Bug 2188144
Summary: | Custom SELinux policy for virt_launcher still present on CNV with DisableCustomSELinuxPolicy feature gate enabled | ||
---|---|---|---|
Product: | Container Native Virtualization (CNV) | Reporter: | Denys Shchedrivyi <dshchedr> |
Component: | Virtualization | Assignee: | Jed Lejosne <jlejosne> |
Status: | CLOSED ERRATA | QA Contact: | Akriti Gupta <akrgupta> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.13.0 | CC: | acardace, jlejosne, kbidarka, stirabos |
Target Milestone: | --- | ||
Target Release: | 4.13.1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | hco-bundle-registry-container-v4.13.1.rhel9-79 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-08-16 14:09:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Denys Shchedrivyi
2023-04-19 21:05:32 UTC
I'm estimating the severity of this to be medium because there's no danger of loss of data or functionality from a user perspective. The policy is just not being used. We suspect the issue is introduced by HCO's handling of feature gates, thus we're re-assigning this to the Installation component. Please feel free to move this if that's not correct. This was wrongly assumed (by me) as being an HCO issue. This is actually a KubeVirt bug. A fix has been PRed (linked to issue). Verified on v4.13.1.rhel9-79 feature gate is added by default to Kubevirt [akriti@fedora ~]$ oc describe kubevirt -n openshift-cnv | grep DisableCustomSELinuxPolicy DisableCustomSELinuxPolicy no custom selinux policy for virt_launcher on nodes sh-4.4# chroot /host sh-5.1# semodule -l | grep virt_launcher sh-5.1# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.13.3 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:4664 |