TEST-06-SELINUX: Simplify auto-relabeling

Let's ship a .autorelabel file so we can get rid of
firstboot-autorelabel.service.

diff --git a/mkosi.images/system/mkosi.extra/.autorelabel b/mkosi.images/system/mkosi.extra/.autorelabel
new file mode 100644 (file)
index 0000000..bd4fba4
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/.autorelabel
@@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later

diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
index fb82f3608f2f0f19d02d10314e38b5b8ff1f3bf0..aea1b5eea0c97b4eb479f6f8296e5f8cc54b1f1d 100644 (file)
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -31,3 +31,6 @@ disable auditd.service
 
 # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
 enable systemd-timesyncd.service
+
+# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
+enable autorelabel.service

diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 5376f943c2317d9a7f593e83294577293fd29ea1..ec4b502b942e49456b8cae4f8d130e81f19bff1b 100644 (file)
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@@ -4,7 +4,7 @@ integration_tests += [
         integration_test_template + {
                 'name' : fs.name(meson.current_source_dir()),
                 'mkosi-args' : integration_test_template['mkosi-args'] + [
-                        '--kernel-command-line-extra=apparmor=0 selinux=1 enforcing=0 lsm=selinux systemd.wants=autorelabel.service systemd.wants=firstboot-autorelabel.service'
+                        '--kernel-command-line-extra=selinux=1 lsm=selinux'
                 ],
                 # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
                 'firmware' : 'uefi',

diff --git a/test/units/autorelabel.service b/test/units/autorelabel.service
index fd652225d9eabf4be46248947c58f0c9be7e2673..5f8386ee852a831c68a4fb68b2c485fea276054b 100644 (file)
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@@ -5,20 +5,15 @@ DefaultDependencies=no
 Requires=local-fs.target
 After=local-fs.target
 Conflicts=shutdown.target
-Before=shutdown.target
-Before=multi-user.target
-# Needs to access /var, which may not have been populated yet
-After=systemd-tmpfiles-setup.service
-# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
-After=systemd-machine-id-commit.service
+Before=shutdown.target basic.target
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
+SuccessAction=reboot
 
 [Service]
-ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel; systemctl --force reboot'
+ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel;'
 Type=oneshot
 TimeoutSec=infinity
-RemainAfterExit=yes
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target

diff --git a/test/units/firstboot-autorelabel.service b/test/units/firstboot-autorelabel.service
deleted file mode 100644 (file)
index b69dcf7..0000000
--- a/test/units/firstboot-autorelabel.service
+++ /dev/null
@@ -1,20 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Activate relabelling on firstboot only
-DefaultDependencies=no
-Wants=first-boot-complete.target
-Requires=local-fs.target
-After=local-fs.target
-Conflicts=shutdown.target
-Before=shutdown.target
-Before=first-boot-complete.target sysinit.target autorelabel.service
-ConditionPathIsReadWrite=/etc
-ConditionFirstBoot=yes
-
-[Service]
-ExecStart=touch /.autorelabel
-Type=oneshot
-RemainAfterExit=yes
-
-[Install]
-WantedBy=sysinit.target