SERVER-118537 Always apply SELinux policy before installing mongodb package on SELinux tests (#47304)

GitOrigin-RevId: 0fac80cf934c70803e10233f1abdc3c3e20187e2

.github/CODEOWNERS

@@ -436,6 +436,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 /evergreen/packager_crypt_py_run.sh @10gen/devprod-build @svc-auto-approve-bot
 /evergreen/perf-submission.sh @10gen/devprod-performance-analysis @svc-auto-approve-bot
 /evergreen/streams* @10gen/streams-engine @svc-auto-approve-bot
+/evergreen/selinux_* @10gen/server-security @svc-auto-approve-bot
 /evergreen/generate_sast_report.sh @10gen/devprod-release-infrastructure @svc-auto-approve-bot
 /evergreen/write_sast_report_env_file.sh @10gen/devprod-release-infrastructure @svc-auto-approve-bot
 /evergreen/generate_symbol_check_report.py @10gen/devprod-build @svc-auto-approve-bot
@@ -1636,6 +1637,9 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 # The following patterns are parsed from ./jstests/resmoke_selftest/OWNERS.yml
 /jstests/resmoke_selftest/**/* @10gen/devprod-correctness @svc-auto-approve-bot
 
+# The following patterns are parsed from ./jstests/selinux/OWNERS.yml
+/jstests/selinux/**/* @10gen/server-security @svc-auto-approve-bot
+
 # The following patterns are parsed from ./jstests/serial_run/OWNERS.yml
 /jstests/serial_run/**/allow_partial_results_with_maxTimeMS* @10gen/query-execution-router @svc-auto-approve-bot
 /jstests/serial_run/**/out_max_time_ms.js @10gen/query-execution-classic @svc-auto-approve-bot

evergreen/OWNERS.yml

@@ -42,6 +42,9 @@ filters:
   - "streams*":
     approvers:
       - 10gen/streams-engine
+  - "selinux_*":
+    approvers:
+      - 10gen/server-security
   - "generate_sast_report.sh":
     approvers:
       - 10gen/devprod-release-infrastructure

evergreen/selinux_test_setup.sh

@@ -23,22 +23,13 @@ if [ -L /tmp ]; then
     sudo --non-interactive systemctl start tmp.mount
 fi
 
-# selinux policy should work both when applied before and after install
-# we will randomly apply it before or after installation is completed
-SEORDER="$(($(od -An -N1 -tu1 /dev/urandom) % 2))"
-if [ "$SEORDER" == "0" ]; then
-    apply_selinux_policy
-fi
+apply_selinux_policy
 
 pkg="$(find "$HOME"/repo -name 'mongodb-*-server-*.x86_64.rpm' | tee /dev/stderr)"
 if ! sudo --non-interactive rpm --install --verbose --verbose --hash --nodeps "$pkg"; then
     if [ "$?" -gt "1" ]; then exit 1; fi # exit code 1 is OK
 fi
 
-if [ "$SEORDER" == "1" ]; then
-    apply_selinux_policy
-fi
-
 # install packages needed by check_has_tag.py
 PYTHON=/opt/mongodbtoolchain/v5/bin/python3
 if [[ (-f "$PYTHON" || -L "$PYTHON") && -x "$PYTHON" ]]; then

jstests/selinux/OWNERS.yml

@@ -0,0 +1,5 @@
+version: 1.0.0
+filters:
+  - "*":
+    approvers:
+      - 10gen/server-security

jstests/selinux/default.js

@@ -10,6 +10,10 @@ export class TestDefinition extends SelinuxBaseTest {
         // - that process is running in correct SELinux context
 
         assert(db);
+        jsTest.log("checking mongod service is still running..");
+        assert.eq(0, run("bash", "-c", "ps -efZ | grep -P 'mongod[ ]+[0-9]+'"));
+
+        jsTest.log("checking mongod service has the correct security label..");
         assert.eq(0, run("bash", "-c", "ps -efZ | grep -P 'system_u:system_r:mongod_t:s0[ ]+mongod'"));
 
         jsTest.log("success");