From 432ee04c558aaf76c50ce1d299ee36a9cf77d26a Mon Sep 17 00:00:00 2001
From: Steven Taylor <steven@taylormuff.co.uk>
Date: Wed, 3 Feb 2021 00:27:48 +0000
Subject: [PATCH] play kube selinux label test case

test case added to e2e test suite to validate process label being correctly set
on play kube

Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
---
 test/e2e/play_kube_test.go | 58 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 5930462d5b..9fbedc0739 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -26,6 +26,49 @@ spec:
   hostname: unknown
 `
 
+var selinuxLabelPodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: "2021-02-02T22:18:20Z"
+  labels:
+    app: label-pod
+  name: label-pod
+spec:
+  containers:
+  - command:
+    - top
+    - -d
+    - "1.5"
+    env:
+    - name: PATH
+      value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+    - name: TERM
+      value: xterm
+    - name: container
+      value: podman
+    - name: HOSTNAME
+      value: label-pod
+    image: quay.io/libpod/alpine:latest
+    name: test
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - CAP_MKNOD
+        - CAP_NET_RAW
+        - CAP_AUDIT_WRITE
+      privileged: false
+      readOnlyRootFilesystem: false
+      seLinuxOptions:
+        user: unconfined_u
+        role: system_r
+        type: spc_t
+        level: s0
+    workingDir: /
+status: {}
+`
+
 var configMapYamlTemplate = `
 apiVersion: v1
 kind: ConfigMap
@@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() {
 
 	})
 
+	It("podman play kube fail with custom selinux label", func() {
+		err := writeYaml(selinuxLabelPodYaml, kubeYaml)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"})
+		inspect.WaitWithDefaultTimeout()
+		label := inspect.OutputToString()
+
+		Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0"))
+	})
+
 	It("podman play kube fail with nonexistent authfile", func() {
 		err := generateKubeYaml("pod", getPod(), kubeYaml)
 		Expect(err).To(BeNil())