test: add a sanity test for systemd/systemd#19976

which should ensure we can use nspawn containers with SELinux context set via
the `--selinux-context=` and `--selinux-apifs-context=` options.

test/TEST-13-NSPAWN-SMOKE/test.sh

@@ -12,6 +12,11 @@ test_append_files() {
     (
         local workspace="${1:?}"
 
+        if selinuxenabled >/dev/null; then
+            dracut_install selinuxenabled
+            cp -ar /etc/selinux "$workspace/etc/selinux"
+        fi
+
         "$TEST_BASE_DIR/create-busybox-container" "$workspace/testsuite-13.nc-container"
         initdir="$workspace/testsuite-13.nc-container" dracut_install nc ip md5sum
     )

test/units/testsuite-13.sh

@@ -115,6 +115,16 @@ EOF
     return "$(systemctl show -P ExecMainStatus nspawn_machinectl_bind.service)"
 }
 
+function check_selinux {
+    if ! selinuxenabled; then
+        echo >&2 "SELinux is not enabled, skipping SELinux-related tests"
+        return 0
+    fi
+
+    # Basic test coverage to avoid issues like https://github.com/systemd/systemd/issues/19976
+    systemd-nspawn "${SUSE_OPTS[@]}" --register=no -b -D /testsuite-13.nc-container --selinux-apifs-context=system_u:object_r:container_file_t:s0:c0,c1 --selinux-context=system_u:system_r:container_t:s0:c0,c1
+}
+
 function run {
     if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
         printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
@@ -199,4 +209,6 @@ done
 
 check_machinectl_bind
 
+check_selinux
+
 touch /testok