From dc916a167ed322a1920321ff066ba22690f88186 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Wed, 14 Jul 2021 20:29:37 +0200
Subject: [PATCH] test: add a sanity test for systemd/systemd#19976 which should ensure we can use nspawn containers with SELinux context set via the `--selinux-context=` and `--selinux-apifs-context=` options.
---
test/TEST-13-NSPAWN-SMOKE/test.sh | 5 +++++
test/units/testsuite-13.sh | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh
index 18db8d4284f..352f00682b6 100755
--- a/test/TEST-13-NSPAWN-SMOKE/test.sh
+++ b/test/TEST-13-NSPAWN-SMOKE/test.sh
@@ -12,6 +12,11 @@ test_append_files() {
(
local workspace="${1:?}"
+ if selinuxenabled >/dev/null; then
+ dracut_install selinuxenabled
+ cp -ar /etc/selinux "$workspace/etc/selinux"
+ fi
+
"$TEST_BASE_DIR/create-busybox-container" "$workspace/testsuite-13.nc-container"
initdir="$workspace/testsuite-13.nc-container" dracut_install nc ip md5sum
)
diff --git a/test/units/testsuite-13.sh b/test/units/testsuite-13.sh
index 0d468b2db17..8f3c0b2df83 100755
--- a/test/units/testsuite-13.sh
+++ b/test/units/testsuite-13.sh
@@ -115,6 +115,16 @@ EOF
return "$(systemctl show -P ExecMainStatus nspawn_machinectl_bind.service)"
}
+function check_selinux {
+ if ! selinuxenabled; then
+ echo >&2 "SELinux is not enabled, skipping SELinux-related tests"
+ return 0
+ fi
+
+ # Basic test coverage to avoid issues like https://github.com/systemd/systemd/issues/19976
+ systemd-nspawn "${SUSE_OPTS[@]}" --register=no -b -D /testsuite-13.nc-container --selinux-apifs-context=system_u:object_r:container_file_t:s0:c0,c1 --selinux-context=system_u:system_r:container_t:s0:c0,c1
+}
+
function run {
if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
@@ -199,4 +209,6 @@ done
check_machinectl_bind
+check_selinux
+
touch /testok
--
2.47.3
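Review bot: The added `cp -ar /etc/selinux "$workspace/etc/selinux"` in test_append_files lands in a nested `$workspace/etc/selinux/selinux` if the destination directory already exists in the image, which would leave the guest with whatever policy tree was there before; whether it exists at this point is not visible in the hunk. Copying into the parent, `cp -ar /etc/selinux "$workspace/etc/"`, behaves the same in both cases. The `selinuxenabled` gate here reflects the host that builds the image, so an image built on a host without SELinux never receives the binary and the in-guest check presumably always takes its skip path. A one-line comment above the `if` saying that the host policy is copied so the guest can resolve the contexts used by the test would help the next reader.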
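Review bot: check_selinux gates only on `selinuxenabled`, but the contexts it passes use the `container_t` and `container_file_t` types, which the loaded policy has to define; on an SELinux-enabled system whose policy lacks them the `systemd-nspawn` call would presumably fail the test instead of skipping it. The call also only shows that nspawn boots and exits with those options set, not that the payload or the API filesystems actually carry the requested labels, so a comment such as `# Smoke test: only checks that nspawn starts with the contexts set, not that they were applied` would set the right expectation. The skip path returns 0 with only a stderr line, so on CI without SELinux the coverage for the referenced issue is absent while the run still reaches `touch /testok` in the last hunk; it is worth stating in the comment which environments are expected to exercise it.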