ci: switch to permissive selinux mode during test

Signed-off-by: Adrian Reber <areber@redhat.com>
2026-01-23 02:14:37 +00:00 · 2023-11-29 14:56:41 +00:00 · 2023-11-29 14:56:41 +00:00 · 088390ea89
commit 088390ea89
parent 900909d95e
1 changed files with 8 additions and 0 deletions
--- a/scripts/ci/run-ci-tests.sh
+++ b/scripts/ci/run-ci-tests.sh
@ -292,10 +292,18 @@ if capsh --supports=cap_checkpoint_restore && unshare -c /bin/true; then
 	make -C test/zdtm/ cleanout
 	rm -rf test/dump
 	setcap cap_checkpoint_restore,cap_sys_ptrace+eip criu/criu
+	if [ -d /sys/fs/selinux ]; then
+		# Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back.
+		selinuxmode=$(getenforce)
+		setenforce Permissive
+	fi
 	# Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore
 	# under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
 	# otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
 	sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true"
+	if [ -d /sys/fs/selinux ]; then
+		setenforce "$selinuxmode"
+	fi
 	setcap -r criu/criu
 else
 	echo "Skipping unprivileged mode tests"