kubernetes-sigs · k8s-ci-robot · Mar 3, 2025 · Feb 28, 2025 · Feb 28, 2025
diff --git a/api/selinuxprofile/v1alpha2/rawselinuxprofile_types.go b/api/selinuxprofile/v1alpha2/rawselinuxprofile_types.go
@@ -69,7 +69,7 @@ func (sp *RawSelinuxProfile) SetImplementationStatus() {
 // GetPolicyName gets the policy module name in the format that
 // we're expecting for parsing.
 func (sp *RawSelinuxProfile) GetPolicyName() string {
-	return sp.GetName() + "_" + sp.GetNamespace()
+	return sp.GetName()
 }
 
 // GetPolicyUsage is the representation of how a pod will call this

diff --git a/api/selinuxprofile/v1alpha2/selinuxprofile_types.go b/api/selinuxprofile/v1alpha2/selinuxprofile_types.go
@@ -148,7 +148,7 @@ func (sp *SelinuxProfile) SetImplementationStatus() {
 // GetPolicyName gets the policy module name in the format that
 // we're expecting for parsing.
 func (sp *SelinuxProfile) GetPolicyName() string {
-	return sp.GetName() + "_" + sp.GetNamespace()
+	return sp.GetName()
 }
 
 // GetPolicyUsage is the representation of how a pod will call this

diff --git a/installation-usage.md b/installation-usage.md
@@ -1067,10 +1067,10 @@ the resulting CIL policy:
 
 ```shell
 $ kubectl exec -it -c selinuxd spod-fm55x -- sh
-sh-4.4# cat /etc/selinux.d/nginx-secure_nginx-deploy.cil
-(block nginx-secure_nginx-deploy
+sh-4.4# cat /etc/selinux.d/nginx-secure.cil
+(block nginx-secure
 (blockinherit container)
-(allow process nginx-secure_nginx-deploy.process ( tcp_socket ( listen )))
+(allow process nginx-secure.process ( tcp_socket ( listen )))
 (allow process http_cache_port_t ( tcp_socket ( name_bind )))
 (allow process node_t ( tcp_socket ( node_bind )))
 )
@@ -1176,8 +1176,8 @@ kubectl get selinuxprofile
 
 # Output should show the selinux profile.
 
-NAME                              USAGE                                                                STATE
-nginx-recording-nginx-container   nginx-recording-nginx-container_security-profiles-operator.process   partial
+NAME                              USAGE                                     STATE
+nginx-recording-nginx-container   nginx-recording-nginx-container.process   partial
 
 # The content of the profile can be inspected.
 
@@ -1186,7 +1186,7 @@ kubectl get selinuxprofile -o yaml
 
 #### Use SELinux profile
 
-SELinux profiles are referenced based on their `USAGE` type name.
+SELinux profiles are referenced based on their `USAGE` type name, which is `<ProfileName>.process`.
 
 Use this SELinux type in the workload manifest in the `.spec.containers[].securityContext.seLinuxOptions` attribute:
 
@@ -1203,7 +1203,7 @@ spec:
       securityContext:
         seLinuxOptions:
           # NOTE: This uses an appropriate SELinux type
-          type: nginx-recording-nginx-container_security-profiles-operator.process
+          type: nginx-recording-nginx-container.process
 ```
 
 The pod should properly start and run.

diff --git a/internal/pkg/manager/nodestatus/nodestatus.go b/internal/pkg/manager/nodestatus/nodestatus.go
@@ -260,32 +260,16 @@ func (r *StatusReconciler) removeStatusForDeletedNode(ctx context.Context,
 }
 
 func (r *StatusReconciler) getDS(ctx context.Context, namespace string, l logr.Logger) (*appsv1.DaemonSet, error) {
-	dsSelect := labels.NewSelector()
+	spodDS := appsv1.DaemonSet{}
+	spodName := util.NamespacedName("spod", namespace)
 
-	spodDSFilter, err := labels.NewRequirement("spod", selection.Exists, []string{})
-	if err != nil {
-		return nil, fmt.Errorf("cannot create DS list label: %w", err)
-	}
-
-	dsSelect.Add(*spodDSFilter)
-	dsListOpts := client.ListOptions{
-		LabelSelector: dsSelect,
-		Namespace:     namespace,
-	}
-
-	spodDSList := appsv1.DaemonSetList{}
-	if err := r.client.List(ctx, &spodDSList, &dsListOpts); err != nil {
-		return nil, fmt.Errorf("cannot list DS: %w", err)
-	}
-
-	if len(spodDSList.Items) != 1 {
-		retErr := errors.New("did not find exactly one DS")
-		l.Error(retErr, "Expected to find 1 DS", "len(dsList.Items)", len(spodDSList.Items))
+	if err := r.client.Get(ctx, spodName, &spodDS); err != nil {
+		l.Error(err, "Unable to retrieve spod daemonset")
 
-		return nil, fmt.Errorf("listing DS: %w", retErr)
+		return nil, fmt.Errorf("cannot Get DS: %w", err)
 	}
 
-	return &spodDSList.Items[0], nil
+	return &spodDS, nil
 }
 
 func (r *StatusReconciler) getProfileFromStatus(

diff --git a/internal/pkg/manager/workloadannotator/workloadannotator.go b/internal/pkg/manager/workloadannotator/workloadannotator.go
@@ -148,7 +148,7 @@ func (r *PodReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 
 	// pod is being created or updated so ensure it is linked to a selinux profile
 	for _, profileIndex := range getSelinuxProfilesFromPod(ctx, r, pod) {
-		profileSuffix := "_" + pod.GetNamespace() + ".process"
+		profileSuffix := ".process"
 		profileName := strings.TrimSuffix(profileIndex, profileSuffix)
 
 		selinuxProfile := &selinuxprofileapi.SelinuxProfile{}
@@ -371,7 +371,7 @@ func isOperatorSelinuxType(ctx context.Context, r *PodReconciler, se *corev1.SEL
 		return false
 	}
 
-	suffix := "_" + ns + ".process"
+	suffix := ".process"
 	selinuxProfileName := strings.TrimSuffix(se.Type, suffix)
 
 	if selinuxProfileName != se.Type {

diff --git a/internal/pkg/translator/obj2cil.go b/internal/pkg/translator/obj2cil.go
@@ -79,7 +79,7 @@ func Object2CIL(
 }
 
 func getCILStart(sp *selxv1alpha2.SelinuxProfile) string {
-	return fmt.Sprintf("(block %s_%s\n", sp.GetName(), sp.GetNamespace())
+	return fmt.Sprintf("(block %s\n", sp.GetName())
 }
 
 func getCILInheritline(i string) string {

diff --git a/internal/pkg/translator/obj2cil_test.go b/internal/pkg/translator/obj2cil_test.go
@@ -40,8 +40,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test errorlogger translation with system inheritance",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo",
-					Namespace: "bar",
+					Name: "foo-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -85,7 +84,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo_bar",
+				"\\(block foo-bar",
 				"\\(blockinherit container\\)",
 				// We match on several lines since we don't care about the order
 				"\\(allow process var_log_t \\( dir \\(.*open.*\\)\\)\\)\n",
@@ -107,8 +106,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test translation with @self",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-selinux-recording-nginx",
-					Namespace: "default",
+					Name: "test-selinux-recording-nginx",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -142,13 +140,13 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block test-selinux-recording-nginx_default",
+				"\\(block test-selinux-recording-nginx",
 				"\\(blockinherit container\\)",
 				// We match on several lines since we don't care about the order
 				"\\(allow process http_port_t \\( tcp_socket \\(.*name_bind.*\\)\\)\\)\n",
 				"\\(allow process node_t \\( tcp_socket \\(.*name_bind.*\\)\\)\\)\n",
 				"\\(allow process proc_t \\( filesystem \\(.*associate.*\\)\\)\\)\n",
-				"\\(allow process test-selinux-recording-nginx_default.process \\( tcp_socket " +
+				"\\(allow process test-selinux-recording-nginx.process \\( tcp_socket " +
 					"\\(.*listen.*\\)\\)\\)\n",
 			},
 			inheritsys: []string{
@@ -159,8 +157,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test successful inherit reference",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-selinux-recording-nginx",
-					Namespace: "default",
+					Name: "test-selinux-recording-nginx",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -179,8 +176,8 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block test-selinux-recording-nginx_default",
-				"\\(blockinherit foo_default\\)",
+				"\\(block test-selinux-recording-nginx",
+				"\\(blockinherit foo\\)",
 				"\\(allow process http_port_t \\( tcp_socket \\(.*name_bind.*\\)\\)\\)\\n",
 			},
 			doNotMatch: []string{
@@ -189,8 +186,7 @@ func TestObject2CIL(t *testing.T) {
 			inheritobjs: []selxv1alpha2.SelinuxProfileObject{
 				&selxv1alpha2.SelinuxProfile{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      "foo",
-						Namespace: "default",
+						Name: "foo",
 					},
 				},
 			},
@@ -199,8 +195,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test errorlogger translation with permissive mode",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo-permissive",
-					Namespace: "bar",
+					Name: "foo-permissive-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Permissive: true,
@@ -245,7 +240,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo-permissive_bar",
+				"\\(block foo-permissive-bar",
 				"\\(blockinherit container\\)",
 				"\\(typepermissive process\\)",
 				// We match on several lines since we don't care about the order
@@ -268,8 +263,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test translation with another template than container",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo",
-					Namespace: "bar",
+					Name: "foo-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -293,7 +287,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo_bar",
+				"\\(block foo-bar",
 				"\\(blockinherit container\\)",
 				"\\(blockinherit net_container\\)",
 				// We match on several lines since we don't care about the order