Change SELinux to Permissive and remove PID check verif

andypitcher · Mar 3, 2025 · 3f88d41 · 3f88d41
1 parent 7b60863
commit 3f88d41
Showing 1 changed file with 13 additions and 59 deletions.
diff --git a/hack/e2e/setup-vm.sh b/hack/e2e/setup-vm.sh
@@ -2,12 +2,13 @@
 
 set -euxo pipefail
 
-function enforceSELinux(){
-    echo "> Check SELinux status"
-    # Short circuit if SELinux is not being enforced.
-    getenforce | grep -q Enforcing
-
-    sudo semodule -DB #Remove dontaudits from policy for debugging
+function installRancherPolicy(){
+    echo "> Set SELinux to Permissive mode"
+    # Setting SELinux in Permissive to capture all AVCS generated.
+    sudo setenforce 0
+    #Remove dontaudits from policy for debugging
+    sudo semodule -DB
+    echo "> Install rancher-selinux policy"
     sudo dnf install -y /tmp/rancher-selinux.rpm
 }
 
@@ -130,36 +131,11 @@ function installRancherLogging(){
     kubectl wait --for=condition=ready -n cattle-logging-system pod -l app.kubernetes.io/name=fluentbit --timeout=60s
 }
 
-function E2E(){
-    echo "<!-- Execute some RM op here -->"
-}
-
 function e2eRancherMonitoring(){
 
-    # Wait for node-exporter process
-    timeout_seconds=180  # 2 minutes timeout
-    start_time=$(date +%s)
-
-    while true; do
-      current_time=$(date +%s)
-      elapsed_time=$((current_time - start_time))
-
-      if pgrep node_exporter > /dev/null; then
-        echo "node_exporter process found!"
-        break
-      elif [[ $elapsed_time -ge $timeout_seconds ]]; then
-        echo "Timeout reached. node_exporter process not found after $timeout_seconds seconds."
-        exit 1
-      else
-        echo "node_exporter process not found. Waiting..."
-        sleep 30  # Wait for 30 seconds between checks
-      fi
-    done
-
-    CHART_CONTAINER_EXPECTED_SLTYPE="prom_node_exporter_t"
     CHART_CONTAINER_RUNNING_SLTYPE=""
+    CHART_CONTAINER_EXPECTED_SLTYPE="prom_node_exporter_t"
     CHART_CONTAINER="node-exporter"
-    CHART_CONTAINER_PID=$(pgrep node_exporter)
     CHART_POD_NAMESPACE="cattle-monitoring-system"
     CHART_POD=$(kubectl get pods -n ${CHART_POD_NAMESPACE} -o custom-columns=NAME:.metadata.name | grep ${CHART_CONTAINER})
 
@@ -170,7 +146,7 @@ function e2eRancherMonitoring(){
         echo "SELinux type is not present: ${CHART_CONTAINER_EXPECTED_SLTYPE}"
     fi
 
-    echo "> Verify expected SELinux context type ${CHART_CONTAINER_EXPECTED_SLTYPE} for container ${CHART_CONTAINER} (PID: ${CHART_CONTAINER_PID})"
+    echo "> Verify expected SELinux context type ${CHART_CONTAINER_EXPECTED_SLTYPE} for container ${CHART_CONTAINER}"
     CHART_CONTAINER_RUNNING_SLTYPE=$(kubectl get pod ${CHART_POD} -n ${CHART_POD_NAMESPACE} -o json | jq -r '.spec.securityContext.seLinuxOptions.type')
     if [[ "${CHART_CONTAINER_RUNNING_SLTYPE}" == "${CHART_CONTAINER_EXPECTED_SLTYPE}" ]]; then
         echo "SELinux type is correct: ${CHART_CONTAINER_RUNNING_SLTYPE}"
@@ -179,7 +155,7 @@ function e2eRancherMonitoring(){
     fi
 
     echo ">Look for any AVCs related to ${CHART_CONTAINER_RUNNING_SLTYPE}"
-    if ausearch -m AVC,USER_AVC | grep -q ${CHART_CONTAINER_RUNNING_SLTYPE} > /dev/null; then
+    if ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_RUNNING_SLTYPE} > /dev/null; then
         echo "AVCs found for ${CHART_CONTAINER_RUNNING_SLTYPE}"
         ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_RUNNING_SLTYPE}
         exit 1
@@ -190,30 +166,9 @@ function e2eRancherMonitoring(){
 
 function e2eRancherLogging(){
 
-    # Wait for fluentbit process
-    timeout_seconds=180  # 2 minutes timeout
-    start_time=$(date +%s)
-
-    while true; do
-      current_time=$(date +%s)
-      elapsed_time=$((current_time - start_time))
-
-      if pgrep fluent-bit > /dev/null; then
-        echo "fluent-bit process found!"
-        break
-      elif [[ $elapsed_time -ge $timeout_seconds ]]; then
-        echo "Timeout reached. node_exporter process not found after $timeout_seconds seconds."
-        exit 1
-      else
-        echo "fluentbit process not found. Waiting..."
-        sleep 30  # Wait for 30 seconds between checks
-      fi
-    done
-
-    CHART_CONTAINER_EXPECTED_SLTYPE="rke_logreader_t"
     CHART_CONTAINER_RUNNING_SLTYPE=""
+    CHART_CONTAINER_EXPECTED_SLTYPE="rke_logreader_t"
     CHART_CONTAINER="fluentbit"
-    CHART_CONTAINER_PID=$(pgrep fluent-bit)
     CHART_POD_NAMESPACE="cattle-logging-system"
     CHART_POD=$(kubectl get pods -n ${CHART_POD_NAMESPACE} -o custom-columns=NAME:.metadata.name | grep "${CHART_CONTAINER}")
 
@@ -233,7 +188,7 @@ function e2eRancherLogging(){
     fi
 
     echo ">Look for any AVCs related to ${CHART_CONTAINER_RUNNING_SLTYPE}"
-    if ausearch -m AVC,USER_AVC | grep -q ${CHART_CONTAINER_RUNNING_SLTYPE} > /dev/null; then
+    if ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_RUNNING_SLTYPE} > /dev/null; then
         echo "AVCs found for ${CHART_CONTAINER_RUNNING_SLTYPE}"
         ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_RUNNING_SLTYPE}
         exit 1
@@ -243,15 +198,14 @@ function e2eRancherLogging(){
 }
 
 function main(){
-    enforceSELinux
+    installRancherPolicy
     installDependencies
     installRKE2
     installRancher
     installRancherMonitoring
     installRancherLogging
     e2eRancherMonitoring
     e2eRancherLogging
-    E2E
 }
 
 # This is needed as Rocky does not include it in the PATH,