test: skip test on rootless cgroupsv1

skip the test "podman selinux: shared context in (some) namespaces" on
cgroupsv1 when running as rootless since the tests requires
--pid=container:.

If the container runtime cannot use cgroupsv1 and the container has no
pid namespace. then it is not possible to correctly terminate the
container.  Without a cgroup or a pid namespace, the runtime has no
control on what processes are in the container.

Closes: https://github.com/containers/podman/issues/11785

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

2 files changed, 16 insertions, 0 deletions

diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 5ee0e0715..0f7c35c65 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -113,6 +113,10 @@ function check_label() {
 @test "podman selinux: shared context in (some) namespaces" {
     skip_if_no_selinux
 
+    # rootless users have no usable cgroups with cgroupsv1, so containers
+    # must use a pid namespace and not join an existing one.
+    skip_if_rootless_cgroupsv1
+
     run_podman run -d --name myctr $IMAGE top
     run_podman exec myctr cat -v /proc/self/attr/current
     context_c1="$output"
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 28ea924bb..666735b0c 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -428,6 +428,18 @@ function skip_if_cgroupsv1() {
     fi
 }
 
+######################
+#  skip_if_rootless_cgroupsv1  #  ...with an optional message
+######################
+function skip_if_rootless_cgroupsv1() {
+    if is_rootless; then
+        if ! is_cgroupsv2; then
+            local msg=$(_add_label_if_missing "$1" "rootless cgroupvs1")
+            skip "${msg:-not supported as rootless under cgroupsv1}"
+        fi
+    fi
+}
+
 ##################################
 #  skip_if_journald_unavailable  #  rhbz#1895105: rootless journald permissions
 ##################################