sanitizers: ""
llvm: 0
cflags: "-O2 -D_FORTIFY_SOURCE=3"
+ relabel: no
- distro: debian
release: testing
sanitizers: ""
llvm: 0
cflags: "-Og"
+ relabel: no
- distro: ubuntu
release: noble
sanitizers: ""
llvm: 0
cflags: "-Og"
+ relabel: no
- distro: fedora
release: "40"
sanitizers: ""
llvm: 0
cflags: "-Og"
+ relabel: yes
- distro: fedora
release: rawhide
sanitizers: address,undefined
llvm: 1
cflags: "-Og"
+ relabel: yes
- distro: opensuse
release: tumbleweed
sanitizers: ""
llvm: 0
cflags: "-Og"
+ relabel: no
- distro: centos
release: "9"
sanitizers: ""
llvm: 0
cflags: "-Og"
+ relabel: yes
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
MESON_OPTIONS=--werror
LLVM=${{ matrix.llvm }}
+ SELinuxRelabel=${{ matrix.relabel }}
+
[Host]
QemuMem=4G
# We build with debuginfo so there's no point in mounting the sources into the machine.
-Dvmspawn=enabled
- name: Build image
- run: meson compile -C build mkosi
+ run: sudo meson compile -C build mkosi
- name: Run integration tests
run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))"
CacheDirectory=build/mkosi.cache
[Content]
-SELinuxRelabel=no
BuildSourcesEphemeral=yes
Autologin=yes
Environment=
SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
+# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
+# and results in lots of errors when building images as a regular user.
+SELinuxRelabel=no
+
# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
# various scenarios. Consider adding support for a credential instead if possible and using that.
KernelCommandLine=systemd.crash_shell
# SPDX-License-Identifier: LGPL-2.1-or-later
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+
[Match]
Profile=!particle
[Content]
-# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
-# building a /usr-only image.
Packages=
selinux-policy
selinux-policy-targeted
setools-console
-
-# We relabel on first boot instead of at build time because it is only possible to label without root
-# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
-SELinuxRelabel=no
-
-InitrdPackages=
- selinux-policy
- selinux-policy-targeted
# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
enable systemd-timesyncd.service
-# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
-enable autorelabel.service
-
# Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead.
disable iscsi.service
disable iscsid.socket
disable iscsiuio.socket
+
+# mkosi relabels the image itself so no need to do it on boot.
+disable selinux-autorelabel-mark.service
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
- 'cmdline' : integration_test_template['cmdline'] + ['systemd.wants=autorelabel.service', 'selinux=1', 'lsm=selinux'],
+ 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
# Use 'auto' to automatically fallback on non-uefi architectures.
'firmware' : 'auto',
projects / thirdparty / systemd.git / commitdiff
