From 9eb63104f0ba11a724c888c4c9e7565dc1027860 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 11 Oct 2023 13:24:20 -0700
Subject: [PATCH 1/2] ci/cirrus: run rootless tests on CentOS 7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 .cirrus.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index d79db495a0c..2dbcc5af546 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -190,11 +190,4 @@ task:
       ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes"
     esac
   integration_fs_rootless_script: |
-    case $DISTRO in
-    centos-7)
-      echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs"
-        ;;
-    *)
       ssh -tt localhost "make -C /home/runc localrootlessintegration"
-      ;;
-    esac

From 2d8a55bd80b7349cc235f1d03571488f35099404 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 11 Oct 2023 17:20:32 -0700
Subject: [PATCH 2/2] add selinux debug

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 tests/rootless.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/rootless.sh b/tests/rootless.sh
index 7f0408508ce..8336a041884 100755
--- a/tests/rootless.sh
+++ b/tests/rootless.sh
@@ -164,6 +164,12 @@ features_powerset="$(powerset "${ALL_FEATURES[@]}")"
 # rootless user won't be able to write to $TESTDATA.
 "$ROOT"/tests/integration/get-images.sh >/dev/null
 
+# If SELinux is enabled, fix runc's context.
+if selinuxenabled 2>/dev/null; then
+	chcon -u system_u -r object_r -t container_runtime_exec_t runc
+	ls -lZ runc
+fi
+
 # Iterate over the powerset of all features.
 IFS=:
 idx=0
@@ -178,9 +184,17 @@ for enabled_features in $features_powerset; do
 		"$hook_func"
 	done
 
+	# Save the start date and time for ausearch.
+	if command -v ausearch &>/dev/null; then
+		AU_DD="$(date +%x)"
+		AU_TT="$(date +%H:%M:%S)"
+	fi
+
 	# Run the test suite!
 	echo "path: $PATH"
 	export ROOTLESS_FEATURES="$enabled_features"
+	# Allow the test to fail and use RET.
+	set +e
 	if [ -v RUNC_USE_SYSTEMD ]; then
 		# We use `ssh rootless@localhost` instead of `sudo -u rootless` for creating systemd user session.
 		# Alternatively we could use `machinectl shell`, but it is known not to work well on SELinux-enabled hosts as of April 2020:
@@ -189,5 +203,20 @@ for enabled_features in $features_powerset; do
 	else
 		sudo -HE -u rootless PATH="$PATH" "$(which bats)" -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
 	fi
+	RET=$?
+	set -e
+
+	# Show any avc denials.
+	if [[ -v AU_DD && -v AU_TT ]]; then
+		echo ===========================================
+		ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
+		ls -lR /sys/fs/cgroup/*/runc-cgroups-integration-test
+		echo ===========================================
+	fi
+
 	cleanup
+	if [ $RET -ne 0 ]; then
+		echo "FAILED" >&2
+		exit $RET
+	fi
 done