This gets rid of the requirement to run the image build as root.
sanitizers: ""
llvm: 0
cflags: "-O2 -D_FORTIFY_SOURCE=3"
- relabel: no
vm: 1
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: no
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: no
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: no
vm: 0
no_qemu: 1
no_kvm: 1
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: no
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: no
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: address,undefined
llvm: 1
cflags: "-Og"
- relabel: yes
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: yes
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: yes
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: yes
vm: 0
no_qemu: 0
no_kvm: 0
sanitizers: ""
llvm: 0
cflags: "-Og"
- relabel: yes
vm: 0
no_qemu: 0
no_kvm: 0
LLVM=${{ matrix.llvm }}
SYSEXT=1
- [Content]
- SELinuxRelabel=${{ matrix.relabel }}
-
[Runtime]
RAM=4G
EOF
KernelInitrdModules=default
-# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
-# and results in lots of errors when building images as a regular user.
+# Disable relabeling by default as TEST-06-SELINUX handles relabeling itself at runtime.
SELinuxRelabel=no
# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
disable raid-check.timer
disable systemd-tmpfiles-clean.timer
-# mkosi relabels the image itself so no need to do it on boot.
+# TEST-06-SELINUX handles relabeling itself at runtime.
disable selinux-autorelabel-mark.service
enable coverage-forwarder.service
PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
Packages=
coreutils
+ policycoreutils
swtpm-tools
tpm2-tools
btrfs-progs
coreutils
kmod
+ policycoreutils
tpm2.0-tools
VolatilePackages=
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=Relabel /sysroot for SELinux
+
+DefaultDependencies=no
+ConditionPathExists=/sysroot/etc/selinux/config
+After=initrd-root-fs.target
+After=initrd.target initrd-parse-etc.service remote-fs.target
+Before=initrd-cleanup.service
+
+[Service]
+Type=oneshot
+ExecStart=sh -c '. /sysroot/etc/selinux/config && [ -n "$${SELINUXTYPE}" ] && setfiles -mFr /sysroot -T0 -c /sysroot/etc/selinux/$${SELINUXTYPE}/policy/policy.* /sysroot/etc/selinux/$${SELINUXTYPE}/contexts/files/file_contexts /sysroot'
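Review bot: The ExecStart chain in the new unit fails instead of skipping when SELINUXTYPE is empty, because `[ -n "$${SELINUXTYPE}" ]` is the last test before setfiles and its false result becomes the shell's exit status, so the oneshot lands in failed state in the initrd rather than doing nothing. Splitting the guard off makes the intent explicit: `ExecStart=sh -c '. /sysroot/etc/selinux/config; [ -n "$${SELINUXTYPE}" ] || exit 0; exec setfiles -mFr /sysroot -T0 -c /sysroot/etc/selinux/$${SELINUXTYPE}/policy/policy.* /sysroot/etc/selinux/$${SELINUXTYPE}/contexts/files/file_contexts /sysroot'` (the `$$` stays: systemd reduces it to a single `$` so the shell, not the unit parser, expands the variable). Two things this page cannot settle deserve a comment above ExecStart: the `policy.*` glob passes every file it matches, so a directory holding more than one policy version would shift the positional arguments, and setfiles runs inside the initrd, so it must be present in the initrd image — the Packages= hunks above add policycoreutils to the centos-fedora and opensuse root images, but whether that also reaches the initrd is not visible here. Sourcing /sysroot/etc/selinux/config executes whatever that file contains as root in the initrd, which is the usual approach but worth one line of comment so nobody later reads it as a plain key=value parse.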
# SPDX-License-Identifier: LGPL-2.1-or-later
-id = find_program('id', required : true)
-uid = run_command(id, '-u', check : true).stdout().strip().to_int()
-
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
- 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'enforcing=0', 'lsm=selinux'],
+ 'cmdline' : integration_test_template['cmdline'] + [
+ 'selinux=1',
+ 'enforcing=0',
+ 'lsm=selinux',
+ 'rd.systemd.wants=initrd-selinux-relabel.service',
+ ],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
# Use 'auto' to automatically fallback on non-uefi architectures.
'firmware' : 'auto',
'vm' : true,
- # Make sure we don't mount anything with virtiofs as otherwise fixfiles will try to relabel
+ # Make sure we don't mount anything with virtiofs as otherwise setfiles will try to relabel
# it.
'mkosi-args' : integration_test_template['mkosi-args'] + ['--runtime-build-sources=no'],
- 'enabled' : uid == 0,
},
]
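Review bot: Removing `'enabled' : uid == 0` leaves nothing in this file saying where relabeling now happens; a reader of the cmdline list sees `rd.systemd.wants=initrd-selinux-relabel.service` with no link to the setfiles run it pulls in. A comment above the `'cmdline'` entry would close that gap: `# Relabel /sysroot from the initrd (initrd-selinux-relabel.service, pulled in via rd.systemd.wants=) instead of at image build time, so the image no longer has to be built as root.` The virtiofs comment a few lines below already refers to setfiles, so the two comments would then describe the same mechanism.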