From: Daan De Meyer
Date: Thu, 26 Mar 2026 14:40:07 +0000 (+0100)
Subject: TEST-06-SELINUX: Relabel in the initrd rather than at image build time
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72cfcfa0ec2be967833c802fc8237f3eed23994e;p=thirdparty%2Fsystemd.git
TEST-06-SELINUX: Relabel in the initrd rather than at image build time
This gets rid of the requirement to run the image build as root.
---
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 5fd1469ba35..859e50a34cc 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -60,7 +60,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-O2 -D_FORTIFY_SOURCE=3"
- relabel: no
 vm: 1
 no_qemu: 0
 no_kvm: 0
@@ -71,7 +70,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: no
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -82,7 +80,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: no
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -93,7 +90,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: no
 vm: 0
 no_qemu: 1
 no_kvm: 1
@@ -104,7 +100,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: no
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -115,7 +110,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: no
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -126,7 +120,6 @@ jobs:
 sanitizers: address,undefined
 llvm: 1
 cflags: "-Og"
- relabel: yes
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -137,7 +130,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: yes
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -148,7 +140,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: yes
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -159,7 +150,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: yes
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -170,7 +160,6 @@ jobs:
 sanitizers: ""
 llvm: 0
 cflags: "-Og"
- relabel: yes
 vm: 0
 no_qemu: 0
 no_kvm: 0
@@ -233,9 +222,6 @@ jobs:
 LLVM=${{ matrix.llvm }}
 SYSEXT=1
- [Content]
- SELinuxRelabel=${{ matrix.relabel }}
-
 [Runtime]
 RAM=4G
 EOF
diff --git a/mkosi/mkosi.conf b/mkosi/mkosi.conf
index 22547a5a1f9..2fc087cb73f 100644
--- a/mkosi/mkosi.conf
+++ b/mkosi/mkosi.conf
@@ -59,8 +59,7 @@ ExtraTrees=
 KernelInitrdModules=default
-# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
-# and results in lots of errors when building images as a regular user.
+# Disable relabeling by default as TEST-06-SELINUX handles relabeling itself at runtime.
 SELinuxRelabel=no
 # Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
diff --git a/mkosi/mkosi.extra.common/usr/lib/systemd/system-preset/00-mkosi.preset b/mkosi/mkosi.extra.common/usr/lib/systemd/system-preset/00-mkosi.preset
index d7774e03f64..4423c3dabd7 100644
--- a/mkosi/mkosi.extra.common/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi/mkosi.extra.common/usr/lib/systemd/system-preset/00-mkosi.preset
@@ -46,7 +46,7 @@ disable fstrim.timer
 disable raid-check.timer
 disable systemd-tmpfiles-clean.timer
-# mkosi relabels the image itself so no need to do it on boot.
+# TEST-06-SELINUX handles relabeling itself at runtime.
 disable selinux-autorelabel-mark.service
 enable coverage-forwarder.service
diff --git a/mkosi/mkosi.initrd.conf/mkosi.conf.d/centos-fedora.conf b/mkosi/mkosi.initrd.conf/mkosi.conf.d/centos-fedora.conf
index 2077f0662f8..e753749dc44 100644
--- a/mkosi/mkosi.initrd.conf/mkosi.conf.d/centos-fedora.conf
+++ b/mkosi/mkosi.initrd.conf/mkosi.conf.d/centos-fedora.conf
@@ -8,6 +8,7 @@ Distribution=|fedora
 PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
 coreutils
+ policycoreutils
 swtpm-tools
 tpm2-tools
diff --git a/mkosi/mkosi.initrd.conf/mkosi.conf.d/opensuse.conf b/mkosi/mkosi.initrd.conf/mkosi.conf.d/opensuse.conf
index 92fc255670f..c30d970c85a 100644
--- a/mkosi/mkosi.initrd.conf/mkosi.conf.d/opensuse.conf
+++ b/mkosi/mkosi.initrd.conf/mkosi.conf.d/opensuse.conf
@@ -9,6 +9,7 @@ Packages=
 btrfs-progs
 coreutils
 kmod
+ policycoreutils
 tpm2.0-tools
 VolatilePackages=
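Review bot: `policycoreutils` is added only to the centos-fedora and opensuse initrd configs, so on any other distribution this test is run against, `setfiles` would be absent from the initrd and the relabel unit's `ExecStart` would fail whenever `/sysroot/etc/selinux/config` exists to satisfy its condition; whether TEST-06 is run on such a distribution is not visible from this patch. A short comment next to the new package in both hunks, e.g. `# provides setfiles for initrd-selinux-relabel.service`, would record why a policy tool is shipped in the initrd at all.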
diff --git a/mkosi/mkosi.initrd.conf/mkosi.extra/usr/lib/systemd/system/initrd-selinux-relabel.service b/mkosi/mkosi.initrd.conf/mkosi.extra/usr/lib/systemd/system/initrd-selinux-relabel.service
new file mode 100644
index 00000000000..077b36900a2
--- /dev/null
+++ b/mkosi/mkosi.initrd.conf/mkosi.extra/usr/lib/systemd/system/initrd-selinux-relabel.service
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=Relabel /sysroot for SELinux
+
+DefaultDependencies=no
+ConditionPathExists=/sysroot/etc/selinux/config
+After=initrd-root-fs.target
+After=initrd.target initrd-parse-etc.service remote-fs.target
+Before=initrd-cleanup.service
+
+[Service]
+Type=oneshot
+ExecStart=sh -c '. /sysroot/etc/selinux/config && [ -n "$${SELINUXTYPE}" ] && setfiles -mFr /sysroot -T0 -c /sysroot/etc/selinux/$${SELINUXTYPE}/policy/policy.* /sysroot/etc/selinux/$${SELINUXTYPE}/contexts/files/file_contexts /sysroot'
diff --git a/test/integration-tests/TEST-06-SELINUX/meson.build b/test/integration-tests/TEST-06-SELINUX/meson.build
index 22f306260db..8dca509b829 100644
--- a/test/integration-tests/TEST-06-SELINUX/meson.build
+++ b/test/integration-tests/TEST-06-SELINUX/meson.build
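Review bot: The `ExecStart` line sources `/sysroot/etc/selinux/config` with `.`, so the initrd executes whatever that file on the target root contains as shell instead of only reading `SELINUXTYPE`; in this test image the root is produced by the same build, so the exposure is small, but reading the single key is no longer and avoids it, e.g. `SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' /sysroot/etc/selinux/config)` in place of the `.` (keeping the `$$` escaping the unit file needs). The `policy.*` glob handed to `-c` is unguarded: if `policy/` ever holds more than one `policy.NN` file, the extra expansions appear to be consumed as the spec-file and path arguments that follow it. When the config sets no `SELINUXTYPE`, the `&&` chain exits non-zero and the oneshot is recorded as failed rather than skipped, which may be what the test wants but deserves a comment saying so. Nothing in this patch enables the unit through a preset — the meson.build hunk pulls it in via `rd.systemd.wants=` — so a `[Unit]` comment such as `# Not enabled by default; TEST-06-SELINUX pulls this in with rd.systemd.wants= on the kernel command line.` would save the next reader a search.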
@@ -1,19 +1,20 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
-id = find_program('id', required : true)
-uid = run_command(id, '-u', check : true).stdout().strip().to_int()
-
 integration_tests += [
 integration_test_template + {
 'name' : fs.name(meson.current_source_dir()),
- 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'enforcing=0', 'lsm=selinux'],
+ 'cmdline' : integration_test_template['cmdline'] + [
+ 'selinux=1',
+ 'enforcing=0',
+ 'lsm=selinux',
+ 'rd.systemd.wants=initrd-selinux-relabel.service',
+ ],
 # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
 # Use 'auto' to automatically fallback on non-uefi architectures.
 'firmware' : 'auto',
 'vm' : true,
- # Make sure we don't mount anything with virtiofs as otherwise fixfiles will try to relabel
+ # Make sure we don't mount anything with virtiofs as otherwise setfiles will try to relabel
 # it.
 'mkosi-args' : integration_test_template['mkosi-args'] + ['--runtime-build-sources=no'],
- 'enabled' : uid == 0,
 },
 ]
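Review bot: The new `'rd.systemd.wants=initrd-selinux-relabel.service'` entry is what activates the relabel unit for this test, yet the list carries no comment saying so, while the removed `'enabled' : uid == 0` gate that used to document the root requirement is gone. A line such as `# Pull in the relabel unit the initrd ships; nothing enables it by preset.` above the new entry would keep the two halves of the change connected for the next reader. Because the argument lives on the kernel command line, the initrd relabels `/sysroot` on every boot of the VM, including the reboots the FIXME comment above mentions; if that shows up in test time it may be worth guarding, though how long the test runs is not visible from this hunk.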