systemd · bluca · May 4, 2024 · Apr 30, 2024 · Apr 5, 2024 · Apr 30, 2024
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -10,3 +10,11 @@ Packages=
         selinux-policy
         selinux-policy-targeted
         setools-console
+
+# We relabel on first boot instead of at build time because it is only possible to label without root
+# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
+SELinuxRelabel=no
+
+InitrdPackages=
+        selinux-policy
+        selinux-policy-targeted
diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+test_params += {
+        'mkosi_args' : ['--kernel-command-line-extra=apparmor=0 selinux=1 enforcing=0 lsm=selinux systemd.wants=autorelabel.service systemd.wants=firstboot-autorelabel.service'],
+}
diff --git a/test/meson.build b/test/meson.build
@@ -341,7 +341,7 @@ integration_tests = {
         '03': 'TEST-03-JOBS',
         # '04': 'TEST-04-JOURNAL', # Extremely flaky
         '05': 'TEST-05-RLIMITS',
-        # '06': 'TEST-06-SELINUX',
+        '06': 'TEST-06-SELINUX',
         # '07': 'TEST-07-PID1',
         # '08': 'TEST-08-INITRD',
         '09': 'TEST-09-REBOOT',

diff --git a/test/units/autorelabel.service b/test/units/autorelabel.service
@@ -3,9 +3,14 @@
 Description=Relabel all filesystems
 DefaultDependencies=no
 Requires=local-fs.target
-Conflicts=shutdown.target
 After=local-fs.target
-Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=multi-user.target
+# Needs to access /var, which may not have been populated yet
+After=systemd-tmpfiles-setup.service
+# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
+After=systemd-machine-id-commit.service
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
 
@@ -16,4 +21,4 @@ TimeoutSec=infinity
 RemainAfterExit=yes
 
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
diff --git a/test/units/firstboot-autorelabel.service b/test/units/firstboot-autorelabel.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Activate relabelling on firstboot only
+DefaultDependencies=no
+Wants=first-boot-complete.target
+Requires=local-fs.target
+After=local-fs.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=first-boot-complete.target sysinit.target autorelabel.service
+ConditionPathIsReadWrite=/etc
+ConditionFirstBoot=yes
+
+[Service]
+ExecStart=touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
diff --git a/test/units/testsuite-06.sh b/test/units/testsuite-06.sh
@@ -3,6 +3,12 @@
 set -eux
 set -o pipefail
 
+. /etc/os-release
+if ! [[ "$ID" =~ centos|fedora ]]; then
+    echo "Skipping because only CentOS and Fedora support SELinux tests" >>/skipped
+    exit 77
+fi
+
 # Note: ATTOW the following checks should work with both Fedora and upstream reference policy
 #       (with or without MCS/MLS)