add selinux debug

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Oct 12, 2023 · 4c18d93 · 4c18d93
1 parent 6576995
commit 4c18d93
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -79,7 +79,7 @@ task:
     CIRRUS_WORKING_DIR: /home/runc
     GO_VERSION: "1.20"
     BATS_VERSION: "v1.9.0"
-    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
+    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: centos-7
@@ -171,6 +171,11 @@ task:
     df -T
     # -----
     cat /proc/cpuinfo
+  setlinux_label_script: |
+    if selinuxenabled; then
+      chcon -u system_u -r object_r -t container_runtime_exec_t "$ROOT"/runc
+      ls -lZ "$ROOT"/runc
+    fi
   check_config_script: |
     /home/runc/script/check-config.sh
   unit_tests_script: |

diff --git a/tests/rootless.sh b/tests/rootless.sh
@@ -178,6 +178,12 @@ for enabled_features in $features_powerset; do
 		"$hook_func"
 	done
 
+	# Save the start date and time for ausearch.
+	if command -v ausearch &>/dev/null; then
+		AU_DD="$(date +%x)"
+		AU_TT="$(date +%H:%M:%S)"
+	fi
+
 	# Run the test suite!
 	echo "path: $PATH"
 	export ROOTLESS_FEATURES="$enabled_features"
@@ -189,5 +195,11 @@ for enabled_features in $features_powerset; do
 	else
 		sudo -HE -u rootless PATH="$PATH" "$(which bats)" -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
 	fi
+
+	# Show any avc denials.
+	if [[ -v AU_DD && -v AU_TT ]]; then
+		ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
+	fi
+
 	cleanup
 done