Skip to content

Conversation

jparrill
Copy link

- What I did
Add new kubelet-selinux-bools service to disable selinuxuser_execstack at node level

- How to verify it
Once deploy a new OCP Cluster, check the booleans at the node level following this steps:

# semanage boolean -l | grep -e execmem -e execstack | grep selinuxuser_execstack

That boolean should be (off, off)

- Description for the changelog
Add kubelet-selinux-bools service to disable selinuxuser_execstack boolean, preventing potential stack-based code execution attacks. This enhances security by ensuring users cannot execute code on the stack through SELinux policies.

Add kubelet-selinux-bools service to disable selinuxuser_execstack
boolean, preventing potential stack-based code execution attacks.
This enhances security by ensuring users cannot execute code on
the stack through SELinux policies.

Fixes: OCPBUGS-43633
Signed-off-by: Juan Manuel Parrilla Madrid <[email protected]>
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 24, 2025
@openshift-ci-robot
Copy link
Contributor

@jparrill: This pull request references Jira Issue OCPBUGS-43633, which is invalid:

  • expected the weakness to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

- What I did
Add new kubelet-selinux-bools service to disable selinuxuser_execstack at node level

- How to verify it
Once deploy a new OCP Cluster, check the booleans at the node level following this steps:

# semanage boolean -l | grep -e execmem -e execstack | grep selinuxuser_execstack

That boolean should be (off, off)

- Description for the changelog
Add kubelet-selinux-bools service to disable selinuxuser_execstack boolean, preventing potential stack-based code execution attacks. This enhances security by ensuring users cannot execute code on the stack through SELinux policies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Copy link
Contributor

openshift-ci bot commented Sep 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jparrill
Once this PR has been reviewed and has the lgtm label, please assign cheesesashimi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jparrill
Copy link
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 24, 2025
@openshift-ci-robot
Copy link
Contributor

@jparrill: This pull request references Jira Issue OCPBUGS-43633, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jparrill jparrill changed the title OCPBUGS-43633: fix(security): disable SELinux execstack for stack protection OCPBUGS-43633: fix(security): disable SELinuxUser execstack for stack protection Sep 24, 2025
@jparrill
Copy link
Author

/retest

Copy link
Contributor

openshift-ci bot commented Sep 29, 2025

@jparrill: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/bootstrap-unit 8dad7b7 link false /test bootstrap-unit
ci/prow/e2e-aws-mco-disruptive 8dad7b7 link false /test e2e-aws-mco-disruptive
ci/prow/e2e-aws-ovn-upgrade 8dad7b7 link true /test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-op-ocl 8dad7b7 link false /test e2e-gcp-op-ocl
ci/prow/e2e-aws-ovn 8dad7b7 link true /test e2e-aws-ovn
ci/prow/e2e-gcp-mco-disruptive 8dad7b7 link false /test e2e-gcp-mco-disruptive
ci/prow/e2e-azure-ovn-upgrade-out-of-change 8dad7b7 link false /test e2e-azure-ovn-upgrade-out-of-change
ci/prow/e2e-aws-ovn-upgrade-out-of-change 8dad7b7 link false /test e2e-aws-ovn-upgrade-out-of-change
ci/prow/okd-scos-e2e-aws-ovn 8dad7b7 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants