From 7c0cfadaee3768c1dcce06e0fce4e8b67699bcd3 Mon Sep 17 00:00:00 2001
From: Andrew Harding
Date: Mon, 29 May 2023 06:58:07 -0600
Subject: [PATCH] Add some more logging

Signed-off-by: Andrew Harding
---
 pkg/driver/driver.go | 27 +++++++++++++++++++--------
 pkg/driver/driver_test.go | 7 +++++++
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/pkg/driver/driver.go b/pkg/driver/driver.go
index 0a50356..757dd9f 100644
--- a/pkg/driver/driver.go
+++ b/pkg/driver/driver.go
@@ -22,10 +22,12 @@ const (
 
 var (
 	// We replace these in tests since bind mounting generally requires root.
-	bindMountRW = mount.BindMountRW
-	unmount = mount.Unmount
-	isMountPoint = mount.IsMountPoint
-	chcon = selinux.Chcon
+	bindMountRW = mount.BindMountRW
+	unmount = mount.Unmount
+	isMountPoint = mount.IsMountPoint
+	chcon = selinux.Chcon
+	seLinuxEnabled = selinux.GetEnabled
+	seLinuxEnforceMode = selinux.EnforceMode
 )
 
 // Config is the configuration for the driver
@@ -60,12 +62,21 @@ func New(config Config) (*Driver, error) {
 	// mount to be used within OpenShift, for example. This will fail if the
 	// Workload API socket directory is mounted read-only, but that will only
 	// result in a failure if SELinux is enabled and enforcing.
-	if err := chcon(config.WorkloadAPISocketDir, seLinuxContainerFileLabel, true); err != nil {
-		if selinux.GetEnabled() && selinux.EnforceMode() == selinux.Enforcing {
+	seLinuxEnabled := seLinuxEnabled()
+	seLinuxEnforceMode := seLinuxEnforceMode()
+	seLinuxProcessLabel, seLinuxFileLabel := selinux.ContainerLabels()
+	config.Log.Info("SELinux status",
+		"enabled", seLinuxEnabled,
+		"enforceMode", seLinuxEnforceMode,
+		"processLabel", seLinuxProcessLabel,
+		"fileLabel", seLinuxFileLabel,
+	)
+	if seLinuxEnabled && seLinuxEnforceMode == selinux.Enforcing {
+		if err := chcon(config.WorkloadAPISocketDir, seLinuxContainerFileLabel, true); err != nil {
 			return nil, fmt.Errorf("failed to set the container file label on the Workload API socket directory: %v", err)
+		} else {
+			config.Log.Info("Set the container file label on the Workload API socket directory")
 		}
-	} else {
-		config.Log.Info("Set the container file label on the Workload API socket directory")
 	}
 
 	return &Driver{
diff --git a/pkg/driver/driver_test.go b/pkg/driver/driver_test.go
index 19aa6b5..79ea08c 100644
--- a/pkg/driver/driver_test.go
+++ b/pkg/driver/driver_test.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/go-logr/logr"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/spiffe/spiffe-csi/internal/version"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -35,6 +36,12 @@ func init() {
 		return os.Remove(metaPath(dst))
 	}
 	chcon = writeSELinuxLabel
+	seLinuxEnabled = func() bool {
+		return true
+	}
+	seLinuxEnforceMode = func() int {
+		return selinux.Enforcing
+	}
 }
 
 func TestNew(t *testing.T) {
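Review bot: The relabel is now skipped whenever SELinux is enabled but not enforcing, because `if seLinuxEnabled && seLinuxEnforceMode == selinux.Enforcing` wraps the `chcon` call itself, whereas the removed code always attempted `chcon` and only treated a failure as fatal in enforcing mode; a node running permissive therefore no longer gets the container file label on the Workload API socket directory, and a later switch to enforcing will deny workloads access instead of surfacing a driver start-up error, a behaviour change the "Add some more logging" subject does not announce. Unless that is intended, keep the attempt unconditional and gate only the error handling, e.g. `err := chcon(config.WorkloadAPISocketDir, seLinuxContainerFileLabel, true)` followed by `if err != nil && enabled && mode == selinux.Enforcing { return nil, fmt.Errorf(...) }` and a non-fatal log line otherwise, which also lets the `else` after the `return` go away. The logged `processLabel`/`fileLabel` come from `selinux.ContainerLabels()`, which, if it behaves as in go-selinux, generates and reserves a fresh random MCS pair that is neither the label actually applied (`seLinuxContainerFileLabel`) nor released afterwards, so logging that constant would be both accurate and side-effect free. `seLinuxEnabled := seLinuxEnabled()` also shadows the package-level test hook with a local bool of the same name; `enabled := seLinuxEnabled()` reads more clearly. `New` continues outside the hunk.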
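Review bot: The hooks set in `init()` pin every test to SELinux enabled and `selinux.Enforcing`, so the new non-enforcing path in `New` (status log only, no `chcon`) is never exercised and a regression there would go unnoticed. Since `seLinuxEnabled` and `seLinuxEnforceMode` are package-level variables, a `TestNew` case can override them with `func() bool { return false }` / `func() int { return selinux.Permissive }`, restore them via `t.Cleanup`, and assert that `writeSELinuxLabel` was not invoked. `init` is shown in full here; `TestNew` begins at the hunk's last line and continues outside it.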