kola/cluster: add DropLabeledFile for SELinux relabeling

jlebon · openshift-merge-robot · commit 15b9e3e40ae5 · 2020-04-17T11:02:48.000-04:00
As a follow-up to the previous patch, SELinux labeling should be done
before moving the file to its final location so that other apps don't
try to access the file with its label incorrect.
diff --git a/mantle/kola/cluster/cluster.go b/mantle/kola/cluster/cluster.go
@@ -92,8 +92,9 @@ func (t *TestCluster) ListNativeFunctions() []string {
 	return t.NativeFuncs
 }
 
-// DropFile places file from localPath to ~/ on every machine in cluster
-func DropFile(machines []platform.Machine, localPath string) error {
+// DropLabeledFile places file from localPath to ~/ on every machine in
+// cluster, potentially with a custom SELinux label.
+func DropLabeledFile(machines []platform.Machine, localPath, selabel string) error {
 	in, err := os.Open(localPath)
 	if err != nil {
 		return err
@@ -111,13 +112,23 @@ func DropFile(machines []platform.Machine, localPath string) error {
 		if err := platform.InstallFile(in, m, partial); err != nil {
 			return err
 		}
+		if selabel != "" {
+			if out, stderr, err := m.SSH(fmt.Sprintf("sudo chcon -t %s %s.partial", selabel, base)); err != nil {
+				return errors.Wrapf(err, "running chcon on %s.partial: %s: %s", base, out, stderr)
+			}
+		}
 		if out, stderr, err := m.SSH(fmt.Sprintf("mv %[1]s.partial %[1]s", base)); err != nil {
 			return errors.Wrapf(err, "running mv %[1]s.partial %[1]s: %s: %s", base, out, stderr)
 		}
 	}
 	return nil
 }
 
+// DropFile places file from localPath to ~/ on every machine in cluster
+func DropFile(machines []platform.Machine, localPath string) error {
+	return DropLabeledFile(machines, localPath, "")
+}
+
 // SSH runs a ssh command on the given machine in the cluster. It differs from
 // Machine.SSH in that stderr is written to the test's output as a 'Log' line.
 // This ensures the output will be correctly accumulated under the correct
diff --git a/mantle/kola/harness.go b/mantle/kola/harness.go
@@ -815,17 +815,9 @@ func scpKolet(machines []platform.Machine) error {
 	} {
 		kolet := filepath.Join(d, "kolet")
 		if _, err := os.Stat(kolet); err == nil {
-			if err := cluster.DropFile(machines, kolet); err != nil {
+			if err := cluster.DropLabeledFile(machines, kolet, "bin_t"); err != nil {
 				return errors.Wrapf(err, "dropping kolet binary")
 			}
-			// If in the future we want to care about machines without SELinux, let's
-			// do basically test -d /sys/fs/selinux or run `getenforce`.
-			for _, machine := range machines {
-				out, stderr, err := machine.SSH("sudo chcon -t bin_t kolet")
-				if err != nil {
-					return errors.Wrapf(err, "running chcon on kolet: %s: %s", out, stderr)
-				}
-			}
 			return nil
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -815,17 +815,9 @@ func scpKolet(machines []platform.Machine) error {`
`815`	`815`	`} {`
`816`	`816`	`kolet := filepath.Join(d, "kolet")`
`817`	`817`	`if _, err := os.Stat(kolet); err == nil {`
`818`		`- if err := cluster.DropFile(machines, kolet); err != nil {`
	`818`	`+ if err := cluster.DropLabeledFile(machines, kolet, "bin_t"); err != nil {`
`819`	`819`	`return errors.Wrapf(err, "dropping kolet binary")`
`820`	`820`	`}`
`821`		`- // If in the future we want to care about machines without SELinux, let's`
`822`		- // do basically test -d /sys/fs/selinux or run `getenforce`.
`823`		`- for _, machine := range machines {`
`824`		`- out, stderr, err := machine.SSH("sudo chcon -t bin_t kolet")`
`825`		`- if err != nil {`
`826`		`- return errors.Wrapf(err, "running chcon on kolet: %s: %s", out, stderr)`
`827`		`- }`
`828`		`- }`
`829`	`821`	`return nil`
`830`	`822`	`}`
`831`	`823`	`}`