diff --git a/hack/e2e/centos9.yaml b/hack/e2e/centos9.yaml
index 4ca440d..02eb772 100644
--- a/hack/e2e/centos9.yaml
+++ b/hack/e2e/centos9.yaml
@@ -24,4 +24,4 @@ provision:
 script: |
 #!/bin/sh
- yum in -y git container-selinux
+ yum in -y git container-selinux setools
diff --git a/hack/e2e/setup-vm.sh b/hack/e2e/setup-vm.sh
index aa9a26f..4b5686f 100755
--- a/hack/e2e/setup-vm.sh
+++ b/hack/e2e/setup-vm.sh
@@ -103,13 +103,44 @@ function E2E(){
 echo ""
 }
+function e2eRancherMonitoring(){
+
+ CHART_CONTAINER_SLTYPE="prom_node_exporter_t"
+ CHART_CONTAINER="node-exporter"
+ CHART_CONTAINER_PID=$(pgrep ${CHART_CONTAINER})
+ CHART_POD=$(kubectl get pods -n cattle-monitoring-system -o custom-columns=NAME:.metadata.name | grep ${CHART_CONTAINER})
+
+ echo "> Verify the presence of ${CHART_CONTAINER_SLTYPE}"
+ if [[ "$(seinfo -t ${CHARTCHART_CONTAINER_SLTYPE})" == "prom_node_exporter_t" ]]; then
+ echo "SELinux type is present: ${SELINUX_TYPE}"
+ else
+ echo "SELinux type is not present: ${SELINUX_TYPE}"
+ fi
+
+ echo "> Verify expected SELinux context type ${CHART_CONTAINER_SLTYPE} for container ${CHART_CONTAINER} (PID: ${CHART_CONTAINER_PID})"
+ SELINUX_TYPE=$(kubectl get pod ${CHART_POD} -n cattle-monitoring-system -o json | jq -r '.spec.securityContext.seLinuxOptions.type')
+ if [[ "${SELINUX_TYPE}" == "prom_node_exporter_t" ]]; then
+ echo "SELinux type is correct: ${SELINUX_TYPE}"
+ else
+ echo "SELinux type is incorrect or not set: ${SELINUX_TYPE}"
+ fi
+
+ echo ">Look for any AVCs related to ${CHART_CONTAINER_SLTYPE}"
+ if ausearch -m AVC,USER_AVC | grep -q ${CHART_CONTAINER_SLTYPE}; then
+ echo "AVCs found for ${CHART_CONTAINER_SLTYPE}"
+ ausearch -m AVC,USER_AVC | grep ${CHART_CONTAINER_SLTYPE}
+ exit 1
+ else
+ echo "No AVCs found for ${CHART_CONTAINER_SLTYPE}"
+}
+
 function main(){
 enforceSELinux
 installDependencies
 installRKE2
 installRancher
 installRancherMonitoring
-
+ e2eRancherMonitoring
 E2E
 }
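Review bot: The `if ausearch …` block at the end of e2eRancherMonitoring is never closed — the function's `}` follows the "No AVCs found" echo with no `fi`, so bash rejects setup-vm.sh with a syntax error at parse time and none of the e2e steps run; add `+  fi` before the closing brace. In the first check, `${CHARTCHART_CONTAINER_SLTYPE}` is a typo for `${CHART_CONTAINER_SLTYPE}`, so `seinfo -t` runs with an empty argument, and the two echoes in that block print `${SELINUX_TYPE}` before it has been assigned. Comparing the whole of `seinfo -t` output against the bare type name is unlikely to match (setools prints a count/header line along with the type, as far as I recall — worth confirming), and a missing type or a wrong pod `seLinuxOptions.type` only echo a message without failing, so the monitoring-confinement check can silently pass while the only hard failure is the AVC scan. The unquoted `${CHART_CONTAINER}` / `${CHART_CONTAINER_SLTYPE}` expansions in pgrep/grep should be quoted, and `CHART_POD` may hold several names if more than one node-exporter pod matches, which would break the `kubectl get pod` call. A rewrite of the check logic is sketched below; the pod-type check keeps its shape and just gains an `exit 1` in its else branch.
```shell
function e2eRancherMonitoring(){
  CHART_CONTAINER_SLTYPE="prom_node_exporter_t"
  CHART_CONTAINER="node-exporter"
  CHART_CONTAINER_PID=$(pgrep -- "${CHART_CONTAINER}")
  CHART_POD=$(kubectl get pods -n cattle-monitoring-system -o custom-columns=NAME:.metadata.name | grep -m1 -- "${CHART_CONTAINER}")

  echo "> Verify the presence of ${CHART_CONTAINER_SLTYPE}"
  if seinfo -t "${CHART_CONTAINER_SLTYPE}" | grep -qw -- "${CHART_CONTAINER_SLTYPE}"; then
    echo "SELinux type is present: ${CHART_CONTAINER_SLTYPE}"
  else
    echo "SELinux type is not present: ${CHART_CONTAINER_SLTYPE}"
    exit 1
  fi

  # … unchanged: pod seLinuxOptions.type check (add `exit 1` to its else branch) …

  echo ">Look for any AVCs related to ${CHART_CONTAINER_SLTYPE}"
  if ausearch -m AVC,USER_AVC | grep -q -- "${CHART_CONTAINER_SLTYPE}"; then
    echo "AVCs found for ${CHART_CONTAINER_SLTYPE}"
    ausearch -m AVC,USER_AVC | grep -- "${CHART_CONTAINER_SLTYPE}"
    exit 1
  else
    echo "No AVCs found for ${CHART_CONTAINER_SLTYPE}"
  fi
}
```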