@@ -63,6 +63,16 @@ import (
6363// - The test requires SELinuxMountReadWriteOncePod, Feature:SELinuxChangePolicy and SELinuxMount enabled.
6464//
6565// All other feature gate combinations should be invalid.
66+
67+ var (
68+ defaultSELinuxLabels = map [string ]struct { defaultProcessLabel , defaultFileLabel string }{
69+ "debian" : {"svirt_lxc_net_t" , "svirt_lxc_file_t" },
70+ "ubuntu" : {"svirt_lxc_net_t" , "svirt_lxc_file_t" },
71+ // Assume "custom" means Fedora and derivates. `e2e.test --node-os-distro=` does not have "fedora" or "rhel".
72+ "custom" : {"container_t" , "container_file_t" },
73+ }
74+ )
75+
6676var _ = utils .SIGDescribe ("CSI Mock selinux on mount" , func () {
6777 f := framework .NewDefaultFramework ("csi-mock-volumes-selinux" )
6878 f .NamespacePodSecurityLevel = admissionapi .LevelPrivileged
@@ -71,21 +81,22 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
7181 mount := v1 .SELinuxChangePolicyMountOption
7282
7383 f .Context ("SELinuxMount [LinuxOnly]" , feature .SELinux , func () {
84+ processLabel , fileLabel := getDefaultContainerSELinuxLabels ()
7485 // Make sure all options are set so system specific defaults are not used.
7586 seLinuxOpts1 := v1.SELinuxOptions {
7687 User : "system_u" ,
7788 Role : "system_r" ,
78- Type : "container_t" ,
89+ Type : processLabel ,
7990 Level : "s0:c0,c1" ,
8091 }
81- seLinuxMountOption1 := "context=\" system_u:object_r:container_file_t :s0:c0,c1\" "
92+ seLinuxMountOption1 := fmt . Sprintf ( "context=\" system_u:object_r:%s :s0:c0,c1\" " , fileLabel )
8293 seLinuxOpts2 := v1.SELinuxOptions {
8394 User : "system_u" ,
8495 Role : "system_r" ,
85- Type : "container_t" ,
96+ Type : processLabel ,
8697 Level : "s0:c98,c99" ,
8798 }
88- seLinuxMountOption2 := "context=\" system_u:object_r:container_file_t :s0:c98,c99\" "
99+ seLinuxMountOption2 := fmt . Sprintf ( "context=\" system_u:object_r:%s :s0:c98,c99\" " , fileLabel )
89100
90101 tests := []struct {
91102 name string
@@ -259,8 +270,8 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
259270 for _ , t := range tests {
260271 t := t
261272 testFunc := func (ctx context.Context ) {
262- if framework . NodeOSDistroIs ( "windows" ) {
263- e2eskipper .Skipf ("SELinuxMount is only applied on linux nodes -- skipping" )
273+ if processLabel == "" {
274+ e2eskipper .Skipf ("SELinux tests are supported only on %+v" , getSupportedSELinuxDistros () )
264275 }
265276 var nodeStageMountOpts , nodePublishMountOpts []string
266277 var unstageCalls , stageCalls , unpublishCalls , publishCalls atomic.Int32
@@ -406,17 +417,18 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics", func() {
406417
407418 // [Serial]: the tests read global kube-controller-manager metrics, so no other test changes them in parallel.
408419 f .Context ("SELinuxMount metrics [LinuxOnly]" , feature .SELinux , f .WithSerial (), func () {
420+ processLabel , _ := getDefaultContainerSELinuxLabels ()
409421 // Make sure all options are set so system specific defaults are not used.
410422 seLinuxOpts1 := v1.SELinuxOptions {
411423 User : "system_u" ,
412424 Role : "system_r" ,
413- Type : "container_t" ,
425+ Type : processLabel ,
414426 Level : "s0:c0,c1" ,
415427 }
416428 seLinuxOpts2 := v1.SELinuxOptions {
417429 User : "system_u" ,
418430 Role : "system_r" ,
419- Type : "container_t" ,
431+ Type : processLabel ,
420432 Level : "s0:c98,c99" ,
421433 }
422434 recursive := v1 .SELinuxChangePolicyRecursive
@@ -614,12 +626,13 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics", func() {
614626 for _ , t := range tests {
615627 t := t
616628 testFunc := func (ctx context.Context ) {
629+ if processLabel == "" {
630+ e2eskipper .Skipf ("SELinux tests are supported only on %+v" , getSupportedSELinuxDistros ())
631+ }
632+
617633 // Some metrics use CSI driver name as a label, which is "csi-mock-" + the namespace name.
618634 volumePluginLabel := "volume_plugin=\" kubernetes.io/csi/csi-mock-" + f .Namespace .Name + "\" "
619635
620- if framework .NodeOSDistroIs ("windows" ) {
621- e2eskipper .Skipf ("SELinuxMount is only applied on linux nodes -- skipping" )
622- }
623636 grabber , err := e2emetrics .NewMetricsGrabber (ctx , f .ClientSet , nil , f .ClientConfig (), true , false , false , false , false , false )
624637 framework .ExpectNoError (err , "creating the metrics grabber" )
625638
@@ -784,3 +797,18 @@ func addLabels(metricNames sets.Set[string], volumePluginLabel string, accessMod
784797
785798 return ret
786799}
800+
801+ func getDefaultContainerSELinuxLabels () (processLabel string , fileLabel string ) {
802+ defaultLabels := defaultSELinuxLabels [framework .TestContext .NodeOSDistro ]
803+ // This function can return "" for unknown distros!
804+ // SELinux tests should be skipped on those in their ginkgo.It().
805+ return defaultLabels .defaultProcessLabel , defaultLabels .defaultFileLabel
806+ }
807+
808+ func getSupportedSELinuxDistros () []string {
809+ distros := make ([]string , 0 , len (defaultSELinuxLabels ))
810+ for distro := range defaultSELinuxLabels {
811+ distros = append (distros , distro )
812+ }
813+ return distros
814+ }
0 commit comments