e2e:must-gather: test gather_selinux

add an e2e to validate script collection format and collected data integrety.

Signed-off-by: Talor Itzhak <[email protected]>

Author: Tal-or

go.mod

@@ -39,6 +39,8 @@ require (
 	sigs.k8s.io/yaml v1.4.0
 )
 
+require github.com/opencontainers/selinux v1.13.1
+
 require (
 	github.com/OneOfOne/xxhash v1.2.9-0.20201014161131-8506fca4db5e // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
@@ -49,6 +51,7 @@ require (
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/coreos/vcontext v0.0.0-20231102161604-685dc7299dc5 // indirect
+	github.com/cyphar/filepath-securejoin v0.5.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect

go.sum

@@ -25,6 +25,8 @@ github.com/coreos/vcontext v0.0.0-20231102161604-685dc7299dc5 h1:sMZSC2BW5LKCdvN
 github.com/coreos/vcontext v0.0.0-20231102161604-685dc7299dc5/go.mod h1:Salmysdw7DAVuobBW/LwsKKgpyCPHUhjyJoMJD+ZJiI=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
+github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -140,6 +142,8 @@ github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg
 github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
 github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
+github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/openshift-kni/debug-tools v0.2.5 h1:YDHniE7pvEnveQPXPP2TOHcWbPzfpbcPsMJ2wu4vAEk=
 github.com/openshift-kni/debug-tools v0.2.5/go.mod h1:kBoANbhBO3X7qXwrve0dcEtAM97Enrm7mF58p8RLLJI=
 github.com/openshift/api v0.0.0-20250305013520-e7f23be12279 h1:eYvpiSNyNl7P7kmtNH0d6zAMLlrziyz370m0q1tggJE=

test/e2e/must-gather/must_gather_test.go

@@ -24,8 +24,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"strings"
 	"time"
 
+	"github.com/opencontainers/selinux/go-selinux"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 
@@ -184,6 +187,93 @@ var _ = Describe("[must-gather] NRO data collected", func() {
 				Expect(podFolderNames).To(ContainElement(MatchRegexp("^secondary-scheduler*")))
 			}
 		})
+
+		It("check SELinux data files have been collected", func(ctx context.Context) {
+			destDirContent, err := os.ReadDir(destDir)
+			Expect(err).NotTo(HaveOccurred(), "unable to read contents from destDir:%s. error: %w", destDir, err)
+
+			for _, content := range destDirContent {
+				if !content.IsDir() {
+					continue
+				}
+				mgContentFolder := filepath.Join(destDir, content.Name())
+
+				By(fmt.Sprintf("Checking Folder: %q", mgContentFolder))
+				By("Looking for SELinux info directory")
+
+				selinuxInfoFolder := filepath.Join(mgContentFolder, "selinux_info")
+				_, err = os.Stat(selinuxInfoFolder)
+				Expect(err).ToNot(HaveOccurred(), "selinux_info directory should exist")
+
+				selinuxDirContent, err := os.ReadDir(selinuxInfoFolder)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(selinuxDirContent).ToNot(BeEmpty(), "selinux_info directory should contain node directories")
+
+				// Check each node directory
+				for _, nodeDir := range selinuxDirContent {
+					if !nodeDir.IsDir() {
+						// We expect only directories in selinux_info, but check defensively
+						By(fmt.Sprintf("Warning: unexpected non-directory item in selinux_info: %s", nodeDir.Name()))
+						continue
+					}
+
+					nodeName := nodeDir.Name()
+					nodeSelinuxFolder := filepath.Join(selinuxInfoFolder, nodeName)
+					By(fmt.Sprintf("Checking SELinux data for node: %s", nodeName))
+
+					// Check required files exist
+					requiredFiles := []string{
+						"contexts",
+						"kubelet.service",
+						"audit_selinux.log",
+						"audit_podresources.log",
+					}
+					err = checkfilesExist(requiredFiles, nodeSelinuxFolder)
+					Expect(err).ToNot(HaveOccurred(), "required SELinux files should exist for node %s", nodeName)
+
+					// Verify contexts file contains kubelet.sock SELinux context
+					By(fmt.Sprintf("Verifying kubelet.sock SELinux context for node: %s", nodeName))
+					contextsFile := filepath.Join(nodeSelinuxFolder, "contexts")
+					contextsData, err := os.ReadFile(contextsFile)
+					Expect(err).ToNot(HaveOccurred())
+
+					contextsContent := string(contextsData)
+
+					// Parse SELinux context from the kubelet.sock line using official selinux package
+					By(fmt.Sprintf("Parsing SELinux context for kubelet.sock on node: %s", nodeName))
+					found := false
+					for _, line := range strings.Split(contextsContent, "\n") {
+						if strings.Contains(line, "/var/lib/kubelet/pod-resources/kubelet.sock") {
+							// Extract SELinux context from ls -Z output (format: "context filename")
+							parts := strings.Fields(line)
+							if len(parts) >= 2 {
+								selinuxLabel := parts[0]
+								context, err := selinux.NewContext(selinuxLabel)
+								Expect(err).ToNot(HaveOccurred(), "should parse SELinux context: %s", selinuxLabel)
+
+								// Check that the type field contains kubelet_var_lib_t
+								contextType := context["type"]
+								Expect(contextType).To(Equal("kubelet_var_lib_t"), "kubelet.sock should have kubelet_var_lib_t SELinux context type, got: %s", contextType)
+
+								By(fmt.Sprintf("Found valid SELinux context for kubelet.sock: %s (type: %s)", selinuxLabel, contextType))
+								found = true
+								break
+							}
+						}
+					}
+					Expect(found).To(BeTrue(), "should find kubelet.sock with valid SELinux context in contexts file")
+
+					// Verify kubelet.service file has content
+					By(fmt.Sprintf("Verifying kubelet.service content for node: %s", nodeName))
+					kubeletServiceFile := filepath.Join(nodeSelinuxFolder, "kubelet.service")
+					kubeletServiceData, err := os.ReadFile(kubeletServiceFile)
+					Expect(err).ToNot(HaveOccurred())
+
+					kubeletServiceContent := string(kubeletServiceData)
+					Expect(kubeletServiceContent).To(ContainSubstring("/usr/sbin/restorecon"), "kubelet.service should contain restorecon command in ExecStartPre")
+				}
+			}
+		})
 	})
 })