Bug 1795975

Summary: Revert temporary custom KubeVirt type in container-selinux
Product: Red Hat Enterprise Linux 8
Component: container-selinux
Version: 8.2
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Fabian Deutsch <fdeutsch>
Assignee: Daniel Walsh <dwalsh>
QA Contact: atomic-bugs <atomic-bugs>
CC: atomic-bugs, dwalsh, jnovy, lvrabec, tsweeney, vromanso
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Type: Bug
Clone Of: 1795964
Bug Depends On: 1795964
Last Closed: 2020-06-09 08:06:21 UTC

Description Fabian Deutsch 2020-01-29 11:33:00 UTC
This bug is to revert the following temporary workaround:

+++ This bug was initially created as a clone of Bug #1795964 +++

Description of problem:
Today KubeVirt (part of CNV) is using custom SELinux types/rules to confine the container which is running the user workload (virt-launcher).
On regular hosts this policy (.cil) is injected dynamically at runtime into the host kernel.
But this is not possible on RHCOS - there a policy needs to be part of the kernel from the beginning.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use custom policy on pod on RHCOS
2.
3.

Actual results:
Fails to find policy and fails to launch the container

Expected results:
Can launch the container

Additional info:
This is a temporary solution.
In the long run we are aiming to move KubeVirt to reuse the svirt types which are already present (at least in the RHEL policy).
Once it is completed, this temporary policy can be dropped again.

Comment 1 Tom Sweeney 2020-01-29 18:30:26 UTC
Just to make sure I have this right, this BZ is being used as a placeholder to come up with a permanent solution to this problem and to potentially undo the temporary workaround in https://bugzilla.redhat.com/show_bug.cgi?id=1795964?

Comment 3 Daniel Walsh 2020-06-08 20:26:27 UTC
This Bug has little information in it.  I have no idea what is being asked of me.

Comment 4 Vladik Romanovsky 2020-06-08 21:04:58 UTC
According to [1], no changes have been introduced in BZ1795964
and [2] has never been merged.

Therefore, I think it is safe to close this BZ.
What do you think, Fabian?


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1795964#c16
[2] https://github.com/containers/container-selinux/pull/87

Comment 5 Fabian Deutsch 2020-06-09 08:06:21 UTC
Agreed.

I'm closing this bug, as there is nothing to follow up on.