diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index fa7b5905505..588e90f3eb1 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -436,6 +436,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 /evergreen/packager_crypt_py_run.sh @10gen/devprod-build @svc-auto-approve-bot
 /evergreen/perf-submission.sh @10gen/devprod-performance-analysis @svc-auto-approve-bot
 /evergreen/streams* @10gen/streams-engine @svc-auto-approve-bot
+/evergreen/selinux_* @10gen/server-security @svc-auto-approve-bot
 /evergreen/generate_sast_report.sh @10gen/devprod-release-infrastructure @svc-auto-approve-bot
 /evergreen/write_sast_report_env_file.sh @10gen/devprod-release-infrastructure @svc-auto-approve-bot
 /evergreen/generate_symbol_check_report.py @10gen/devprod-build @svc-auto-approve-bot
@@ -1636,6 +1637,9 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 # The following patterns are parsed from ./jstests/resmoke_selftest/OWNERS.yml
 /jstests/resmoke_selftest/**/* @10gen/devprod-correctness @svc-auto-approve-bot
 
+# The following patterns are parsed from ./jstests/selinux/OWNERS.yml
+/jstests/selinux/**/* @10gen/server-security @svc-auto-approve-bot
+
 # The following patterns are parsed from ./jstests/serial_run/OWNERS.yml
 /jstests/serial_run/**/allow_partial_results_with_maxTimeMS* @10gen/query-execution-router @svc-auto-approve-bot
 /jstests/serial_run/**/out_max_time_ms.js @10gen/query-execution-classic @svc-auto-approve-bot
diff --git a/evergreen/OWNERS.yml b/evergreen/OWNERS.yml
index 659b58ebef5..1e0c14b31fa 100644
--- a/evergreen/OWNERS.yml
+++ b/evergreen/OWNERS.yml
@@ -42,6 +42,9 @@ filters:
 - "streams*":
 approvers:
 - 10gen/streams-engine
+ - "selinux_*":
+ approvers:
+ - 10gen/server-security
 - "generate_sast_report.sh":
 approvers:
 - 10gen/devprod-release-infrastructure
diff --git a/evergreen/selinux_test_setup.sh b/evergreen/selinux_test_setup.sh
index 5f0aa24fecb..ea82b141696 100755
--- a/evergreen/selinux_test_setup.sh
+++ b/evergreen/selinux_test_setup.sh
@@ -23,22 +23,13 @@ if [ -L /tmp ]; then
 sudo --non-interactive systemctl start tmp.mount
 fi
 
-# selinux policy should work both when applied before and after install
-# we will randomly apply it before or after installation is completed
-SEORDER="$(($(od -An -N1 -tu1 /dev/urandom) % 2))"
-if [ "$SEORDER" == "0" ]; then
- apply_selinux_policy
-fi
+apply_selinux_policy
 
 pkg="$(find "$HOME"/repo -name 'mongodb-*-server-*.x86_64.rpm' | tee /dev/stderr)"
 if ! sudo --non-interactive rpm --install --verbose --verbose --hash --nodeps "$pkg"; then
 if [ "$?" -gt "1" ]; then exit 1; fi # exit code 1 is OK
 fi
 
-if [ "$SEORDER" == "1" ]; then
- apply_selinux_policy
-fi
-
 # install packages needed by check_has_tag.py
 PYTHON=/opt/mongodbtoolchain/v5/bin/python3
 if [[ (-f "$PYTHON" || -L "$PYTHON") && -x "$PYTHON" ]]; then
diff --git a/jstests/selinux/OWNERS.yml b/jstests/selinux/OWNERS.yml
new file mode 100644
index 00000000000..4e18d97ae99
--- /dev/null
+++ b/jstests/selinux/OWNERS.yml
@@ -0,0 +1,5 @@
+version: 1.0.0
+filters:
+ - "*":
+ approvers:
+ - 10gen/server-security
diff --git a/jstests/selinux/default.js b/jstests/selinux/default.js
index 5f68ad6f6d0..891cb452d31 100644
--- a/jstests/selinux/default.js
+++ b/jstests/selinux/default.js
@@ -10,6 +10,10 @@ export class TestDefinition extends SelinuxBaseTest {
 // - that process is running in correct SELinux context
 assert(db);
 
+ jsTest.log("checking mongod service is still running..");
+ assert.eq(0, run("bash", "-c", "ps -efZ | grep -P 'mongod[ ]+[0-9]+'"));
+
+ jsTest.log("checking mongod service has the correct security label..");
 assert.eq(0, run("bash", "-c", "ps -efZ | grep -P 'system_u:system_r:mongod_t:s0[ ]+mongod'"));
 
 jsTest.log("success");
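Review bot: The unconditional `apply_selinux_policy` on the new side drops the apply-after-install ordering that the removed comment said the policy must also support, and nothing in the new code records that only the apply-before-install path is exercised now; a comment such as `# policy is applied before the package install; the apply-after-install ordering is no longer exercised here` would keep that intent visible for whoever later wonders why the second ordering has no coverage. In the context lines directly below, `$?` inside the body of `if ! sudo ... rpm ...; then` holds the status of the negated condition, which is 0 whenever rpm failed, so `[ "$?" -gt "1" ]` can never be true and every install failure is treated as the tolerated exit code 1. Capturing the status before negating it, e.g. `sudo --non-interactive rpm --install --verbose --verbose --hash --nodeps "$pkg" || rc=$?` followed by `if [ "${rc:-0}" -gt 1 ]; then exit 1; fi`, would restore the intended check. The script continues outside the hunk.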
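Review bot: Both new `run("bash", "-c", ...)` checks report only a non-zero exit code when they fail, so a failing run says nothing about what `ps -efZ` actually showed; passing a message as the third argument, e.g. `assert.eq(0, run("bash", "-c", "ps -efZ | grep -P 'mongod[ ]+[0-9]+'"), "no process owned by user mongod found in ps -efZ output")`, would make a missing service distinguishable from a pattern that simply did not match. The first pattern `mongod[ ]+[0-9]+` is also loose: it is meant to hit the UID column followed by the PID, but it would match any line where the word mongod is followed by spaces and digits, so anchoring it to the start of the UID column, or using `pgrep -u mongod mongod`, would make the "still running" claim in the log line tighter. The same applies to the second pattern, which is a superset check and could share one helper with the first. The enclosing method of TestDefinition starts and ends outside the hunk.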