which should ensure we can use nspawn containers with SELinux context set via
the `--selinux-context=` and `--selinux-apifs-context=` options.
(
local workspace="${1:?}"
+ if selinuxenabled >/dev/null; then
+ dracut_install selinuxenabled
+ cp -ar /etc/selinux "$workspace/etc/selinux"
+ fi
+
"$TEST_BASE_DIR/create-busybox-container" "$workspace/testsuite-13.nc-container"
initdir="$workspace/testsuite-13.nc-container" dracut_install nc ip md5sum
)
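Review bot: The added `cp -ar /etc/selinux "$workspace/etc/selinux"` behaves differently depending on whether the destination already exists. If something earlier in the image build has created `$workspace/etc/selinux`, the host tree ends up nested as `etc/selinux/selinux` and the guest will not find its policy where it expects it. Copying into the parent directory avoids the ambiguity: `cp -ar /etc/selinux "$workspace/etc/"`. The condition `selinuxenabled >/dev/null` also leaves stderr open, so a build host without the binary prints a command-not-found message; `command -v selinuxenabled >/dev/null && selinuxenabled` would keep the log clean. The enclosing function starts before this hunk, so whether `$workspace/etc` is guaranteed to exist at this point cannot be confirmed from here.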
return "$(systemctl show -P ExecMainStatus nspawn_machinectl_bind.service)"
}
+function check_selinux {
+ if ! selinuxenabled; then
+ echo >&2 "SELinux is not enabled, skipping SELinux-related tests"
+ return 0
+ fi
+
+ # Basic test coverage to avoid issues like https://github.com/systemd/systemd/issues/19976
+ systemd-nspawn "${SUSE_OPTS[@]}" --register=no -b -D /testsuite-13.nc-container --selinux-apifs-context=system_u:object_r:container_file_t:s0:c0,c1 --selinux-context=system_u:system_r:container_t:s0:c0,c1
+}
+
function run {
if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
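Review bot: `check_selinux` only establishes that `systemd-nspawn` exits successfully with `--selinux-context=` and `--selinux-apifs-context=` set; nothing in the function checks that the labels were actually applied to the payload or the API filesystems. A regression where the options are accepted but silently ignored would still pass, which matters for a confinement feature. At minimum, state the limit in the comment above the call, e.g. `# Only checks that the container boots with the contexts set; the resulting labels are not verified`. A follow-up could have the container's init compare `/proc/self/attr/current` with the requested context. Note also that `if ! selinuxenabled` treats a missing binary (exit 127) the same as "disabled", so on any image built on a non-SELinux host the test is skipped with only a stderr line; CI coverage for the linked issue therefore depends on at least one SELinux-enabled runner.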
check_machinectl_bind
+check_selinux
+
touch /testok