authorFrantisek Sumsal <frantisek@sumsal.cz>2023-11-14 12:53:51 +0100
committerFrantisek Sumsal <frantisek@sumsal.cz>2023-11-14 18:54:16 +0100
commit5ef964f88c9702656e848d5757c48dd7ddd03f11 (patch)
tree796bf82e14135338d225af4def98ac658599add6 /test/TEST-06-SELINUX
parenttest: switch SELinux to permissive in the config file (diff)
test: make TEST-06-SELINUX work with the refpolicy and beef it up a bit
Currently the test works only with policy shipped by Fedora, which makes it pretty much useless in most of our CIs. Let's drop the custom module and make the test more generic, so it works with the refpolicy as well, which should allow us to run it on Arch and probably even in Ubuntu CI.
Diffstat (limited to 'test/TEST-06-SELINUX')
-rw-r--r--test/TEST-06-SELINUX/systemd_test.fc2
-rw-r--r--test/TEST-06-SELINUX/systemd_test.if9
-rw-r--r--test/TEST-06-SELINUX/systemd_test.te51
-rwxr-xr-xtest/TEST-06-SELINUX/test.sh60
4 files changed, 19 insertions, 103 deletions
diff --git a/test/TEST-06-SELINUX/systemd_test.fc b/test/TEST-06-SELINUX/systemd_test.fc
deleted file mode 100644
index 2aa442ce77..0000000000
--- a/test/TEST-06-SELINUX/systemd_test.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-/usr/lib/systemd/tests/testdata/testsuite-06\.units(/.*)? system_u:object_r:systemd_unit_file_t:s0
diff --git a/test/TEST-06-SELINUX/systemd_test.if b/test/TEST-06-SELINUX/systemd_test.if
deleted file mode 100644
index 1e74e1d749..0000000000
--- a/test/TEST-06-SELINUX/systemd_test.if
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-template(`systemd_test_base_template', `
- gen_require(`
- attribute systemd_test_domain_type;
- ')
-
- type $1_t, systemd_test_domain_type;
- domain_type($1_t)
-')
diff --git a/test/TEST-06-SELINUX/systemd_test.te b/test/TEST-06-SELINUX/systemd_test.te
deleted file mode 100644
index 43dbf3e8f4..0000000000
--- a/test/TEST-06-SELINUX/systemd_test.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-policy_module(systemd_test, 0.0.1)
-
-# declarations
-attribute systemd_test_domain_type;
-
-systemd_test_base_template(systemd_test)
-systemd_test_base_template(systemd_test_status)
-systemd_test_base_template(systemd_test_start)
-systemd_test_base_template(systemd_test_stop)
-systemd_test_base_template(systemd_test_reload)
-
-# systemd_test_domain_type
-
-require {
- role system_r;
- role unconfined_r;
- type bin_t;
- type initrc_t;
- type systemd_systemctl_exec_t;
- type unconfined_service_t;
-}
-
-role system_r types systemd_test_domain_type;
-role unconfined_r types systemd_test_domain_type;
-
-allow systemd_test_domain_type bin_t: file entrypoint;
-allow systemd_test_domain_type systemd_systemctl_exec_t: file entrypoint;
-allow initrc_t systemd_test_domain_type: process transition;
-allow unconfined_service_t systemd_test_domain_type: process transition;
-corecmd_exec_bin(systemd_test_domain_type)
-init_signal_script(systemd_test_domain_type)
-init_sigchld_script(systemd_test_domain_type)
-systemd_exec_systemctl(systemd_test_domain_type)
-userdom_use_user_ttys(systemd_test_domain_type)
-userdom_use_user_ptys(systemd_test_domain_type)
-
-optional_policy(`
- dbus_system_bus_client(systemd_test_domain_type)
- init_dbus_chat(systemd_test_domain_type)
-')
-
-# systemd_test_*_t
-require {
- type systemd_unit_file_t;
-}
-
-allow systemd_test_status_t systemd_unit_file_t: service { status };
-allow systemd_test_start_t systemd_unit_file_t: service { start };
-allow systemd_test_stop_t systemd_unit_file_t: service { stop };
-allow systemd_test_reload_t systemd_unit_file_t: service { reload };
diff --git a/test/TEST-06-SELINUX/test.sh b/test/TEST-06-SELINUX/test.sh
index c7eaae8ab4..384101577f 100755
--- a/test/TEST-06-SELINUX/test.sh
+++ b/test/TEST-06-SELINUX/test.sh
@@ -6,60 +6,38 @@ TEST_DESCRIPTION="SELinux tests"
IMAGE_NAME="selinux"
TEST_NO_NSPAWN=1
-# Requirements:
-# A selinux policy is installed. Preferably selinux-policy-targeted, but it could work with others
-# selinux-policy-devel
+if [[ -e /etc/selinux/config ]]; then
+ SEPOLICY="$(awk -F= '/^SELINUXTYPE=/ {print $2; exit}' /etc/selinux/config)"
-# Check if
-# - selinux-policy-devel is installed and
-# - some selinux policy is installed. To keep this generic just check for the
-# existence of a directory below /etc/selinux/, indicating a SELinux policy is
-# installed
-# otherwise bail out early instead of failing
-test -f /usr/share/selinux/devel/include/system/systemd.if && find /etc/selinux -mindepth 1 -maxdepth 1 -not -empty -type d | grep -q . || exit 0
+ # C8S doesn't set SELINUXTYPE in /etc/selinux/config, so default to 'targeted'
+ if [[ -z "$SEPOLICY" ]]; then
+ echo "Failed to parse SELinux policy from /etc/selinux/config, falling back to 'targeted'"
+ SEPOLICY="targeted"
+ fi
+
+ if [[ ! -d "/etc/selinux/$SEPOLICY" ]]; then
+ echo "Missing policy directory /etc/selinux/$SEPOLICY, skipping the test"
+ exit 0
+ fi
+
+ echo "Using SELinux policy '$SEPOLICY'"
+else
+ echo "/etc/selinux/config is missing, skipping the test"
+ exit 0
+fi
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
SETUP_SELINUX=yes
-KERNEL_APPEND="${KERNEL_APPEND:=} selinux=1 security=selinux enforcing=0"
+KERNEL_APPEND="${KERNEL_APPEND:-} selinux=1 enforcing=0 lsm=selinux"
test_append_files() {
local workspace="${1:?}"
- local policy_headers_dir=/usr/share/selinux/devel
- local modules_dir=/var/lib/selinux
setup_selinux
- # Make sure we never expand this to "/..."
- rm -rf "${workspace:?}/$modules_dir"
-
- if ! cp -ar "$modules_dir" "$workspace/$modules_dir"; then
- dfatal "Failed to copy $modules_dir"
- exit 1
- fi
-
- rm -rf "${workspace:?}/$policy_headers_dir"
- inst_dir /usr/share/selinux
-
- if ! cp -ar "$policy_headers_dir" "$workspace/$policy_headers_dir"; then
- dfatal "Failed to copy $policy_headers_dir"
- exit 1
- fi
-
- mkdir "$workspace/systemd-test-module"
- cp -v systemd_test.* "$workspace/systemd-test-module/"
- image_install checkmodule load_policy m4 make sefcontext_compile semodule semodule_package runcon
- image_install -o sesearch
- image_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...
- image_install -o /usr/lib/selinux/hll/pp # Debian/Ubuntu/...
-
# Config file has (unfortunately) always precedence, so let's switch it there as well
sed -i '/^SELINUX=disabled$/s/disabled/permissive/' "$workspace/etc/selinux/config"
-
- if ! chroot "$workspace" make -C /systemd-test-module -f /usr/share/selinux/devel/Makefile clean load systemd_test.pp QUIET=n; then
- dfatal "Failed to build the systemd test module"
- exit 1
- fi
}
do_test "$@"
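Review bot: The new `KERNEL_APPEND` line selects SELinux only through `lsm=selinux`; that parameter exists since Linux 5.1, and the hunk's own comment still mentions C8S as a target, so if any CI kernel predates it the choice of LSM silently falls back to the kernel's built-in default instead of failing loudly. Because the kernel ignores `security=` whenever `lsm=` is present, keeping the removed spelling alongside costs nothing and covers both cases: `KERNEL_APPEND="${KERNEL_APPEND:-} selinux=1 enforcing=0 security=selinux lsm=selinux"`. Separately, the `awk -F= '/^SELINUXTYPE=/ {print $2; exit}'` parse keeps any trailing whitespace, comment or quotes in the value, so a config such as `SELINUXTYPE="targeted"` makes the `/etc/selinux/$SEPOLICY` check fail and the test skip with exit 0 rather than report the misparse; stripping with `gsub(/[[:space:]"]/, "", $2)` before `print` would make the skip path less surprising. It is also worth a one-line comment next to `enforcing=0` that the guest runs permissive, so this test can only surface policy problems as logged AVC denials, not as enforced failures.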