f879e9;p=thirdparty%2Fsystemd.git

TEST-06-SELINUX: Simplify auto-relabeling

Let's ship a .autorelabel file so we can get rid of firstboot-autorelabel.service.
---
diff --git a/mkosi.images/system/mkosi.extra/.autorelabel b/mkosi.images/system/mkosi.extra/.autorelabel
new file mode 100644
index 00000000000..bd4fba4dfea
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/.autorelabel
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
index fb82f3608f2..aea1b5eea0c 100644
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -31,3 +31,6 @@ disable auditd.service
 # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
 enable systemd-timesyncd.service
+
+# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
+enable autorelabel.service
diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 5376f943c23..ec4b502b942 100644
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
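Review bot: The new comment `# Skipped if selinux is not enabled, required for TEST-06-SELINUX.` states the effect without naming what produces it; the skip comes from the unit's own `ConditionSecurity=selinux`, while `enable` here only links the unit into its `WantedBy=` target. Recording the mechanism keeps the preset honest if that condition is ever dropped from the unit, e.g. `# autorelabel.service carries ConditionSecurity=selinux, so this is a no-op without SELinux; required for TEST-06-SELINUX.` The `WantedBy=` target itself is defined in test/units/autorelabel.service, not in this file.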
@@ -4,7 +4,7 @@ integration_tests += [
 integration_test_template + {
 'name' : fs.name(meson.current_source_dir()),
 'mkosi-args' : integration_test_template['mkosi-args'] + [
- '--kernel-command-line-extra=apparmor=0 selinux=1 enforcing=0 lsm=selinux systemd.wants=autorelabel.service systemd.wants=firstboot-autorelabel.service'
+ '--kernel-command-line-extra=selinux=1 lsm=selinux'
 ],
 # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
 'firmware' : 'uefi',
diff --git a/test/units/autorelabel.service b/test/units/autorelabel.service
index fd652225d9e..5f8386ee852 100644
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@@ -5,20 +5,15 @@ DefaultDependencies=no
 Requires=local-fs.target
 After=local-fs.target
 Conflicts=shutdown.target
-Before=shutdown.target
-Before=multi-user.target
-# Needs to access /var, which may not have been populated yet
-After=systemd-tmpfiles-setup.service
-# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
-After=systemd-machine-id-commit.service
+Before=shutdown.target basic.target
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
+SuccessAction=reboot
 [Service]
-ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel; systemctl --force reboot'
+ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel;'
 Type=oneshot
 TimeoutSec=infinity
-RemainAfterExit=yes
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
diff --git a/test/units/firstboot-autorelabel.service b/test/units/firstboot-autorelabel.service
deleted file mode 100644
index b69dcf72a38..00000000000
--- a/test/units/firstboot-autorelabel.service
+++ /dev/null
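Review bot: Removing `enforcing=0` from `--kernel-command-line-extra=` changes the mode the image boots in from permissive to whatever its SELinux config selects, and autorelabel.service only writes `0` to `/sys/fs/selinux/enforce` once it runs after local-fs.target, so on an image that is not yet labeled anything started before that point could now hit denials under enforcing mode. If the image ships a permissive `/etc/selinux/config` this is fine, but nothing in the diff shows that, so a short comment above the argument recording the assumption would help, e.g. `# enforcing mode is left to the image's SELinux config; autorelabel.service switches to permissive before relabeling`. Dropping `apparmor=0` looks safe given `lsm=selinux` sets the LSM list explicitly. Both the `integration_tests += [` list and the dictionary entry extend beyond the hunk.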
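Review bot: With `SuccessAction=reboot` replacing the explicit `systemctl --force reboot`, a failing `fixfiles` no longer reboots but also stops nothing: `sh -xec` has already run `echo 0 >/sys/fs/selinux/enforce`, the `-e` exit skips `rm /.autorelabel`, and because the unit is only `WantedBy=basic.target` its failure presumably lets the boot continue on a permissive, partially relabeled system. If that is not the intended outcome, pairing the new line with `FailureAction=poweroff-force` would make the failure visible instead of letting the test run in permissive mode. The trailing `;` left in `rm /.autorelabel;'` after the reboot command was cut is harmless but reads as a leftover. The removed `After=systemd-tmpfiles-setup.service` ordering is not replaced; if that is deliberate because files tmpfiles creates under a loaded policy are labeled on creation, a one-line comment saying so would keep the rationale the deleted comment carried. The unit's `[Unit]` header and first lines are outside the hunk.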
@@ -1,20 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Activate relabelling on firstboot only
-DefaultDependencies=no
-Wants=first-boot-complete.target
-Requires=local-fs.target
-After=local-fs.target
-Conflicts=shutdown.target
-Before=shutdown.target
-Before=first-boot-complete.target sysinit.target autorelabel.service
-ConditionPathIsReadWrite=/etc
-ConditionFirstBoot=yes
-
[Service]
-ExecStart=touch /.autorelabel
-Type=oneshot
-RemainAfterExit=yes
-
[Install]
-WantedBy=sysinit.target