Description of problem: selinux-policy seems to set selinuxuser_execmod=off by default on Power systems This results in issues when running OpenShift with privileged pods. sh-5.1# rpm -q container-selinux container-selinux-2.219.0-1.rhaos4.13.el9.noarch sh-5.1# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i | audit2allow #============= spc_t ============== #!!!! This avc can be allowed using the boolean 'selinuxuser_execmod' allow spc_t container_ro_file_t:file execmod; See https://bugzilla.redhat.com/show_bug.cgi?id=2230462 for the error in the package consumed by OpenShift. Version-Release number of selected component (if applicable): How reproducible: We've been running openshift-tests on Power systems with the latest builds of RHCOS. Steps to Reproduce: 1. Deploy openshift 2. Run openShift tests 3. Audit results for selinux denials Actual results: sh-5.1# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent -i | audit2allow #============= spc_t ============== #!!!! This avc can be allowed using the boolean 'selinuxuser_execmod' allow spc_t container_ro_file_t:file execmod; Expected results: No errors Additional info: This seems only to be set off on Power. Other architectures are able to run privileged containers without issue.
As an aside - Dan provided a full list of differences between the architecture defaults (between x86_64 and ppc64le) x86 settings selinuxuser_direct_dri_enabled --> on selinuxuser_execheap --> off selinuxuser_execmod --> on selinuxuser_execstack --> on selinuxuser_mysql_connect_enabled --> off selinuxuser_ping --> on selinuxuser_postgresql_connect_enabled --> off selinuxuser_rw_noexattrfile --> on selinuxuser_share_music --> off selinuxuser_tcp_server --> off selinuxuser_udp_server --> off selinuxuser_use_ssh_chroot --> off (See https://redhat-internal.slack.com/archives/C017UFPQA4X/p1692019449004529?thread_ts=1690991302.943759&cid=C017UFPQA4X) Not sure if any of these should be set for power as well.