Description of problem:
On a freshly installed cluster I have the feature gate added to kubevirt:

  $ oc describe kubevirt -n openshift-cnv | grep DisableCustomSELinuxPolicy
  DisableCustomSELinuxPolicy

but the custom policy is still present on the nodes:

  sh-5.1# semodule -l | grep virt_launcher
  virt_launcher

Version-Release number of selected component (if applicable):
4.13

How reproducible:
100%

Steps to Reproduce:
1. Install CNV
2. Check the feature gate is added by default
3. Check the custom SELinux policy

Actual results:
Custom SELinux policy for virt_launcher exists

Expected results:
No custom SELinux policy for virt_launcher

Additional info:
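An added example, not part of this bug report or of the KubeVirt/HCO code: a POSIX shell script that runs the two checks from the description against every node and flags the inconsistent state (gate enabled but the virt_launcher module still loaded). It assumes a logged-in `oc`, the `openshift-cnv` namespace, the `.spec.configuration.developerConfiguration.featureGates` list on the KubeVirt CR, and `oc debug node/... -- chroot /host semodule -l` as the way to list modules on a node; `assess_node` is pure and can be exercised with constructed `semodule -l` output.

```shell
#!/bin/sh
# Added example: verify DisableCustomSELinuxPolicy against the nodes' loaded SELinux modules.
# Assumed: oc is logged in, namespace openshift-cnv, module name virt_launcher.
GATE="DisableCustomSELinuxPolicy"
MODULE="virt_launcher"

# assess_node GATE_STATE SEMODULE_OUTPUT
# GATE_STATE is "enabled" or "disabled"; SEMODULE_OUTPUT is the text of `semodule -l`.
# Prints a verdict; returns 0 only when gate and node state agree.
assess_node() {
    gate_state=$1
    semodule_out=$2
    # Match the module name at line start, alone (RHEL 9) or followed by a version column.
    if printf '%s\n' "$semodule_out" | grep -Eq "^$MODULE([[:space:]]|\$)"; then
        loaded=yes
    else
        loaded=no
    fi
    case "$gate_state:$loaded" in
        enabled:no)   echo "ok: gate on, $MODULE absent";          return 0 ;;
        disabled:yes) echo "ok: gate off, $MODULE present";        return 0 ;;
        enabled:yes)  echo "BUG: gate on but $MODULE still loaded"; return 1 ;;
        *)            echo "warn: gate off and $MODULE missing";   return 1 ;;
    esac
}

# Read the featureGates list from every KubeVirt CR in the namespace.
gate_state() {
    if oc get kubevirt -n openshift-cnv \
        -o jsonpath='{range .items[*]}{.spec.configuration.developerConfiguration.featureGates}{"\n"}{end}' \
        | grep -q "$GATE"; then
        echo enabled
    else
        echo disabled
    fi
}

# Walk all nodes; non-zero exit if any node disagrees with the gate.
check_cluster() {
    state=$(gate_state)
    rc=0
    for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
        out=$(oc debug "node/$node" -q -- chroot /host semodule -l 2>/dev/null)
        printf '%s: ' "$node"
        assess_node "$state" "$out" || rc=1
    done
    return $rc
}

# Sourcing the file only defines the functions; pass "run" to check a live cluster.
if [ "${1:-}" = "run" ]; then check_cluster; fi
```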
I'm estimating the severity of this to be medium because there's no danger of loss of data or functionality from a user perspective. The policy is just not being used. We suspect the issue is introduced by HCO's handling of feature gates, thus we're re-assigning this to the Installation component. Please feel free to move this if that's not correct.
This was wrongly assumed (by me) as being an HCO issue. This is actually a KubeVirt bug. A fix has been PRed (linked to issue).
Verified on v4.13.1.rhel9-79

Feature gate is added by default to KubeVirt:

  [akriti@fedora ~]$ oc describe kubevirt -n openshift-cnv | grep DisableCustomSELinuxPolicy
  DisableCustomSELinuxPolicy

No custom SELinux policy for virt_launcher on the nodes:

  sh-4.4# chroot /host
  sh-5.1# semodule -l | grep virt_launcher
  sh-5.1#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.13.3 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:4664