When running the integration tests downstream, it's useful to be
able to test that a new systemd version doesn't introduce any AVC
denials, so let's add a knob to make that possible.
(cherry picked from commit
de19520ec979902fd457515d1a795210fdaedf93)
`TEST_SKIP_TESTCASE=testcase`: takes a space separated list of testcases to skip.
+### SELinux AVCs
+
+To have `TEST-06-SELINUX` check for SELinux denials, write the following to
+mkosi.local.conf:
+
+```conf
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=1
+```
+
## Ubuntu CI
New PRs submitted to the project are run through regression tests, and one set
ToolsTreeRelease=${VERSION_ID:-rawhide}
EOF
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
+ tee --append mkosi.local.conf <<EOF
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
+EOF
+fi
+
if [[ -n "${TESTING_FARM_REQUEST_ID:-}" ]]; then
tee --append mkosi.local.conf <<EOF
[Build]
[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" stat --printf %C /run)" == "$CONTEXT" ]]
[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" --tmpfs=/tmp stat --printf %C /tmp)" == "$CONTEXT" ]]
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]] && ((TEST_SELINUX_CHECK_AVCS)); then
+ (! journalctl -t audit -g AVC -o cat)
+fi
+
touch /testok
projects / thirdparty / systemd.git / commitdiff
