From de19520ec979902fd457515d1a795210fdaedf93 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Wed, 8 Jan 2025 13:31:11 +0100 Subject: [PATCH] TEST-06-SELINUX: Add knob to allow checking for AVCs When running the integration tests downstream, it's useful to be able to test that a new systemd version doesn't introduce any AVC denials, so let's add a knob to make that possible. --- test/README.md | 10 ++++++++++ test/fmf/integration-tests/test.sh | 7 +++++++ test/units/TEST-06-SELINUX.sh | 4 ++++ 3 files changed, 21 insertions(+) diff --git a/test/README.md b/test/README.md index 396ac0ed32..f880a984f1 100644 --- a/test/README.md +++ b/test/README.md @@ -151,6 +151,16 @@ that make use of `run_testcases`. `TEST_SKIP_TESTCASE=testcase`: takes a space separated list of testcases to skip. +### SELinux AVCs + +To have `TEST-06-SELINUX` check for SELinux denials, write the following to +mkosi.local.conf: + +```conf +[Runtime] +KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=1 +``` + ## Ubuntu CI New PRs submitted to the project are run through regression tests, and one set diff --git a/test/fmf/integration-tests/test.sh b/test/fmf/integration-tests/test.sh index effe4b2d6f..be8d874dc4 100755 --- a/test/fmf/integration-tests/test.sh +++ b/test/fmf/integration-tests/test.sh @@ -69,6 +69,13 @@ ToolsTreeDistribution=$ID ToolsTreeRelease=${VERSION_ID:-rawhide} EOF +if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then + tee --append mkosi.local.conf <
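Review bot: in the `test/README.md` hunk, the new "SELinux AVCs" section says how to turn the check on but not what happens when a denial is found. Add one sentence stating the outcome (for example, whether `TEST-06-SELINUX` fails when an AVC is logged), so downstream users know what result to expect. The file name mkosi.local.conf in the same paragraph should also be in backticks, matching `TEST-06-SELINUX` and the other inline literals in this file.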
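Review bot: in the `test/fmf/integration-tests/test.sh` hunk, the guard `[[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]` treats any non-empty value as enabled, so `TEST_SELINUX_CHECK_AVCS=0` would still switch the AVC check on, while the README only documents `=1`. Either test for the documented value, e.g. `[[ "${TEST_SELINUX_CHECK_AVCS:-0}" == "1" ]]`, or say in the README that any non-empty value enables the check. The README also only describes the `mkosi.local.conf` route, so it is worth a line there that the fmf wrapper picks the knob up from the environment.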