Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TEST-06-SELINUX to mkosi integration tests #32588

Merged
merged 4 commits into from May 4, 2024
Merged

Add TEST-06-SELINUX to mkosi integration tests #32588

merged 4 commits into from May 4, 2024

Conversation

richardmaw-codethink
Copy link
Contributor

@richardmaw-codethink richardmaw-codethink commented Apr 30, 2024
edited by github-actions bot

This is based on #32540

@github-actions github-actions bot added nspawn build-system selinux tests meson please-review PR is ready for (re-)review by a maintainer labels Apr 30, 2024
@github-actions GitHub Actions
Copy link

Important

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

DaanDeMeyer
DaanDeMeyer requested changes Apr 30, 2024
View reviewed changes
Copy link
Contributor

@DaanDeMeyer DaanDeMeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of having --setup-selinux, can we just have a generic kernel_command_line field in test_params which we modify in TEST-06-SELINUX/meson.build?

@richardmaw-codethink richardmaw-codethink force-pushed the mkosi-selinux branch 2 times, most recently from 5fd44a0 to d8cb436 Compare May 1, 2024 16:57
@richardmaw-codethink
Copy link
Contributor Author

Instead of having --setup-selinux, can we just have a generic kernel_command_line field in test_params which we modify in TEST-06-SELINUX/meson.build?

Could even go the whole way and do it as test_params += {'mkosi_args' : ['--kernel-command-line-extra=...']} if we want to keep the number of explicitly implemented features down.

@DaanDeMeyer
Copy link
Contributor

Instead of having --setup-selinux, can we just have a generic kernel_command_line field in test_params which we modify in TEST-06-SELINUX/meson.build?

Could even go the whole way and do it as test_params += {'mkosi_args' : ['--kernel-command-line-extra=...']} if we want to keep the number of explicitly implemented features down.

Yeah that's actually better for now, let's do it like that.

@richardmaw-codethink richardmaw-codethink force-pushed the mkosi-selinux branch 3 times, most recently from 3361a32 to e6d40b2 Compare May 2, 2024 15:26
@richardmaw-codethink
test: Skip TEST-06-SELINUX early if not on fedora/centos
049b456 
Other distributions may be able to install selinux
but they are not expected to use it.

The distribution is tested rather than whether selinux is enabled
because it is expected to work on CentOS and Fedora
and we want it to fail noisily.
@richardmaw-codethink
test: Integrate custom selinux relabelling unit with firstboot
a2a734e
@richardmaw-codethink
mkosi: Disable selinux labelling and install policy in initramfs
e26efe0 
It is necessary to install the selinux policy in the initramfs
so that userland is entered with the correct label.

SELinuxRelabel defaults to auto, which will skip if the relabelling
command is not installed and will treat failure to relabel as non-fatal.

We can't force it on because root privileges are required if the labels
don't exist on the host system and we would like to be able to
cross-build from other distributions.

Since we are already committed to relabelling on first boot
there is no value in even trying to label.
@richardmaw-codethink
test: Enable TEST-06-SELINUX testing with mkosi
ab9d602
@bluca bluca merged commit 72007bb into systemd:main May 4, 2024
43 of 49 checks passed
@github-actions github-actions bot removed the please-review PR is ready for (re-)review by a maintainer label May 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DaanDeMeyer DaanDeMeyer DaanDeMeyer requested changes

@bluca bluca bluca approved these changes

Assignees
No one assigned
Labels
mkosi selinux tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@richardmaw-codethink @DaanDeMeyer @bluca