Merge pull request #2914 from dhellmann/USHIFT-2208-periodic-rpm-stan…

…dard-415

[release-4.15] USHIFT-2208: add periodic test scenario for the standard tests on rpm-based system

packaging/selinux/microshift.fc

@@ -1,10 +1,10 @@
-# vim: sw=8:ts=8:et
-/var/lib/microshift-backups(/.*)?                               gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/microshift.saved(/.*)?                                 gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/microshift(/.*)?                                       gen_context(system_u:object_r:container_var_lib_t,s0)
-/etc/microshift(/.*)?                                           gen_context(system_u:object_r:kubernetes_file_t,s0)
-/usr/lib/microshift(/.*)?                                       gen_context(system_u:object_r:kubernetes_file_t,s0)
-/usr/local/bin/microshift                                   --  gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/bin/microshift                                         --  gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/local/bin/microshift-etcd                              --  gen_context(system_u:object_r:kubelet_exec_t,s0)
-/usr/bin/microshift-etcd                                    --  gen_context(system_u:object_r:kubelet_exec_t,s0)
+#	vim:	sw=8:ts=8:et
+/var/lib/microshift-backups(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/microshift\.saved(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/microshift(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/etc/microshift(/.*)?			gen_context(system_u:object_r:kubernetes_file_t,s0)
+/usr/lib/microshift(/.*)?		gen_context(system_u:object_r:kubernetes_file_t,s0)
+/usr/local/bin/microshift	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/microshift		--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/bin/microshift-etcd	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/microshift-etcd	--	gen_context(system_u:object_r:kubelet_exec_t,s0)

packaging/selinux/microshift.te

@@ -4,8 +4,7 @@ type microshift_t;
 domain_type(microshift_t);
 
 gen_require(`
-    type kubelet_t, var_lib_t, container_var_lib_t, init_exec_t;
-    class file { open read };
+	type kubelet_t, var_lib_t, container_var_lib_t;
 ')
 
 # When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied

test/resources/selinux.py

@@ -1,8 +1,9 @@
-from robot.libraries.BuiltIn import BuiltIn
-from libostree import remote_sudo_rc, remote_sudo
-from typing import List
-from packaging.version import Version
 import re
+from typing import List
+
+from robot.libraries.BuiltIn import BuiltIn
+
+from libostree import remote_sudo, remote_sudo_rc
 
 ACCESS_CHECK_MAP = {
     "/var/lib/microshift/version": ["cat"],
@@ -30,43 +31,6 @@
     ],
 }
 
-# This list should only ever change if we alter the SELinux policy or
-# upstream container linux package changes something in these contexts,
-# those events should be rare. However, if anything changes these contexts, the test should
-# fail so we can decide what that means for MicroShift and update the list then.
-EXPECTED_FCONTEXT_LIST = [
-    "/etc/kubernetes(/.*)?",
-    "/etc/microshift(/.*)?",
-    "/exports(/.*)?",
-    "/usr/bin/microshift",
-    "/usr/bin/microshift-etcd",
-    "/usr/lib/microshift(/.*)?",
-    "/usr/local/bin/microshift",
-    "/usr/local/bin/microshift-etcd",
-    "/usr/local/s?bin/hyperkube.*",
-    "/usr/local/s?bin/kubelet.*",
-    "/usr/s?bin/hyperkube.*",
-    "/usr/s?bin/kubelet.*",
-    "/var/lib/buildkit(/.*)?",
-    "/var/lib/cni(/.*)?",
-    "/var/lib/containerd(/.*)?",
-    "/var/lib/containers(/.*)?",
-    "/var/lib/docker(/.*)?",
-    "/var/lib/docker-latest(/.*)?",
-    "/var/lib/kubelet(/.*)?",
-    "/var/lib/lxc(/.*)?",
-    "/var/lib/lxd(/.*)?",
-    "/var/lib/microshift(/.*)?",
-    "/var/lib/microshift-backups(/.*)?",
-    "/var/lib/microshift.saved(/.*)?",
-    "/var/lib/ocid(/.*)?",
-    "/var/lib/registry(/.*)?",
-]
-
-EXPECTED_FCONTEXT_LIST_EL93 = [
-    "/var/cache/containers(/.*)?",
-]
-
 SOURCE_TARGET_TRANSITION = {
     "container_t": ["container_var_lib_t"]
 }
@@ -78,14 +42,6 @@
 }
 
 
-def get_expected_ocp_microshift_fcontext_list() -> List[str]:
-    host_version = Version(remote_sudo("bash -c 'source /etc/os-release && echo $VERSION_ID'"))
-    if host_version >= Version("9.3"):
-        return EXPECTED_FCONTEXT_LIST + EXPECTED_FCONTEXT_LIST_EL93
-
-    return EXPECTED_FCONTEXT_LIST
-
-
 # Here we care about matching what our SELinux policy says with what the host says for contexts.
 # The contexts that effect us and OCP are `kubernetes_file_t|container_var_lib_t|kubelet_exec_t|container_t`
 # we query and filter for those contexts to validate against our expected list.

test/resources/selinux.resource

@@ -23,7 +23,7 @@ Validate SELinux
     Containers Should Not Have Access To Container Var Lib Labels
     Context Traversal Should Not Gain More Access
     Folders Should Have Expected Fcontext Types
-    Semanage Fcontext Should Have Combined List Of OCP And MicroShift Rules
+    Semanage Fcontext Should Have MicroShift Rules
     Audit Log Should Be Empty For MicroShift
 
 Containers Should Not Have Access To Container Var Lib Labels
@@ -51,13 +51,19 @@ Folders Should Have Expected Fcontext Types
     ${err_list}=    Run Fcontext Check
     Should Be Empty    ${err_list}
 
-Semanage Fcontext Should Have Combined List Of OCP And MicroShift Rules
-    [Documentation]    Validates that the fcontext data is the combined set for
-    ...    OCP and MicroShift
-
+Semanage Fcontext Should Have MicroShift Rules
+    [Documentation]    Validates that the fcontext data includes the MicroShift rules
+    # Refer to ${reporoot}/packaging/selinux/microshift.fc
     ${result}=    Get Fcontext List
-    ${expected}=    Get Expected Ocp Microshift Fcontext List
-    Lists Should Be Equal    ${result}    ${expected}    ignore_order=True
+    List Should Contain Value    ${result}    /etc/microshift(/.*)?
+    List Should Contain Value    ${result}    /usr/bin/microshift
+    List Should Contain Value    ${result}    /usr/bin/microshift-etcd
+    List Should Contain Value    ${result}    /usr/lib/microshift(/.*)?
+    List Should Contain Value    ${result}    /usr/local/bin/microshift
+    List Should Contain Value    ${result}    /usr/local/bin/microshift-etcd
+    List Should Contain Value    ${result}    /var/lib/microshift(/.*)?
+    List Should Contain Value    ${result}    /var/lib/microshift-backups(/.*)?
+    List Should Contain Value    ${result}    /var/lib/microshift\\.saved(/.*)?
 
 Audit Log Should Be Empty For MicroShift
     [Documentation]    Checks that no permission denials have occured during running MicroShift

test/scenarios-periodics/el92-src@rpm-standard1.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+scenario_create_vms() {
+    prepare_kickstart host1 kickstart-liveimg.ks.template ""
+    launch_vm host1 "rhel-9.2-microshift-source-isolated"
+}
+
+scenario_remove_vms() {
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    run_tests host1 suites/standard1
+}

test/scenarios-periodics/el92-src@rpm-standard2.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+scenario_create_vms() {
+    prepare_kickstart host1 kickstart-liveimg.ks.template ""
+    launch_vm host1 "rhel-9.2-microshift-source-isolated"
+}
+
+scenario_remove_vms() {
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    run_tests host1 suites/standard2
+}