TEST-06-SELINUX: Simplify auto-relabeling

Let's ship a .autorelabel file so we can get rid of firstboot-autorelabel.service.
2024-10-01 13:55:20 +00:00 · 2024-05-13 12:36:40 +02:00 · 2024-05-13 12:36:40 +02:00 · f6af2976aa
parent c87e243fef
commit f6af2976aa
5 changed files with 9 additions and 30 deletions
--- a/mkosi.images/system/mkosi.extra/.autorelabel
+++ b/mkosi.images/system/mkosi.extra/.autorelabel
@ -0,0 +1 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/system-preset/00-mkosi.preset
@ -31,3 +31,6 @@ disable auditd.service

 # systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
 enable systemd-timesyncd.service
+
+# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
+enable autorelabel.service
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@ -4,7 +4,7 @@ integration_tests += [
        integration_test_template + {
                'name' : fs.name(meson.current_source_dir()),
                'mkosi-args' : integration_test_template['mkosi-args'] + [
-                        '--kernel-command-line-extra=apparmor=0 selinux=1 enforcing=0 lsm=selinux systemd.wants=autorelabel.service systemd.wants=firstboot-autorelabel.service'
+                        '--kernel-command-line-extra=selinux=1 lsm=selinux'
                ],
                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
                'firmware' : 'uefi',
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@ -5,20 +5,15 @@ DefaultDependencies=no
 Requires=local-fs.target
 After=local-fs.target
 Conflicts=shutdown.target
-Before=shutdown.target
-Before=multi-user.target
-# Needs to access /var, which may not have been populated yet
-After=systemd-tmpfiles-setup.service
-# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
-After=systemd-machine-id-commit.service
+Before=shutdown.target basic.target
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
+SuccessAction=reboot

 [Service]
-ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel; systemctl --force reboot'
+ExecStart=sh -xec 'echo 0 >/sys/fs/selinux/enforce; fixfiles -f -F relabel; rm /.autorelabel;'
 Type=oneshot
 TimeoutSec=infinity
-RemainAfterExit=yes

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/test/units/firstboot-autorelabel.service
+++ b/test/units/firstboot-autorelabel.service
@ -1,20 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Unit]
-Description=Activate relabelling on firstboot only
-DefaultDependencies=no
-Wants=first-boot-complete.target
-Requires=local-fs.target
-After=local-fs.target
-Conflicts=shutdown.target
-Before=shutdown.target
-Before=first-boot-complete.target sysinit.target autorelabel.service
-ConditionPathIsReadWrite=/etc
-ConditionFirstBoot=yes
-
-[Service]
-ExecStart=touch /.autorelabel
-Type=oneshot
-RemainAfterExit=yes
-
-[Install]
-WantedBy=sysinit.target
				`@ -0,0 +1 @@`
				`# SPDX-License-Identifier: LGPL-2.1-or-later`