Merge pull request #7440 from sylvestre/selinux

CI: add a new job to test with Selinux
2025-07-27 11:07:44 +00:00 · 2025-03-14 13:40:01 +01:00 · 2025-03-14 13:40:01 +01:00 · 5f6a7d0ffa
commit 5f6a7d0ffa
parent eb11961329 a193073556
6 changed files with 50 additions and 2 deletions
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@ -1034,3 +1034,38 @@ jobs:
          echo "Running tests with --features=$f and --no-default-features"
          cargo test --features=$f --no-default-features
        done
  test_selinux:
    name: Build/SELinux
    needs: [ min_version, deps ]
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        persist-credentials: false
    - uses: dtolnay/rust-toolchain@stable
    - name: Setup Lima
      uses: lima-vm/lima-actions/setup@v1
      id: lima-actions-setup
    - name: Cache ~/.cache/lima
      uses: actions/cache@v4
      with:
        path: ~/.cache/lima
        key: lima-${{ steps.lima-actions-setup.outputs.version }}
    - name: Start Fedora VM with SELinux
      run: limactl start --plain --name=default --cpus=1 --disk=30 --memory=4 --network=lima:user-v2 template://fedora
    - name: Setup SSH
      uses: lima-vm/lima-actions/ssh@v1
    - run: rsync -v -a -e ssh . lima-default:~/work/
    - name: Setup Rust and other build deps in VM
      run: |
        lima sudo dnf install gcc g++ git rustup libselinux-devel clang-devel -y
        lima rustup-init -y --default-toolchain stable
    - name: Verify SELinux Status
      run: |
        lima getenforce
        lima ls -laZ /etc/selinux
    - name: Build and Test with SELinux
      run: |
        lima ls
        lima bash -c "cd work && cargo test --features 'feat_selinux'"
--- a/tests/by-util/test_chcon.rs
+++ b/tests/by-util/test_chcon.rs
@ -527,6 +527,7 @@ fn valid_reference_repeat_flags() {
 }
 #[test]
 #[ignore = "issue #7443"]
 fn valid_reference_repeated_reference() {
    let (dir, mut cmd) = at_and_ucmd!();
--- a/tests/by-util/test_dd.rs
+++ b/tests/by-util/test_dd.rs
@ -4,7 +4,7 @@
 // file that was distributed with this source code.
 // spell-checker:ignore fname, tname, fpath, specfile, testfile, unspec, ifile, ofile, outfile, fullblock, urand, fileio, atoe, atoibm, availible, behaviour, bmax, bremain, btotal, cflags, creat, ctable, ctty, datastructures, doesnt, etoa, fileout, fname, gnudd, iconvflags, iseek, nocache, noctty, noerror, nofollow, nolinks, nonblock, oconvflags, oseek, outfile, parseargs, rlen, rmax, rposition, rremain, rsofar, rstat, sigusr, sigval, wlen, wstat abcdefghijklm abcdefghi nabcde nabcdefg abcdefg fifoname seekable
-#[cfg(unix)]
+#[cfg(all(unix, not(feature = "feat_selinux")))]
 use crate::common::util::run_ucmd_as_root_with_stdin_stdout;
 use crate::common::util::TestScenario;
 #[cfg(all(not(windows), feature = "printf"))]
@ -1552,6 +1552,8 @@ fn test_nocache_file() {
 #[test]
 #[cfg(unix)]
 #[cfg(not(feature = "feat_selinux"))]
 // Disabled on SELinux for now
 fn test_skip_past_dev() {
    // NOTE: This test intends to trigger code which can only be reached with root permissions.
    let ts = TestScenario::new(util_name!());
@ -1573,6 +1575,7 @@ fn test_skip_past_dev() {
 #[test]
 #[cfg(unix)]
 #[cfg(not(feature = "feat_selinux"))]
 fn test_seek_past_dev() {
    // NOTE: This test intends to trigger code which can only be reached with root permissions.
    let ts = TestScenario::new(util_name!());
--- a/tests/by-util/test_df.rs
+++ b/tests/by-util/test_df.rs
@ -285,6 +285,7 @@ fn test_type_option() {
 #[test]
 #[cfg(not(any(target_os = "freebsd", target_os = "windows")))] // FIXME: fix test for FreeBSD & Win
 #[cfg(not(feature = "feat_selinux"))]
 fn test_type_option_with_file() {
    let fs_type = new_ucmd!()
        .args(&["--output=fstype", "."])
--- a/tests/by-util/test_ls.rs
+++ b/tests/by-util/test_ls.rs
@ -1102,6 +1102,8 @@ fn test_ls_long() {
 #[cfg(not(windows))]
 #[test]
 #[cfg(not(feature = "feat_selinux"))]
 // Disabled on the SELinux runner for now
 fn test_ls_long_format() {
    let scene = TestScenario::new(util_name!());
    let at = &scene.fixtures;
@ -1474,6 +1476,8 @@ fn test_ls_long_total_size() {
 }
 #[test]
 #[cfg(not(feature = "feat_selinux"))]
 // Disabled on the SELinux runner for now
 fn test_ls_long_formats() {
    let scene = TestScenario::new(util_name!());
    let at = &scene.fixtures;
@ -2749,6 +2753,8 @@ fn test_ls_color() {
 #[cfg(unix)]
 #[test]
 #[cfg(not(feature = "feat_selinux"))]
 // Disabled on the SELinux runner for now
 fn test_ls_inode() {
    let scene = TestScenario::new(util_name!());
    let at = &scene.fixtures;
@ -5279,6 +5285,8 @@ fn test_acl_display() {
 // setting is also configured).
 #[cfg(unix)]
 #[test]
 #[cfg(not(feature = "feat_selinux"))]
 // Disabled on the SELinux runner for now
 fn test_ls_color_norm() {
    let scene = TestScenario::new(util_name!());
    let at = &scene.fixtures;
--- a/tests/by-util/test_runcon.rs
+++ b/tests/by-util/test_runcon.rs
@ -51,7 +51,7 @@ fn invalid() {
        "unconfined_u:unconfined_r:unconfined_t:s0",
        "inexistent-file",
    ];
-    new_ucmd!().args(args).fails_with_code(1);
+    new_ucmd!().args(args).fails_with_code(127);
    let args = &["invalid", "/bin/true"];
    new_ucmd!().args(args).fails_with_code(1);