From dedd712dd9b4883678765b9bc1a8ac349cf24f3b Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Tue, 9 Jul 2024 12:26:11 +0200
Subject: TEST-06-SELINUX: Various fixes

- Stop installing the policy in the initramfs as it's not really
supported anyway (https://github.com/fedora-selinux/selinux-policy/issues/2221)
- Stop relabeling on first boot and prefer to do it at image build time
- Disable mkosi relabeling by default but enable it in CI
- Build image as root in CI so the SELinux relabeling works properly
---
 mkosi.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'mkosi.conf')

diff --git a/mkosi.conf b/mkosi.conf
index c90f5bfc77..96fb992497 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -11,7 +11,6 @@ BuildDirectory=build/mkosi.builddir
 CacheDirectory=build/mkosi.cache
 
 [Content]
-SELinuxRelabel=no
 BuildSourcesEphemeral=yes
 Autologin=yes
 
@@ -24,6 +23,10 @@ ExtraTrees=
 Environment=
         SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
 
+# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
+# and results in lots of errors when building images as a regular user.
+SELinuxRelabel=no
+
 # Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
 # various scenarios. Consider adding support for a credential instead if possible and using that.
 KernelCommandLine=systemd.crash_shell
-- 
cgit v1.2.3