Merge pull request #9598 from rhatdan/kvm

Check for supportsKVM based on basename of the runtime

1 files changed, 16 insertions, 4 deletions

diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 7482d3e55..215b2832e 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -39,17 +39,17 @@ function check_label() {
 }
 
 @test "podman selinux: container with label=disable" {
-    skip_if_rootless
-
     check_label "--security-opt label=disable" "spc_t"
 }
 
 @test "podman selinux: privileged container" {
-    skip_if_rootless
-
     check_label "--privileged --userns=host" "spc_t"
 }
 
+@test "podman selinux: init container" {
+    check_label "--systemd=always" "container_init_t"
+}
+
 @test "podman selinux: pid=host" {
     # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
     # (this is ugly, but better than an unconditional skip)
@@ -74,6 +74,18 @@ function check_label() {
     check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
 }
 
+@test "podman selinux: inspect kvm labels" {
+    skip_if_no_selinux
+    skip_if_remote "runtime flag is not passed over remote"
+    if [ ! -e /usr/bin/kata-runtime ]; then
+        skip "kata-runtime not available"
+    fi
+
+    run_podman create --runtime=kata --name myc $IMAGE
+    run_podman inspect --format='{{ .ProcessLabel }}' myc
+    is "$output" ".*container_kvm_t.*"
+}
+
 # pr #6752
 @test "podman selinux: inspect multiple labels" {
     skip_if_no_selinux