selinux: run the GNU test too

sylvestre · sylvestre · commit 72ad89d9569d · 2025-03-17T11:09:18.000+01:00
diff --git a/.github/workflows/GnuTests.yml b/.github/workflows/GnuTests.yml
@@ -82,6 +82,44 @@ jobs:
         submodules: false
         persist-credentials: false
 
+    - name: Selinux - Setup Lima
+      uses: lima-vm/lima-actions/setup@v1
+      id: lima-actions-setup
+
+    - name: Selinux - Cache ~/.cache/lima
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/lima
+        key: lima-${{ steps.lima-actions-setup.outputs.version }}
+
+    - name: Selinux - Start Fedora VM with SELinux
+      run: limactl start --plain --name=default --cpus=2 --disk=40 --memory=8 --network=lima:user-v2 template://fedora
+
+    - name: Selinux - Setup SSH
+      uses: lima-vm/lima-actions/ssh@v1
+
+    - name: Selinux - Verify SELinux Status and Configuration
+      run: |
+        lima getenforce
+        lima ls -laZ /etc/selinux
+        lima sudo sestatus
+
+        # Ensure we're running in enforcing mode
+        lima sudo setenforce 1
+        lima getenforce
+
+        # Create test files with SELinux contexts for testing
+        lima sudo mkdir -p /var/test_selinux
+        lima sudo touch /var/test_selinux/test_file
+        lima sudo chcon -t etc_t /var/test_selinux/test_file
+        lima ls -Z /var/test_selinux/test_file  # Verify context
+
+    - name: Selinux - Install dependencies in VM
+      run: |
+        lima sudo dnf -y update
+        lima sudo dnf -y install git autoconf autopoint bison texinfo gperf gcc g++ gdb jq libacl-devel libattr-devel libcap-devel libselinux-devel attr rustup clang-devel texinfo-tex wget automake patch quilt
+        lima rustup-init -y --default-toolchain stable
+
     - name: Override submodule URL and initialize submodules
       # Use github instead of upstream git server
       run: |
@@ -125,12 +163,42 @@ jobs:
         sudo update-locale
         echo "After:"
         locale -a
+
+    - name: Selinux - Copy the sources to VM
+      run: |
+        rsync -a -e ssh . lima-default:~/work/
+
     - name: Build binaries
       shell: bash
       run: |
         ## Build binaries
         cd '${{ steps.vars.outputs.path_UUTILS }}'
         bash util/build-gnu.sh --release-build
+
+    - name: Selinux - Generate selinux tests list
+      run: |
+        # Find and list all tests that require SELinux
+        lima bash -c "cd ~/work/gnu/ && grep -l 'require_selinux_' -r tests/ > ~/work/uutils/selinux-tests.txt"
+        lima bash -c "cd ~/work/uutils/ && cat selinux-tests.txt"
+
+        # Count the tests
+        lima bash -c "cd ~/work/uutils/ && echo 'Found SELinux tests:'; wc -l selinux-tests.txt"
+
+    - name: Selinux - Build for selinux tests
+      run: |
+        lima bash -c "cd ~/work/uutils/ && bash util/build-gnu.sh"
+
+    - name: Selinux - Run selinux tests
+      run: |
+        lima sudo setenforce 1
+        lima getenforce
+        lima cat /proc/filesystems
+        lima bash -c "cd ~/work/uutils/ && bash util/run-gnu-test.sh \$(cat selinux-tests.txt)"
+
+    - name: Selinux - Run selinux tests as root
+      run: |
+        lima bash -c "cd ~/work/uutils/ && CI=1 bash util/run-gnu-test.sh run-root \$(cat selinux-tests.txt)"
+
     - name: Run GNU tests
       shell: bash
       run: |
diff --git a/GNUmakefile b/GNUmakefile
@@ -57,11 +57,16 @@ TOYBOX_ROOT := $(BASEDIR)/tmp
 TOYBOX_VER  := 0.8.8
 TOYBOX_SRC  := $(TOYBOX_ROOT)/toybox-$(TOYBOX_VER)
 
-ifeq ($(SELINUX_ENABLED),)
-	SELINUX_ENABLED := 0
+
+ifdef SELINUX_ENABLED
+	override SELINUX_ENABLED := 0
+# Now check if we should enable it (only on non-Windows)
 	ifneq ($(OS),Windows_NT)
-		ifeq ($(shell /sbin/selinuxenabled 2>/dev/null ; echo $$?),0)
-			SELINUX_ENABLED := 1
+		ifeq ($(shell if [ -x /sbin/selinuxenabled ] && /sbin/selinuxenabled 2>/dev/null; then echo 0; else echo 1; fi),0)
+			override SELINUX_ENABLED := 1
+$(info /sbin/selinuxenabled successful)
+	    else
+$(info SELINUX_ENABLED=1 but /sbin/selinuxenabled failed)
 		endif
 	endif
 endif
diff --git a/util/build-gnu.sh b/util/build-gnu.sh
@@ -240,6 +240,10 @@ sed -i "s/  {ERR_SUBST=>\"s\/(unrecognized|unknown) option \[-' \]\*foobar\[' \]
 
 # Remove the check whether a util was built. Otherwise tests against utils like "arch" are not run.
 sed -i "s|require_built_ |# require_built_ |g" init.cfg
+
+# exit early for the selinux check. The first is enough for us.
+sed -i "s|# Independent of whether SELinux|return 0\n  #|g" init.cfg
+
 # Some tests are executed with the "nobody" user.
 # The check to verify if it works is based on the GNU coreutils version
 # making it too restrictive for us
