From 27acc152033e3adbc744fbefa842edf28810b663 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 8 Jan 2025 13:31:11 +0100
Subject: [PATCH] TEST-06-SELINUX: Add knob to allow checking for AVCs

When running the integration tests downstream, it's useful to be able to test that a new systemd version doesn't introduce any AVC denials, so let's add a knob to make that possible.

(cherry picked from commit de19520ec979902fd457515d1a795210fdaedf93)
---
 test/README.testsuite | 10 ++++++++++
 test/fmf/integration-tests/test.sh | 7 +++++++
 test/units/TEST-06-SELINUX.sh | 4 ++++
 3 files changed, 21 insertions(+)

diff --git a/test/README.testsuite b/test/README.testsuite
index da2d17a6db..6b367aa673 100644
--- a/test/README.testsuite
+++ b/test/README.testsuite
@@ -151,6 +151,16 @@ that make use of `run_testcases`.
 `TEST_SKIP_TESTCASE=testcase`: takes a space separated list of testcases to skip.
+### SELinux AVCs
+
+To have `TEST-06-SELINUX` check for SELinux denials, write the following to
+mkosi.local.conf:
+
+```conf
+[Runtime]
+KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=1
+```
+
 ## Ubuntu CI
 New PRs submitted to the project are run through regression tests, and one set
diff --git a/test/fmf/integration-tests/test.sh b/test/fmf/integration-tests/test.sh
index 4545090c3c..fccfa15c72 100755
--- a/test/fmf/integration-tests/test.sh
+++ b/test/fmf/integration-tests/test.sh
@@ -69,6 +69,13 @@ ToolsTreeDistribution=$ID
 ToolsTreeRelease=${VERSION_ID:-rawhide}
 EOF
+if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
+ tee --append mkosi.local.conf <