tests: add tests for systemd + kubernetes_file_t labels

Adds two tests for the ability of `systemd` to read and watch files labeled with `kubernetes_file_t`. See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418 See: coreos/fedora-coreos-tracker#861 See: containers/container-selinux#135
coreos · Jun 23, 2021 · 5da2969 · 5da2969
1 parent bed3837
commit 5da2969
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 1 deletion.
diff --git a/tests/kola/misc-ign-ro/config.fcc b/tests/kola/misc-ign-ro/config.fcc
@@ -1,6 +1,12 @@
 variant: fcos
-version: 1.1.0
+version: 1.2.0
 storage:
+  directories:
+    # This is for verifying that `kubernetes_file_t` labeled files can be
+    # watched by systemd
+    # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+    # See: https://github.com/containers/container-selinux/issues/135
+    - path: /etc/kubernetes
   files:
     - path: /etc/systemd/zram-generator.conf
       mode: 0644
@@ -33,3 +39,49 @@ storage:
           AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt
           9g==
           -----END CERTIFICATE-----
+    - path: /etc/kubernetes/envfile
+      # This is for verifying that `kubernetes_file_t` labeled files can be
+      # read by systemd
+      # See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+      mode: 0644
+      contents:
+        inline: |
+          KUBE="FCOS"
+systemd:
+  units:
+    - name: kube-env.service
+      # This is for verifying that `kubernetes_file_t` labeled files can be
+      # read by systemd
+      # See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+      enabled: true
+      contents: |
+        [Service]
+        EnvironmentFile=/etc/kubernetes/envfile
+        ExecStart=/usr/bin/echo ${KUBE}
+        RemainAfterExit=yes
+        Type=oneshot
+        [Install]
+        WantedBy=multi-user.target
+    - name: kube-watch.service
+      # This is for verifying that `kubernetes_file_t` labeled files can be
+      # watched by systemd
+      # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+      # See: https://github.com/containers/container-selinux/issues/135
+      contents: |
+        [Service]
+        ExecStart=/usr/bin/echo "Found it"
+        RemainAfterExit=yes
+        Type=oneshot
+        [Install]
+        WantedBy=multi-user.target
+    - name: kube-watch.path
+      # This is for verifying that `kubernetes_file_t` labeled files can be
+      # watched by systemd
+      # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+      # See: https://github.com/containers/container-selinux/issues/135
+      enabled: true
+      contents: |
+        [Path]
+        PathExists=/etc/kubernetes/kubeconfig
+        [Install]
+        WantedBy=multi-user.target
diff --git a/tests/kola/misc-ign-ro/test.sh b/tests/kola/misc-ign-ro/test.sh
@@ -36,3 +36,42 @@ if [ "$context" != "system_u:object_r:net_conf_t:s0" ]; then
     fatal "SELinux context on stub-resolv.conf is wrong"
 fi
 ok "SELinux context on stub-resolv.conf is correct"
+
+# In order to verify that `kubernetes_file_t` labeled files can be read by
+# systemd, we check to see if the `kube-env` service started successfully
+# and that the service wrote to the journal successfully.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+if [ "$(systemctl is-failed kube-env.service)" != "active" ]; then
+    fatal "kube-env.service failed unexpectedly"
+fi
+ok "kube-env.service successfully started"
+
+# Verify that 'FCOS' was wrtitten to the journal
+if [ "$(journalctl -o cat -u kube-env.service | sed -n 2p)" != "FCOS" ]; then
+    fatal "kube-env.service did not write 'FCOS' to journal"
+fi
+ok "kube-env.service ran and wrote 'FCOS' to the journal"
+
+# This is for verifying that `kubernetes_file_t` labeled files can be
+# watched by systemd
+# See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+# See: https://github.com/containers/container-selinux/issues/135
+if [ "$(systemctl is-active kube-watch.path)" != "active" ]; then
+    fatal "kube-watch.path did not activate successfully"
+fi
+ok "kube-watch.path successfully activated"
+
+if [ "$(touch /etc/kubernetes/kubeconfig)" ]; then
+    fatal "Unable to create /etc/kubernetes/kubeconfig"
+fi
+ok "successfully created /etc/kubernetes/kubeconfig"
+
+if [ "$(systemctl is-active kube-watch.service)" != "active" ]; then
+    fatal "kube-watch.service did not successfully activate"
+fi
+ok "kube-watch.service activated successfully"
+
+if [ "$(journalctl -o cat -u kube-watch.service | sed -n 2p)" != "Found it" ]; then
+    fatal "kube-watch.service did not print message to journal"
+fi
+ok "Found message from kube-watch.service in journal"