Bug
Resolution: Unresolved
Normal
None
4.13.z
None
Low
No
False
Description of problem:
A selinux profile could not be installed when a seccomp profile with the same name has been installed
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-05-17-174018 + security-profiles-operator.v0.7.1
How reproducible:
Always
Steps to Reproduce:
1. Install Security Profiles Operator

2. Create a new namespace and create a seccompprofile in the namespace:

    $ oc new-project test
    $ oc apply -f -<<EOF
    apiVersion: security-profiles-operator.x-k8s.io/v1beta1
    kind: SeccompProfile
    metadata:
      name: test
    spec:
      defaultAction: SCMP_ACT_ERRNO
      architectures:
      - SCMP_ARCH_X86_64
      syscalls:
      - action: SCMP_ACT_ALLOW
        names:
        - arch_prctl
        - brk
        - capget
        - capset
        - chdir
        - clone
        - close
    EOF
    seccompprofile.security-profiles-operator.x-k8s.io/test created
    $ oc get sp
    NAME   STATUS      AGE
    test   Installed   24s

3. Create a selinux with the same name in the same namespace:

    $ oc apply -f -<<EOF
    apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
    kind: SelinuxProfile
    metadata:
      name: test
    spec:
      allow:
        '@self':
          tcp_socket:
          - listen
        http_cache_port_t:
          tcp_socket:
          - name_bind
        node_t:
          tcp_socket:
          - node_bind
      inherit:
      - kind: System
        name: container
    EOF
Actual results:
The selinuxprofile could not be installed.

    $ oc get selinuxprofiles
    NAME   USAGE   STATE
    test
    $ oc get event --field-selector reason=CannotUpdatePolicyStatus
    LAST SEEN   TYPE      REASON                     OBJECT                MESSAGE
    31m         Warning   CannotUpdatePolicyStatus   selinuxprofile/test   updating node status: Operation cannot be fulfilled on securityprofilenodestatuses.security-profiles-operator.x-k8s.io "test-ip-10-0-172-91.us-east-2.compute.internal": the object has been modified; please apply your changes to the latest version and try again
Expected results:
The selinux profile could reach installed status.
Additional info: