
ci: disable selinux in the rawhide container
Some tests (especially non-root in a user namespace) in the container
need selinux to be disabled.  In the container it is not possible to
change the state of selinux.  Let's just disable it for this test run.

Signed-off-by: Adrian Reber <areber@redhat.com>
adrianreber committed Dec 1, 2023
1 parent af6e9ae commit 2f7daf4
Showing 3 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions scripts/ci/prepare-for-fedora-rawhide.sh
Expand Up @@ -18,6 +18,7 @@ dnf install -y \
libnet-devel \
libnl3-devel \
libbsd-devel \
libselinux-utils \
make \
procps-ng \
protobuf-c-devel \
4 changes: 2 additions & 2 deletions scripts/ci/run-ci-tests.sh
Expand Up @@ -292,7 +292,7 @@ if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
make -C test/zdtm/ cleanout
rm -rf test/dump
setcap cap_checkpoint_restore,cap_sys_ptrace+eip criu/criu
if [ -d /sys/fs/selinux ]; then
if [ -d /sys/fs/selinux ] && [ ! -e /run/.containerenv ]; then
# Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back.
selinuxmode=$(getenforce)
setenforce Permissive
Expand All @@ -301,7 +301,7 @@ if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
# under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
# otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true"
if [ -d /sys/fs/selinux ]; then
if [ -d /sys/fs/selinux ] && [ ! -e /run/.containerenv ]; then
setenforce "$selinuxmode"
fi
setcap -r criu/criu
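Review bot: The new guard on the two `if [ -d /sys/fs/selinux ] && [ ! -e /run/.containerenv ]; then` lines recognises only podman's marker file, so if run-ci-tests.sh is ever executed under docker (marker `/.dockerenv`) the script would still try `setenforce Permissive` inside the container, the very situation the commit message says cannot work. The same compound condition is also evaluated twice, roughly ten lines apart, and a later edit to only one copy would leave `setenforce "$selinuxmode"` running with an unset variable; computing it once into a flag before the first `if` (`selinux_toggle=0`, `if [ -d /sys/fs/selinux ] && [ ! -e /run/.containerenv ] && [ ! -e /.dockerenv ]; then selinux_toggle=1; fi`) and testing `if [ "$selinux_toggle" = 1 ]; then` at both sites keeps the enter and restore paths in lockstep. The enclosing `if capsh --supports=cap_checkpoint_restore ...` block starts and ends outside the hunks.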
4 changes: 4 additions & 0 deletions scripts/ci/vagrant.sh
Expand Up @@ -70,6 +70,10 @@ fedora-rawhide() {
#
ssh default 'sudo dnf remove -y crun || true'
ssh default sudo dnf install -y podman runc
# Some tests in the container need selinux to be disabled.
# In the container it is not possible to change the state of selinux.
# Let's just disable it for this test run completely.
ssh default 'sudo setenforce Permissive'
ssh default 'cd /vagrant; tar xf criu.tar; cd criu; sudo -E make -C scripts/ci fedora-rawhide CONTAINER_RUNTIME=podman BUILD_OPTIONS="--security-opt seccomp=unconfined"'
}

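Review bot: The comment added above `ssh default 'sudo setenforce Permissive'` says SELinux is disabled "completely", but `setenforce Permissive` only stops enforcement: the policy stays loaded and AVC denials are still logged, which matters because those log entries are the evidence when a test fails for an SELinux reason. Suggest replacing the three comment lines with `# Tests run in the container need SELinux out of the way, and the mode cannot be changed from inside the container; switch the host to Permissive (policy still loaded, denials still logged) for this run.` The command also assumes the Fedora box boots with SELinux enabled; if it is ever disabled, `setenforce` returns non-zero and, should this script run under `set -e`, the function stops before the build, so a one-line `# assumes the box boots with SELinux enabled (setenforce fails otherwise)` comment would save the next reader a guess.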
