tests: add custom selinux policy test and restorecon checks

Verify that deployments have correct selinux labels from the
base image. Also ensure that if a custom policy is added in a
Containerfile, the resulting deployment has the expected
labels as well.

Assisted by Claude Code

Signed-off-by: Joseph Marrero Corchado <[email protected]>

Author: jmarrero

tmt/plans/integration.fmf

@@ -53,3 +53,11 @@ execute:
     how: fmf
     test:
         - /tmt/tests/test-25-soft-reboot
+
+/test-26-custom-selinux-policy:
+  summary: Execute restorecon test on system with custom selinux policy
+  discover:
+    how: fmf
+    test:
+        - /tmt/tests/bootc-install-provision
+        - /tmt/tests/test-26-custom-selinux-policy

tmt/tests/booted/readonly/025-test-restorecon.nu

@@ -0,0 +1,23 @@
+use std assert
+use tap.nu
+
+# Test each directory separately for better granularity
+let directories = ["/boot", "/etc", "/var"]
+
+for dir in $directories {
+    tap begin $"Run restorecon on ($dir)"
+
+    # Run restorecon on single directory and capture trimmed output
+    let out = (restorecon -vnr $dir | str trim)
+
+    if $dir == "/boot" {
+        # /boot is expected to have incorrect labels - known issue
+        # See: https://github.com/bootc-dev/bootc/issues/1622
+        print $"Note: /boot restorecon output (expected): ($out)"
+    } else {
+        # Assert it's empty for other directories
+        assert equal $out "" $"restorecon run found incorrect labels in ($dir): ($out)"
+    }
+
+    tap ok
+}

tmt/tests/booted/test-custom-selinux-policy.nu

@@ -0,0 +1,53 @@
+# Verify that correct labels are applied after a deployment
+use std assert
+use tap.nu
+
+# This code runs on *each* boot.
+# Here we just capture information.
+bootc status
+
+# Run on the first boot
+def initial_build [] {
+    tap begin "local image push + pull + upgrade"
+
+    let td = mktemp -d
+    cd $td
+
+    bootc image copy-to-storage
+
+    # A simple derived container that customizes selinux policy for random dir
+    "FROM localhost/bootc
+RUN mkdir /usr/lib/opt123 && echo "/usr/lib/opt123 /opt" > /usr/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
+" | save Dockerfile
+    # Build it
+    podman build -t localhost/bootc-derived .
+
+    bootc switch --soft-reboot=auto --transport containers-storage localhost/bootc-derived
+    
+    assert (not ("/usr/lib/opt123" | path exists))
+
+    # https://tmt.readthedocs.io/en/stable/stories/features.html#reboot-during-test
+    tmt-reboot
+}
+
+# The second boot; verify we're in the derived image and directory has correct selinux label
+def second_boot [] {
+    tap begin "Verify directory exists and has correct SELinux label"
+
+    assert ("/usr/lib/opt123" | path exists)
+
+    # Verify the directory has the correct SELinux label (opt_t)
+    let label = (ls -Z /usr/lib/opt123 | get security_context | first)
+    assert ($label | str contains "opt_t") $"Expected opt_t label, got: ($label)"
+
+    tap ok
+}
+
+def main [] {
+    # See https://tmt.readthedocs.io/en/stable/stories/features.html#reboot-during-test
+    match $env.TMT_REBOOT_COUNT? {
+        null | "0" => initial_build,
+        "1" => second_boot,
+        $o => { error make { msg: $"Invalid TMT_REBOOT_COUNT ($o)" } },
+    }
+}

tmt/tests/test-26-custom-selinux-policy.fmf

@@ -0,0 +1,3 @@
+summary: Execute soft reboot test
+test: nu booted/test-custom-selinux-policy.nu
+duration: 30m