From d568bb50fc809b28115aa240c082c872e8842cbe Mon Sep 17 00:00:00 2001
From: Evans Mungai
Date: Fri, 29 Sep 2023 15:04:56 +0100
Subject: [PATCH 1/3] Analyser to check if SELinux is exabled

---
 host/default.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/host/default.yaml b/host/default.yaml
index 8c42242..3ffd312 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -151,6 +151,9 @@ spec:
 collectorName: "sysctl"
 command: "sysctl"
 args: ["-a"]
+ - copy:
+ collectorName: selinux-config
+ path: /etc/selinux/config
 # Systemctl service statuses for CRI, Kubelet, and Firewall
 - run:
 collectorName: "systemctl-firewalld-status"
@@ -739,3 +742,15 @@ spec:
 - pass:
 when: "true"
 message: "'localhost' resolves to 127.0.0.1 ip address"
+ - textAnalyze:
+ checkName: Check if SELinux is enabled
+ fileName: host-collectors/selinux-config/config
+ regex: 'SELINUX=enforcing'
+ ignoreIfNoFiles: true
+ outcomes:
+ - fail:
+ when: "true"
+ message: "SELinux is enabled when it should be disabled for kubernetes to work properly"
+ - pass:
+ when: "false"
+ message: "SELinux is disabled as expected"
From 574eafe7a7d276f885a83e8d2648dcfdcbc546dc Mon Sep 17 00:00:00 2001
From: Evans Mungai
Date: Fri, 29 Sep 2023 15:10:32 +0100
Subject: [PATCH 2/3] Improve SELinux analyser regex

---
 host/default.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/default.yaml b/host/default.yaml
index 3ffd312..ae5b8da 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -745,7 +745,7 @@ spec:
 - textAnalyze:
 checkName: Check if SELinux is enabled
 fileName: host-collectors/selinux-config/config
- regex: 'SELINUX=enforcing'
+ regex: '(?m)^SELINUX=enforcing'
 ignoreIfNoFiles: true
 outcomes:
 - fail:
From c16a077feb0a0006895b86527cf13a0a1dfbf5e3 Mon Sep 17 00:00:00 2001
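Review bot: The pass message of the new `textAnalyze` block in patch 1/3 (hunk at -739) says "SELinux is disabled as expected", but the regex only looks for `SELINUX=enforcing`, so a host in permissive mode also lands in the pass branch and is reported as disabled. `message: "SELinux is not in enforcing mode"` would describe what is actually tested, and `checkName: Check if SELinux is enabled` has the same mismatch. Reporting enforcing mode as a hard `fail` also steers operators towards switching off mandatory access control on the node; a `warn` outcome whose message points at permissive mode or a suitable policy would keep the signal without recommending that the control be removed. These outcomes are carried unchanged through patches 2/3 and 3/3.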
From: Evans Mungai
Date: Fri, 29 Sep 2023 16:44:51 +0100
Subject: [PATCH 3/3] Update selinux analyser and remove duplicate collector

---
 host/default.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/host/default.yaml b/host/default.yaml
index ae5b8da..e04ae75 100644
--- a/host/default.yaml
+++ b/host/default.yaml
@@ -87,6 +87,7 @@ spec:
 collectorName: "iostat"
 command: "iostat"
 args: ["-x"]
+ # SELinux status
 - run:
 collectorName: "sestatus"
 command: "sestatus"
@@ -151,9 +152,6 @@ spec:
 collectorName: "sysctl"
 command: "sysctl"
 args: ["-a"]
- - copy:
- collectorName: selinux-config
- path: /etc/selinux/config
 # Systemctl service statuses for CRI, Kubelet, and Firewall
 - run:
 collectorName: "systemctl-firewalld-status"
@@ -744,8 +742,8 @@ spec:
 message: "'localhost' resolves to 127.0.0.1 ip address"
 - textAnalyze:
 checkName: Check if SELinux is enabled
- fileName: host-collectors/selinux-config/config
- regex: '(?m)^SELINUX=enforcing'
+ fileName: host-collectors/run-host/sestatus.txt
+ regex: '(?m)^Current mode:\s+enforcing'
 ignoreIfNoFiles: true
 outcomes:
 - fail:
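Review bot: Matching only `Current mode:` in the sestatus output (last hunk of patch 3/3) misses a host that is permissive right now but still configured as enforcing, which returns to enforcing on the next reboot; `sestatus` prints that as a separate `Mode from config file:` line. A regex such as `(?m)^(Current mode|Mode from config file):\s+enforcing` would cover both the running and the persistent state. With `ignoreIfNoFiles: true` the check is also skipped without any outcome when `sestatus.txt` was not collected (presumably when the command is missing on the host), so a comment stating that this is intended would help, e.g. `# skipped on hosts without sestatus; absence is treated as SELinux not installed`. The outcomes list continues past the end of the hunk.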