OpenShift Bugs: OCPBUGS-12879

selinux: Allow using other container-selinux policy templates than container


Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 4.12.0
    • None
    • No
    • 2
    • False
    • Previously, a Security Profiles Operator (SPO) SELinux policy did not inherit low-level policy definitions from the container template if you selected another template, such as `net_container`. The policy would not work because it required low-level policy definitions that only existed in the container template. This issue occurred when the SPO SELinux policy attempted to translate SELinux policies from the SPO custom format to the Common Intermediate Language (CIL) format. With this update, the container template appends to any SELinux policies that require translation from SPO to CIL. Additionally, the SPO SELinux policy can inherit low-level policy definitions from any supported policy template. (link:https://issues.redhat.com/browse/OCPBUGS-12879[*OCPBUGS-12879*])
    • Release Note Not Required
    • Done

    Description

      Description of problem:

      When a selinuxprofile was created based on another base profile than "container", the policy would not be installed

      Version-Release number of selected component (if applicable):

      0.5

      How reproducible:

      always

      Steps to Reproduce:

      1. Create a selinuxpolicy from the following manifest:
      apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
      kind: SelinuxProfile
      metadata:
        name: errorlogger
      spec:
        inherit:
          - name: net_container
        allow:
          var_run_t:
            sock_file:
              - write
      2.
      3.
      

      Actual results:

      the policy failed to create

      Expected results:

      the policy should be created

      Additional info:

      The key in this bug is the inherit; in older SPO releases, only container worked.
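The following is an added illustration, not code from the Security Profiles Operator itself. It models the translation the release note describes (SPO custom format to CIL) with a deliberately simplified set of templates: the assumption here is that only the `container` template defines the `process` type symbol that generated allow rules refer to, while `net_container` contributes nothing the rules depend on. With `append_container=False` the generator reproduces the failure reported above for the `errorlogger` manifest; with the default it appends the container template, which is the behaviour the fix introduced. The exact CIL text that SPO emits is approximated, not copied.

```python
import re

# Constructed, simplified stand-ins for the low-level policy templates that
# the Security Profiles Operator (SPO) lets a SelinuxProfile inherit from.
# Assumption for this example: only the `container` template declares the
# type symbols (here: `process`) that the generated allow rules refer to,
# while `net_container` only carries extra network rules of its own.
TEMPLATES = {
    "container": {"defines": {"process"}},
    "net_container": {"defines": set()},
}


def profile_to_cil(name, spec, append_container=True):
    """Render an SPO-style SelinuxProfile spec as a CIL block.

    append_container=False reproduces the behaviour reported in OCPBUGS-12879:
    only the templates named under spec.inherit are pulled in, so a profile that
    inherits net_container alone never gets the container template's symbols.
    """
    inherits = [entry["name"] for entry in spec.get("inherit", [])]
    if append_container and "container" not in inherits:
        # The fix: the container template is always appended.
        inherits.append("container")

    lines = [f"(block {name}"]
    lines += [f"  (blockinherit {tmpl})" for tmpl in inherits]
    for target, classes in spec.get("allow", {}).items():
        for obj_class, perms in classes.items():
            # SPO-style allow map: target type -> object class -> permissions.
            lines.append(f"  (allow process {target} ({obj_class} ({' '.join(perms)})))")
    lines.append(")")
    return "\n".join(lines)


def undefined_symbols(cil):
    """Return the source-type symbols used by allow rules that no inherited
    template defines; an empty set means the policy would load."""
    inherited = re.findall(r"\(blockinherit (\S+)\)", cil)
    defined = set()
    for tmpl in inherited:
        defined |= TEMPLATES.get(tmpl, {"defines": set()})["defines"]
    used = set(re.findall(r"\(allow (\S+) ", cil))
    return used - defined


# Constructed input mirroring the manifest in the bug report.
ERRORLOGGER_SPEC = {
    "inherit": [{"name": "net_container"}],
    "allow": {"var_run_t": {"sock_file": ["write"]}},
}


def check_profile(spec, append_container):
    """Render the profile and report which symbols would be left undefined."""
    cil = profile_to_cil("errorlogger", spec, append_container)
    return cil, undefined_symbols(cil)


if __name__ == "__main__":
    for fixed in (False, True):
        cil, missing = check_profile(ERRORLOGGER_SPEC, append_container=fixed)
        print(f"--- append_container={fixed} ---\n{cil}")
        print("undefined symbols:", missing or "none")
```

Running the block prints both renderings: the pre-fix one inherits only `net_container` and leaves `process` undefined, which is the "policy failed to create" outcome; the fixed one carries both `(blockinherit net_container)` and `(blockinherit container)`, and a profile that already lists `container` is not given a second copy.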

    People

      jhrozek@redhat.com Jakub Hrozek
      jhrozek@redhat.com Jakub Hrozek
      Xiaojie Yuan
      Darragh Fitzmaurice