Finally, removal of the custom SELinux policy


Jed Lejosne

Feb 15, 2024, 1:12:08 PM
to kubevirt-dev
To run on SELinux-enabled nodes, KubeVirt (specifically virt-launcher) used to require more permissions than what was provided by the commonly used container policy: container-selinux [0]. To address that, a custom SELinux policy was added to KubeVirt, automatically installed by virt-handler on every worker node.

Over the years, developers of KubeVirt and various upstream projects used by KubeVirt worked hard to get rid of those additional permissions.
Yesterday, the last use-case for the custom policy was removed [1], and it is now effectively defunct!

In light of that, I've opened a PR [2] to remove the policy file as well as the remaining code that manages/uses it.
That shouldn't affect anybody, even those who (for some reason) are still forcibly using it, since upgrading KubeVirt will *not* uninstall the policy.

Regards,
Jed

Stu Gott

Feb 15, 2024, 1:15:26 PM
to Jed Lejosne, kubevirt-dev
On Thu, Feb 15, 2024 at 1:12 PM Jed Lejosne <j...@redhat.com> wrote:
> To run on SELinux-enabled nodes, KubeVirt (specifically virt-launcher) used to require more permissions than what was provided by the commonly used container policy: container-selinux [0]. To address that, a custom SELinux policy was added to KubeVirt, automatically installed by virt-handler on every worker node.
>
> Over the years, developers of KubeVirt and various upstream projects used by KubeVirt worked hard to get rid of those additional permissions.
> Yesterday, the last use-case for the custom policy was removed [1], and it is now effectively defunct!
>
> In light of that, I've opened a PR [2] to remove the policy file as well as the remaining code that manages/uses it.
> That shouldn't affect anybody, even those who (for some reason) are still forcibly using it, since upgrading KubeVirt will *not* uninstall the policy.

Brilliant! Thanks for doing this.

Kathryn Morgan

Feb 15, 2024, 1:22:12 PM
to Jed Lejosne, kubevirt-dev
Bravo 👏👏👏
