Cosmin Cojocar
I think the https://github.com/containers/selinuxd needs some update.
I tried to investigate the issue a bit and I see in the logs the profile is arriving correctly for recording: ``` I1204 16:30:36.572465 7735 profilerecorder.go:284] "Recording profile" logger="recorder-spod" namespace="security-profiles-operator"...
There is a dedicated `selinuxrecording.process` type for recording which needs to be applied to the security context of the container/pod being recorded. This is an example for `nginx` which works:...
> I don't quite follow you. Do we first apply the ProfileRecording resource and then delete the Pod and recreate it with the SELinux recorded profile? Or am I misunderstanding...
You have to use that type since that policy is loaded by the selinuxd init container, otherwise SELinux will not log the audit messages for it. I'll update the...
Interesting idea, I am thinking we can build on top of the existing features to achieve something similar. We can extend the `ProfileBindings` with OCI Artifact based profile support. In...
> Extending the binding sounds like a good feature to me, but that's not exactly matching the point of "in addition to as CRDs". I think the point is that...
/remove-lifecycle roten
/remove-lifecycle rotten
On this, I think we need to start the __Obfuscated Go Integer Overflow Contest__. 😄