- Bug
- Resolution: Done-Errata
- Major
- None
- 4.12.z
- None
- +
- Important
- No
- 2
- CMP Sprint 71
- 1
- False
- Telco customer, was on watchlist last week, using inheritance with SPO, which is not a common behavior

Description of problem:
SelinuxProfiles do not inherit the custom SelinuxProfiles from the same namespace.
Version-Release number of selected component (if applicable):
OCP 4.12 + SPO 0.7.1
How reproducible:
>> Yes reproducible
Steps to Reproduce:
1. Create a SelinuxProfile in any namespace as per the attachment cdmrf-common
2. Inherit the cdmrf-common SelinuxProfile to other SelinuxProfile cdmrf-hook in the same namespace
~~~
inherit:
- kind: SelinuxProfile
  name: cdmrf-common
~~~
3. It will go into the Error state as follows:
~~~
  "status": {
    "conditions": [
      {
        "lastTransitionTime": "2023-08-01T16:00:27Z",
        "reason": "Unavailable",
        "status": "False",
        "type": "Ready"
      }
    ],
    "status": "Error",
    "usage": "cdmrf-hooks_openshift-security-profiles.process"
  }
}
~~~
4. Also found the following error in the events:
~~~
Profile failed validation on ip-10-0-159-170.ap-south-1.compute.internal: SelinuxProfile/cdmrf-common: unknown inherit kind for entry
~~~
Actual results:
SelinuxProfile cdmrf-common is not inherited with cdmrf-hook SelinuxProfile created in the same namespace
Expected results:
During inheritance, there should not be any errors.
Additional info:
Found SelinuxPolicy kind in the code[1] which should be fixed. We have tested with SelinuxPolicy kind but it did not work.
~~~
Error "Unsupported value: "SelinuxPolicy": supported values: "System", "SelinuxProfile"" for field "spec.inherit[0].kind".
~~~
It would be also fixed in the document[1]

code[1]: https://github.com/openshift/security-profiles-operator/blob/main/internal/pkg/daemon/selinuxprofile/selinuxprofile.go#L133-L140

Here is the slack Thread discussion: https://redhat-internal.slack.com/archives/CHCRR73PF/p1690819591084249
- links to: RHBA-2023:5958 OpenShift Security Profiles Operator bug fix update
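
The mismatch this report points at, modelled as an added Go example (not the operator's code and not part of the original report): admission accepts one set of `spec.inherit[].kind` values while a node-side check recognises another. `resolveInherit`, `UnhandledKinds` and the assumption that the node-side check still matches `SelinuxPolicy` are hypothetical, based on the reporter's reading of the linked source; the accepted kinds and the error text are the ones quoted above.

```go
package main

import (
	"errors"
	"fmt"
)

// Kinds the API server accepts for spec.inherit[].kind, as quoted in the
// admission error in this report.
var admissionKinds = []string{"System", "SelinuxProfile"}

// ErrUnknownKind mirrors the event text quoted in step 4.
var ErrUnknownKind = errors.New("unknown inherit kind for entry")

// resolveInherit is a hypothetical model of a node-side resolver.
// Assumption (from the report): it matches the older name "SelinuxPolicy"
// instead of "SelinuxProfile".
func resolveInherit(kind, name, namespace string) (string, error) {
	switch kind {
	case "System":
		return name, nil // policy shipped with the OS, referenced by bare name
	case "SelinuxPolicy":
		// usage-style name, same shape as the "usage" field in the status
		return name + "_" + namespace + ".process", nil
	default:
		return "", fmt.Errorf("%s/%s: %w", kind, name, ErrUnknownKind)
	}
}

// UnhandledKinds returns every kind that passes admission but that the
// resolver rejects. A unit test asserting this is empty catches the drift
// before a profile reaches a node and lands in the Error state.
func UnhandledKinds(accepted []string, resolve func(kind, name, ns string) (string, error)) []string {
	var missing []string
	for _, k := range accepted {
		if _, err := resolve(k, "probe", "ns"); errors.Is(err, ErrUnknownKind) {
			missing = append(missing, k)
		}
	}
	return missing
}

func main() {
	_, err := resolveInherit("SelinuxProfile", "cdmrf-common", "openshift-security-profiles")
	fmt.Println(err)
	fmt.Println("accepted but unhandled:", UnhandledKinds(admissionKinds, resolveInherit))
}
```
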