selinux fixes for varlink (#38404)

- fixes `mac_selinux_unit_access_check_varlink` macro
- more usage of `log_selinux_enforcing_errno()` for consistency

docs/ENVIRONMENT.md

@@ -353,12 +353,13 @@ All tools:
   default is not appropriate for a given system. Defaults to `5`, accepts
   positive integers.
 
-* `$SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_INTERVAL_SEC` — can be set to override the mount
-  units interval rate limit for parsing `/proc/self/mountinfo`. Similar to
-  `$SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST`, the interval limit maybe adjusted when
-  the default is not appropriate for a given system. The default value is 1 and the
-  default application time unit is second, and the time unit can beoverriden as usual
-  by specifying it explicitly, see the systemd.time(7) man page.
+* `$SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_INTERVAL_SEC` — can be set to override the
+  mount units interval rate limit for parsing `/proc/self/mountinfo`. Similar
+  to `$SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST`, the interval limit maybe
+  adjusted when the default is not appropriate for a given system. The default
+  value is 1, the default application time unit is second, and the time unit
+  can be overridden as usual by specifying it explicitly, see the
+  systemd.time(7) man page.
 
 `systemd-remount-fs`:
 

man/loader.conf.xml

@@ -21,47 +21,50 @@
   </refnamediv>
 
   <refsynopsisdiv>
-    <para><filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>,
-    <filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename>
-    <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename>
-    </para>
+    <para><filename><replaceable>ESP</replaceable>/loader/loader.conf</filename></para>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
     <para>
-    <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> will
-    read <filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>, and any files with the
-    <literal>.conf</literal> extension under
-    <filename><replaceable>ESP</replaceable>/loader/entries/</filename> on the EFI system partition (ESP),
-    and <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/</filename> on the extended boot loader
-    partition (XBOOTLDR) as defined by <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader
-    Specification</ulink>.
-    </para>
+    <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> reads
+    <filename><replaceable>ESP</replaceable>/loader/loader.conf</filename>. This file configures whether the
+    menu is shown and for how long, the font, audible beep, types of menu entries to show, the default
+    choice, and some aspects of Secure Boot enrollment and firmware handling. See the list of available
+    options below.</para>
 
-    <para>Each of these configuration files must consist of series of newline (i.e. ASCII code 10) separated
-    lines, each consisting of an option name, followed by whitespace, and the option
-    value. <literal>#</literal> may be used to start a comment line. Empty and comment lines are ignored. The
-    files use UTF-8 encoding.</para>
+    <para>The file uses UTF-8 encoding and consists of series of lines separated by "line feed" (i.e. ASCII
+    code 10). Lines that are empty or start with the comment sign (<literal>#</literal>) are ignored. Other
+    lines consist of an option name, followed by whitespace, and the option value.
+    </para>
 
     <para>Boolean arguments may be written as
-    <literal>yes</literal>/<literal>y</literal>/<literal>true</literal>/<literal>t</literal>/<literal>on</literal>/<literal>1</literal> or
+    <literal>yes</literal>/<literal>y</literal>/<literal>true</literal>/<literal>t</literal>/<literal>on</literal>/<literal>1</literal>
+    or
     <literal>no</literal>/<literal>n</literal>/<literal>false</literal>/<literal>f</literal>/<literal>off</literal>/<literal>0</literal>.
     </para>
+
+    <para>Note: <command>systemd-boot</command> will also read boot loader entry files,
+    type #1 (<filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename> and
+    <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename>)
+    and type #2 (<filename><replaceable>ESP</replaceable>/EFI/Linux/*.uki</filename>
+    and <filename><replaceable>XBOOTLDR</replaceable>/EFI/Linux/*.uki</filename>).
+    Those files are described by the
+    <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader
+    Specification</ulink>.</para>
+
+    <para>Note: the behaviour of <command>systemd-boot</command> is also influenced by EFI variables. Some of
+    the settings specified in this file can be overridden by those, for example the default boot menu entry
+    or the menu timeouts. See
+    <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+    details.</para>
   </refsect1>
 
   <refsect1>
     <title>Options</title>
 
-    <para>The configuration options supported by
-    <filename><replaceable>ESP</replaceable>/loader/entries/*.conf</filename> and
-    <filename><replaceable>XBOOTLDR</replaceable>/loader/entries/*.conf</filename> files are defined as part
-    of the <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader
-    Specification</ulink>.</para>
-
-    <para>The following configuration are supported by the <filename>loader.conf</filename> configuration
-    file:</para>
+    <para>The following configuration are supported in <filename>loader.conf</filename>:</para>
 
     <variablelist>
       <varlistentry>
@@ -254,8 +257,9 @@
       <varlistentry>
         <term>beep</term>
 
-        <listitem><para>Takes a boolean argument. If timeout enabled beep every second, otherwise beep n times when n-th entry in boot menu is selected (default disabled).
-        Currently, only x86 is supported, where it uses the PC speaker.</para>
+        <listitem><para>Takes a boolean argument. If timeout enabled beep every second, otherwise beep n
+        times when n-th entry in boot menu is selected (default disabled). Currently, only x86 is supported,
+        where it uses the PC speaker.</para>
 
         <xi:include href="version-info.xml" xpointer="v251"/></listitem>
       </varlistentry>
@@ -402,8 +406,8 @@ sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.e
         <listitem><para>Caveat: This feature is experimental, and is likely to be changed (or removed in its
         current form) in a future version of systemd.</para>
 
-        <para>Work around BitLocker requiring a recovery key when the boot loader was
-        updated (disabled by default).</para>
+        <para>Work around BitLocker requiring a recovery key when the boot loader was updated (disabled by
+        default).</para>
 
         <para>Try to detect BitLocker encrypted drives along with an active TPM. If both are found and
         Windows Boot Manager is selected in the boot menu, set the <literal>BootNext</literal> EFI variable
@@ -442,8 +446,11 @@ sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.e
           <varlistentry>
             <term><option>auto</option></term>
             <listitem>
-            <para>Perform the reboot if and only if boot counting is enabled for this entry and the tries left counter wasn't already at 0.</para>
-            <para>This is the default, as it is typically a safe option, that ensures a clean measurement log on each boot attempt, but also does not risk an unbounded reboot loop.</para>
+            <para>Perform the reboot if and only if boot counting is enabled for this entry and the tries
+            left counter wasn't already at 0.</para>
+
+            <para>This is the default, as it is typically a safe option, that ensures a clean measurement log
+            on each boot attempt, but also does not risk an unbounded reboot loop.</para>
             </listitem>
           </varlistentry>
 

man/systemd-boot.xml

@@ -149,6 +149,8 @@
         <term><keycap>d</keycap></term>
         <listitem><para>Make selected entry the default</para>
 
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
         <xi:include href="version-info.xml" xpointer="v239"/></listitem>
       </varlistentry>
 
@@ -164,6 +166,8 @@
         <term><keycap>t</keycap></term>
         <listitem><para>Increase the timeout before default entry is booted</para>
 
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
         <xi:include href="version-info.xml" xpointer="v239"/></listitem>
       </varlistentry>
 
@@ -172,6 +176,8 @@
         <term><keycap>T</keycap></term>
         <listitem><para>Decrease the timeout</para>
 
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
         <xi:include href="version-info.xml" xpointer="v239"/></listitem>
       </varlistentry>
 
@@ -179,6 +185,8 @@
         <term><keycap>r</keycap></term>
         <listitem><para>Change screen resolution, skipping any unsupported modes.</para>
 
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
         <xi:include href="version-info.xml" xpointer="v250"/></listitem>
       </varlistentry>
 
@@ -186,6 +194,8 @@
         <term><keycap>R</keycap></term>
         <listitem><para>Reset screen resolution to firmware or configuration file default.</para>
 
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
         <xi:include href="version-info.xml" xpointer="v250"/></listitem>
       </varlistentry>
 
@@ -280,15 +290,15 @@
     </variablelist>
 
     <para>The boot menu is shown when a non-zero menu timeout has been configured. If the menu timeout has
-    been set to zero, it is sufficient to press any key — before the boot loader initializes — to bring up
-    the boot menu, except for the keys listed immediately above as they directly boot into the selected boot
-    menu item. Note that depending on the firmware implementation the time window where key presses are
-    accepted before the boot loader initializes might be short. If the window is missed, reboot and try
-    again, possibly pressing a suitable key (e.g. the space bar) continuously; on most systems it should be
-    possible to hit the time window after a few attempts. To avoid this problem, consider setting a non-zero
-    timeout, thus showing the boot menu unconditionally. Some desktop environments might offer an option to
-    directly boot into the boot menu, to avoid the problem altogether. Alternatively, use the command line
-    <command>systemctl reboot --boot-loader-menu=0</command> from the shell.</para>
+    been set to zero, hold down a key (<keycap>space</keycap> is recommended) before the boot loader
+    initializes to bring up the boot menu. Note that depending on the firmware implementation the time window
+    where key presses are accepted before the boot loader initializes might be short. If the window is
+    missed, reboot and try again, possibly repeatedly pressing a suitable key; on most systems it should be
+    possible to hit the time window after a few attempts. Keys other than the space bar may be used, except
+    for the keys listed above. If showing the menu on demand doesn't work well, consider setting a non-zero
+    timeout to show the boot menu unconditionally. Some desktop environments might offer an option to boot
+    directly into the boot menu, which also avoids the problem altogether. Alternatively, use the command
+    line <command>systemctl reboot --boot-loader-menu=</command> with a non-zero value from the shell.</para>
 
     <para>In the editor, most keys simply insert themselves, but the following keys
     may be used to perform additional actions:</para>
@@ -389,16 +399,16 @@
   <refsect1>
     <title>EFI Variables</title>
 
-    <para>The following EFI variables are defined, set and read by <command>systemd-boot</command>, under the
-    vendor UUID <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal>, for communication between the boot
-    loader and the OS:</para>
+    <para>The following EFI variables are defined, and may be set or read by <command>systemd-boot</command>
+    for communication between the boot loader and the OS. The vendor UUID
+    <literal>4a67b082-0a4c-41cf-b6c7-440b29bb8c4f</literal> is used in all cases.</para>
 
     <variablelist class='efi-variables'>
       <varlistentry>
         <term><varname>LoaderBootCountPath</varname></term>
-        <listitem><para>If boot counting is enabled, contains the path to the file in whose name the boot counters are
-        encoded. Set by the boot
-        loader. <citerefentry><refentrytitle>systemd-bless-boot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        <listitem><para>If boot counting is enabled, contains the path to the file in whose name the boot
+        counters are encoded. Set by the boot loader.
+        <citerefentry><refentrytitle>systemd-bless-boot.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
         uses this information to mark a boot as successful as determined by the successful activation of the
         <filename>boot-complete.target</filename> target unit.</para>
 
@@ -465,13 +475,13 @@
         <term><varname>LoaderEntrySysFail</varname></term>
         <term><varname>LoaderEntryOneShot</varname></term>
 
-        <listitem><para>The identifier of the default boot loader entry. Set primarily by the OS and read by the boot
+        <listitem><para>The identifier of the default boot loader entry. Can be set in the OS and the boot
         loader. <varname>LoaderEntryOneShot</varname> sets the default entry for the next boot only, while
-        <varname>LoaderEntryDefault</varname> sets it persistently for all future
-        boots. <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
-        <option>set-default</option> and <option>set-oneshot</option> commands make use of these variables. The boot
-        loader modifies <varname>LoaderEntryDefault</varname> on request, when the <keycap>d</keycap> key is used, see
-        above.</para>
+        <varname>LoaderEntryDefault</varname> sets it persistently for all future boots.
+        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+        <option>set-default</option> and <option>set-oneshot</option> commands make use of these variables.
+        The boot loader modifies <varname>LoaderEntryDefault</varname> on request, when the
+        <keycap>d</keycap> key is used, see above.</para>
 
         <xi:include href="version-info.xml" xpointer="v240"/></listitem>
       </varlistentry>

src/bootctl/bootctl-status.c

@@ -83,6 +83,17 @@ static int status_entries(
                 printf(", %s$BOOT%s", ansi_green(), ansi_normal());
         printf(")");
 
+        if (config->loader_conf_status != 0) {
+                assert(esp_path);
+                printf("\n       config: %s%s/%s%s",
+                       ansi_grey(), esp_path, ansi_normal(), "/loader/loader.conf");
+                if (config->loader_conf_status < 0)
+                        printf(": %s%s%s",
+                               config->loader_conf_status == -ENOENT ? ansi_grey() : ansi_highlight_yellow(),
+                               STRERROR(config->loader_conf_status),
+                               ansi_normal());
+        }
+
         if (xbootldr_path) {
                 printf("\n     XBOOTLDR: %s (", xbootldr_path);
                 if (!sd_id128_is_null(xbootldr_partition_uuid))

src/core/selinux-access.c

@@ -156,12 +156,11 @@ static int access_init(sd_bus_error *error) {
         if (avc_open(NULL, 0) != 0) {
                 r = -errno;  /* Save original errno for later */
 
-                bool enforce = security_getenforce() != 0;
-                log_full_errno(enforce ? LOG_ERR : LOG_WARNING, r, "Failed to open the SELinux AVC: %m");
-
-                /* If enforcement isn't on, then let's suppress this error, and just don't do any AVC checks.
-                 * The warning we printed is hence all the admin will see. */
-                if (!enforce)
+                r = log_selinux_enforcing_errno(r, "Failed to open the SELinux AVC: %m");
+                if (r == 0)
+                        /* log_selinux_enforcing_errno() can return 0 if the enforcement isn't on.
+                         * In this case don't do any AVC checks.
+                         * The warning we printed is hence all the admin will see. */
                         return 0;
 
                 /* Return an access denied error based on the original errno, if we couldn't load the AVC but
@@ -347,14 +346,15 @@ int mac_selinux_access_check_varlink_internal(
 
         r = access_init(/* error= */ NULL);
         if (r <= 0)
-                return log_debug_errno(r, "Failed to init SELinux: %m");
+                /* access_init() does log_selinux_enforcing_errno() */
+                return r;
 
         /* delay call until we checked in `access_init()` if SELinux is actually enabled */
         bool enforce = mac_selinux_enforcing();
 
         int fd = sd_varlink_get_fd(link);
         if (fd < 0)
-                return log_debug_errno(fd, "Failed to get varlink peer fd: %m");
+                return log_selinux_enforcing_errno(fd, "Failed to get varlink peer fd: %m");
 
         /* We should call mac_selinux_get_peer_label() here similarly to get_our_contexts().
          * See the explanation there why not. */

src/core/selinux-access.h

@@ -16,4 +16,4 @@ int mac_selinux_access_check_varlink_internal(sd_varlink *link, const Unit *unit
         mac_selinux_access_check_varlink_internal((link), NULL, (permission), __func__)
 
 #define mac_selinux_unit_access_check_varlink(unit, link, permission) \
-        mac_selinux_access_check_bus_internal((link), (unit), (permission), __func__)
+        mac_selinux_access_check_varlink_internal((link), (unit), (permission), __func__)

src/shared/bootspec.c

@@ -533,6 +533,7 @@ static int boot_loader_read_conf_path(BootConfig *config, const char *root, cons
         assert(path);
 
         r = chase_and_fopen_unlocked(path, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, "re", &full, &f);
+        config->loader_conf_status = r < 0 ? r : true;
         if (r == -ENOENT)
                 return 0;
         if (r < 0)

src/shared/bootspec.h

@@ -67,6 +67,8 @@ typedef struct BootEntry {
         }
 
 typedef struct BootConfig {
+        int loader_conf_status;  /* 0 → before loading, 1 → loaded, negative → error. */
+
         char *default_pattern;
 
         char *entry_oneshot;

test/units/TEST-03-JOBS.sh

@@ -17,25 +17,16 @@ systemctl daemon-reexec
 
 systemctl start --no-block hello-after-sleep.target
 
-systemctl list-jobs >/root/list-jobs.txt
-until grep 'sleep\.service.*running' /root/list-jobs.txt; do
-    systemctl list-jobs >/root/list-jobs.txt
-done
-
+timeout 10 bash -c "until systemctl list-jobs | tee /root/list-jobs.txt | grep 'sleep\.service.*running'; do sleep .1; done"
 grep 'hello\.service.*waiting' /root/list-jobs.txt
 
 # This is supposed to finish quickly, not wait for sleep to finish.
-START_SEC=$(date -u '+%s')
-systemctl start --job-mode=ignore-dependencies hello
-END_SEC=$(date -u '+%s')
-ELAPSED=$((END_SEC-START_SEC))
-
-test "$ELAPSED" -lt 3
+timeout 10 systemctl start --job-mode=ignore-dependencies hello
 
 # sleep should still be running, hello not.
 systemctl list-jobs >/root/list-jobs.txt
 grep 'sleep\.service.*running' /root/list-jobs.txt
-grep 'hello\.service' /root/list-jobs.txt && exit 1
+(! grep 'hello\.service' /root/list-jobs.txt)
 systemctl stop sleep.service hello-after-sleep.target
 
 # Some basic testing that --show-transaction does something useful
@@ -62,13 +53,13 @@ ACTIVATING_ID_PRE=$(systemctl show -P InvocationID always-activating.service)
 systemctl -T start always-activating.socket # Wait for the socket to come up
 systemctl -T restart always-activating.socket
 ACTIVATING_ID_POST=$(systemctl show -P InvocationID always-activating.service)
-[ "$ACTIVATING_ID_PRE" != "$ACTIVATING_ID_POST" ] || exit 1
+[[ "$ACTIVATING_ID_PRE" != "$ACTIVATING_ID_POST" ]]
 
 # Test for irreversible jobs
 systemctl start unstoppable.service
 
 # This is expected to fail with 'job cancelled'
-systemctl stop unstoppable.service && exit 1
+(! systemctl stop unstoppable.service)
 # But this should succeed
 systemctl stop --job-mode=replace-irreversibly unstoppable.service
 
@@ -93,27 +84,28 @@ EOF
 
 # wait2 succeeds
 START_SEC=$(date -u '+%s')
-systemctl start --wait wait2.service
+timeout 10 systemctl start --wait wait2.service
 END_SEC=$(date -u '+%s')
 ELAPSED=$((END_SEC-START_SEC))
-[[ "$ELAPSED" -ge 2 ]] && [[ "$ELAPSED" -le 4 ]] || exit 1
+[[ "$ELAPSED" -ge 2 ]]
 
 # wait5fail fails, so systemctl should fail
 START_SEC=$(date -u '+%s')
 (! systemctl start --wait wait2.service wait5fail.service)
 END_SEC=$(date -u '+%s')
 ELAPSED=$((END_SEC-START_SEC))
-[[ "$ELAPSED" -ge 5 ]] && [[ "$ELAPSED" -le 7 ]] || exit 1
+[[ "$ELAPSED" -ge 5 ]]
 
 # Test time-limited scopes
 START_SEC=$(date -u '+%s')
 set +e
-systemd-run --scope --property=RuntimeMaxSec=3s sleep 10
+systemd-run --scope --property=RuntimeMaxSec=3s sleep 30
 RESULT=$?
 END_SEC=$(date -u '+%s')
 ELAPSED=$((END_SEC-START_SEC))
-[[ "$ELAPSED" -ge 3 ]] && [[ "$ELAPSED" -le 5 ]] || exit 1
-[[ "$RESULT" -ne 0 ]] || exit 1
+[[ "$ELAPSED" -ge 3 ]]
+[[ "$ELAPSED" -le 10 ]]
+[[ "$RESULT" -ne 0 ]]
 
 # Test transactions with cycles
 # Provides coverage for issues like https://github.com/systemd/systemd/issues/26872

test/units/TEST-46-HOMED.sh

@@ -6,9 +6,9 @@ set -eux
 set -o pipefail
 
 # Check if homectl is installed, and if it isn't bail out early instead of failing
-if ! test -x /usr/bin/homectl ; then
-        echo "no homed" >/skipped
-        exit 77
+if ! command -v homectl >/dev/null; then
+    echo "no homed" >/skipped
+    exit 77
 fi
 
 inspect() {
@@ -29,19 +29,11 @@ inspect() {
 }
 
 wait_for_exist() {
-    # 2min max
-    for i in {1..60}; do
-        (( i > 1 )) && sleep 2
-        homectl inspect "$1" && break
-    done
+    timeout 2m bash -c "until homectl inspect '${1:?}'; do sleep 2; done"
 }
 
 wait_for_state() {
-    # 2min max
-    for i in {1..60}; do
-        (( i > 1 )) && sleep 2
-        homectl inspect "$1" | grep -qF "State: $2" && break
-    done
+    timeout 2m bash -c "until homectl inspect '${1:?}' | grep -qF 'State: $2'; do sleep 2; done"
 }
 
 FSTYPE="$(stat --file-system --format "%T" /)"
@@ -123,32 +115,32 @@ inspect test-user
 # Do some keyring tests, but only on real kernels, since keyring access inside of containers will fail
 # (See: https://github.com/systemd/systemd/issues/17606)
 if ! systemd-detect-virt -cq ; then
-        PASSWORD=xEhErW0ndafV4s homectl activate test-user
-        inspect test-user
+    PASSWORD=xEhErW0ndafV4s homectl activate test-user
+    inspect test-user
 
-        # Key should now be in the keyring
-        homectl update test-user --real-name "Keyring Test"
-        inspect test-user
+    # Key should now be in the keyring
+    homectl update test-user --real-name "Keyring Test"
+    inspect test-user
 
-        # These commands shouldn't use the keyring
-        (! timeout 5s homectl authenticate test-user )
-        (! NEWPASSWORD="foobar" timeout 5s homectl passwd test-user )
+    # These commands shouldn't use the keyring
+    (! timeout 5s homectl authenticate test-user )
+    (! NEWPASSWORD="foobar" timeout 5s homectl passwd test-user )
 
-        homectl lock test-user
-        inspect test-user
+    homectl lock test-user
+    inspect test-user
 
-        # Key should be gone from keyring
-        (! timeout 5s homectl update test-user --real-name "Keyring Test 2" )
+    # Key should be gone from keyring
+    (! timeout 5s homectl update test-user --real-name "Keyring Test 2" )
 
-        PASSWORD=xEhErW0ndafV4s homectl unlock test-user
-        inspect test-user
+    PASSWORD=xEhErW0ndafV4s homectl unlock test-user
+    inspect test-user
 
-        # Key should have been re-instantiated into the keyring
-        homectl update test-user --real-name "Keyring Test 3"
-        inspect test-user
+    # Key should have been re-instantiated into the keyring
+    homectl update test-user --real-name "Keyring Test 3"
+    inspect test-user
 
-        homectl deactivate test-user
-        inspect test-user
+    homectl deactivate test-user
+    inspect test-user
 fi
 
 # Do some resize tests, but only if we run on real kernels and are on btrfs, as quota inside of containers
@@ -242,13 +234,13 @@ homectl remove test-user
 # blob directory tests
 # See docs/USER_RECORD_BLOB_DIRS.md
 checkblob() {
-        test -f "/var/cache/systemd/home/blob-user/$1"
-        stat -c "%u %#a" "/var/cache/systemd/home/blob-user/$1" | grep "^0 0644"
-        test -f "/home/blob-user/.identity-blob/$1"
-        stat -c "%u %#a" "/home/blob-user/.identity-blob/$1" | grep "^12345 0644"
+    test -f "/var/cache/systemd/home/blob-user/$1"
+    stat -c "%u %#a" "/var/cache/systemd/home/blob-user/$1" | grep "^0 0644"
+    test -f "/home/blob-user/.identity-blob/$1"
+    stat -c "%u %#a" "/home/blob-user/.identity-blob/$1" | grep "^12345 0644"
 
-        diff "/var/cache/systemd/home/blob-user/$1" "$2"
-        diff "/var/cache/systemd/home/blob-user/$1" "/home/blob-user/.identity-blob/$1"
+    diff "/var/cache/systemd/home/blob-user/$1" "$2"
+    diff "/var/cache/systemd/home/blob-user/$1" "/home/blob-user/.identity-blob/$1"
 }
 
 mkdir /tmp/blob1 /tmp/blob2
@@ -640,6 +632,7 @@ EOF
         homedsshtest@localhost env
 
     wait_for_state homedsshtest inactive
+    homectl remove homedsshtest
 fi
 
 NEWPASSWORD=hunter4711 homectl create aliastest --storage=directory --alias=aliastest2 --alias=aliastest3 --realm=myrealm
@@ -665,6 +658,8 @@ getent passwd aliastest@myrealm
 getent passwd aliastest2@myrealm
 getent passwd aliastest3@myrealm
 
+homectl remove aliastest
+
 NEWPASSWORD=quux homectl create tmpfsquota --storage=subvolume --dev-shm-limit=50K --tmp-limit=50K -P
 for p in /dev/shm /tmp; do
     if findmnt -n -o options "$p" | grep -q usrquota; then

test/units/TEST-64-UDEV-STORAGE.sh

@@ -1186,6 +1186,12 @@ EOF
     helper_check_device_units
     # Cleanup
     mdadm -v --stop "$raid_dev"
+
+    # Clear superblocks to make the MD device will not be restarted even if the VM is restarted.
+    # This is a workaround for issue #38240.
+    mdadm -v --zero-superblock --force "${devices[@]}"
+    udevadm settle --timeout=30
+
     # Check if all expected symlinks were removed after the cleanup
     udevadm wait --settle --timeout=30 --removed "${expected_symlinks[@]}"
     helper_check_device_units
@@ -1243,6 +1249,12 @@ testcase_mdadm_lvm() {
     # Cleanup
     lvm vgchange -an "$vgroup"
     mdadm -v --stop "$raid_dev"
+
+    # Clear superblocks to make the MD device will not be restarted even if the VM is restarted.
+    # This is a workaround for issue #38240.
+    mdadm -v --zero-superblock --force "${devices[@]}"
+    udevadm settle --timeout=30
+
     # Check if all expected symlinks were removed after the cleanup
     udevadm wait --settle --timeout=30 --removed "${expected_symlinks[@]}"
     helper_check_device_units