Implement e2e test for Rancher Monitoring SELinux context validation

This commit introduces an end-to-end test `e2eRancherMonitoring` to verify the correct SELinux context is applied to the node-exporter container within the Rancher Monitoring system. The test performs the following checks: * Presence of the `prom_node_exporter_t` SELinux type. * Correct application of the `prom_node_exporter_t` type to the running node-exporter container. * Absence of any AVC denials related to the `prom_node_exporter_t` type.
andypitcher · Feb 21, 2025 · 7b9849a · 7b9849a
1 parent 899faf1
commit 7b9849a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/hack/e2e/centos9.yaml b/hack/e2e/centos9.yaml
@@ -24,4 +24,4 @@ provision:
   script: |
     #!/bin/sh
 
-    yum in -y git container-selinux
+    yum in -y git container-selinux setools
diff --git a/hack/e2e/setup-vm.sh b/hack/e2e/setup-vm.sh
@@ -103,13 +103,44 @@ function E2E(){
     echo "<!-- Execute some RM op here -->"
 }
 
+function e2eRancherMonitoring(){
+
+    CHART_CONTAINER_SLTYPE="prom_node_exporter_t"
+    CHART_CONTAINER="node-exporter"
+    CHART_CONTAINER_PID=$(pgrep ${CHART_CONTAINER})
+    CHART_POD=$(kubectl get pods -n cattle-monitoring-system -o custom-columns=NAME:.metadata.name | grep ${CHART_CONTAINER})
+
+    echo "> Verify the presence of ${CHART_CONTAINER_SLTYPE}"
+    if [[ "$(seinfo -t ${CHARTCHART_CONTAINER_SLTYPE})" == "prom_node_exporter_t" ]]; then
+        echo "SELinux type is present: ${SELINUX_TYPE}"
+    else
+        echo "SELinux type is not present: ${SELINUX_TYPE}"
+    fi
+
+    echo "> Verify expected SELinux context type ${CHART_CONTAINER_SLTYPE} for container ${CHART_CONTAINER} (PID: ${CHART_CONTAINER_PID})"
+    SELINUX_TYPE=$(kubectl get pod ${CHART_POD} -n cattle-monitoring-system -o json | jq -r '.spec.securityContext.seLinuxOptions.type')
+    if [[ "${SELINUX_TYPE}" == "prom_node_exporter_t" ]]; then
+        echo "SELinux type is correct: ${SELINUX_TYPE}"
+    else
+        echo "SELinux type is incorrect or not set: ${SELINUX_TYPE}"
+    fi
+
+    echo ">Look for any AVCs related to ${CHART_CONTAINER_SLTYPE}"
+    if ausearch -m AVC,USER_AVC | grep -q ${CHART_CONTAINER_SLTYPE}; then
+        echo "AVCs found for ${CHART_CONTAINER_SLTYPE}"
+        ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_SLTYPE}
+        exit 1
+    else
+        echo "No AVCs found for ${CHART_CONTAINER_SLTYPE}"
+}
+
 function main(){
     enforceSELinux
     installDependencies
     installRKE2
     installRancher
     installRancherMonitoring
-
+    e2eRancherMonitoring
     E2E
 }