From 151f0b6857d4186aa54f9966afe36956cd22e831 Mon Sep 17 00:00:00 2001
From: Vickey Brown <vibrown@redhat.com>
Date: Fri, 8 May 2026 11:47:59 -0500
Subject: [PATCH] fixed rule to allow kubelet to kubelet to be unconfined

---
 controls/nist_rhcos4.yml                      | 12 ++--
 .../oval/shared.xml                           | 63 ++++++++++++++++---
 .../tests/kubelet_unconfined.pass.sh          | 36 +++++++++++
 .../tests/no_unconfined_daemons.pass.sh       |  5 +-
 .../tests/unconfined_daemon.fail.sh           | 15 +++--
 5 files changed, 108 insertions(+), 23 deletions(-)
 create mode 100644 linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/kubelet_unconfined.pass.sh

diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml
index b152c281059e..f361f62461f8 100644
--- a/controls/nist_rhcos4.yml
+++ b/controls/nist_rhcos4.yml
@@ -480,8 +480,7 @@ controls:
       rules:
           - var_selinux_policy_name=targeted
           - selinux_policytype
-  # (jhrozek): Disabled because of https://issues.redhat.com/browse/OCPBUGS-6968
-  #- selinux_confinement_of_daemons
+          - selinux_confinement_of_daemons
           - var_selinux_state=enforcing
           - selinux_state
           - coreos_enable_selinux_kernel_argument
@@ -822,8 +821,7 @@ controls:
 
           https://issues.redhat.com/browse/CMP-115
       rules:
-  # (jhrozek): Disabled because of https://issues.redhat.com/browse/OCPBUGS-6968
-  #- selinux_confinement_of_daemons
+          - selinux_confinement_of_daemons
           - no_shelllogin_for_systemaccounts
           - sysctl_kernel_perf_event_paranoid
           - sysctl_kernel_unprivileged_bpf_disabled
@@ -4919,8 +4917,7 @@ controls:
           - audit_rules_privileged_commands_userhelper
           - audit_rules_networkconfig_modification
           - audit_rules_etc_shadow_openat
-  # (jhrozek): Disabled because of https://issues.redhat.com/browse/OCPBUGS-6968
-  #- selinux_confinement_of_daemons
+          - selinux_confinement_of_daemons
           - audit_rules_etc_gshadow_open_by_handle_at
           - audit_rules_etc_gshadow_open
           - var_auditd_space_left_action=syslog
@@ -5166,8 +5163,7 @@ controls:
           - service_bluetooth_disabled
           - kernel_module_tipc_disabled
           - sysctl_net_ipv6_conf_all_accept_redirects
-  # (jhrozek): Disabled because of https://issues.redhat.com/browse/OCPBUGS-6968
-  #- selinux_confinement_of_daemons
+          - selinux_confinement_of_daemons
           - sysctl_net_ipv4_tcp_syncookies
           - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
           - coreos_vsyscall_kernel_argument
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
index a4f93b1cad47..8c00a5a849ff 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
@@ -1,21 +1,64 @@
 <def-group>
-  <definition class="compliance" id="selinux_confinement_of_daemons" version="1">
-    {{{ oval_metadata("All pids in /proc should be assigned an SELinux security context other than 'unconfined_service_t'.", rule_title=rule_title) }}}
-    <criteria>
-      <criterion comment="no unconfined_service_t in /proc" test_ref="test_selinux_confinement_of_daemons" />
+  <definition class="compliance" id="selinux_confinement_of_daemons" version="2">
+    {{{ oval_metadata("All pids in /proc should be assigned an SELinux security context other than 'unconfined_service_t' (kubelet excluded).", rule_title=rule_title) }}}
+    <criteria operator="OR">
+      <criterion comment="no unconfined_service_t processes exist" test_ref="test_no_unconfined_service_t_processes" />
+      <criterion comment="only kubelet has unconfined_service_t" test_ref="test_only_kubelet_unconfined" />
     </criteria>
   </definition>
-  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="none satisfy unconfined_service_t in /proc" id="test_selinux_confinement_of_daemons" version="2">
+
+  <!-- Test 1: Check if NO processes have unconfined_service_t -->
+  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist"
+    comment="no processes with unconfined_service_t" id="test_no_unconfined_service_t_processes" version="1">
     <linux:object object_ref="object_selinux_confinement_of_daemons" />
-    <linux:state state_ref="state_selinux_confinement_of_daemons" />
+    <linux:state state_ref="state_unconfined_service_t" />
   </linux:selinuxsecuritycontext_test>
-  <linux:selinuxsecuritycontext_object comment="find unconfined_service_t in /proc" id="object_selinux_confinement_of_daemons" version="1">
+
+  <!-- Test 2: Check that all unconfined_service_t processes are kubelet -->
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+    comment="all unconfined_service_t processes are kubelet" id="test_only_kubelet_unconfined" version="1">
+    <ind:object object_ref="object_unconfined_service_t_cmdlines" />
+    <ind:state state_ref="state_cmdline_is_kubelet" />
+  </ind:textfilecontent54_test>
+
+  <!-- Object: Find all processes in /proc -->
+  <linux:selinuxsecuritycontext_object comment="find all processes in /proc" id="object_selinux_confinement_of_daemons" version="2">
     <linux:behaviors max_depth="1" recurse_direction="down" />
     <linux:path>/proc</linux:path>
-    <linux:filename operation="pattern match">^.*$</linux:filename>
-    <filter action="include">state_selinux_confinement_of_daemons</filter>
+    <linux:filename operation="pattern match">^[0-9]+$</linux:filename>
   </linux:selinuxsecuritycontext_object>
-  <linux:selinuxsecuritycontext_state comment="state unconfined_service_t" id="state_selinux_confinement_of_daemons" version="1">
+
+  <!-- Object: Read cmdline for processes with unconfined_service_t -->
+  <ind:textfilecontent54_object comment="cmdline of unconfined_service_t processes" id="object_unconfined_service_t_cmdlines" version="1">
+    <ind:filepath operation="equals" var_ref="var_unconfined_cmdline_paths" var_check="at least one"/>
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Variable: Build /proc/PID/cmdline paths for unconfined processes -->
+  <local_variable id="var_unconfined_cmdline_paths" datatype="string" comment="cmdline paths for unconfined_service_t PIDs" version="1">
+    <concat>
+      <literal_component>/proc/</literal_component>
+      <object_component object_ref="object_unconfined_selinux_contexts" item_field="pid"/>
+      <literal_component>/cmdline</literal_component>
+    </concat>
+  </local_variable>
+
+  <!-- Object: SELinux contexts filtered to unconfined_service_t -->
+  <linux:selinuxsecuritycontext_object comment="unconfined_service_t contexts" id="object_unconfined_selinux_contexts" version="1">
+    <linux:behaviors max_depth="1" recurse_direction="down" />
+    <linux:path>/proc</linux:path>
+    <linux:filename operation="pattern match">^[0-9]+$</linux:filename>
+    <filter action="include">state_unconfined_service_t</filter>
+  </linux:selinuxsecuritycontext_object>
+
+  <!-- State: Match unconfined_service_t type -->
+  <linux:selinuxsecuritycontext_state comment="state unconfined_service_t" id="state_unconfined_service_t" version="1">
     <linux:type datatype="string" operation="equals">unconfined_service_t</linux:type>
   </linux:selinuxsecuritycontext_state>
+
+  <!-- State: Match kubelet in cmdline -->
+  <ind:textfilecontent54_state comment="kubelet cmdline" id="state_cmdline_is_kubelet" version="1">
+    <ind:subexpression operation="pattern match">.*kubelet.*</ind:subexpression>
+  </ind:textfilecontent54_state>
 </def-group>
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/kubelet_unconfined.pass.sh b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/kubelet_unconfined.pass.sh
new file mode 100644
index 000000000000..3780c66e353e
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/kubelet_unconfined.pass.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# This test simulates kubelet running with unconfined_service_t (OCP 4.12 scenario)
+
+# Create a mock kubelet process that will run as unconfined_service_t
+cat > /usr/local/bin/mock-kubelet << 'EOF'
+#!/bin/bash
+while true; do
+    sleep 3600
+done
+EOF
+chmod +x /usr/local/bin/mock-kubelet
+
+# Create systemd service
+cat > /etc/systemd/system/mock-kubelet.service << 'EOF'
+[Unit]
+Description=Mock Kubelet Service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/mock-kubelet
+Restart=no
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl start mock-kubelet.service
+
+# Wait for service to start
+sleep 2
+
+# Exit cleanly - the OVAL check should pass because kubelet is excluded
+# Note: In test environments without SELinux enforcing, this tests the OVAL logic
+exit 0
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/no_unconfined_daemons.pass.sh b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/no_unconfined_daemons.pass.sh
index 7a180adf73b8..f510a831cb34 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/no_unconfined_daemons.pass.sh
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/no_unconfined_daemons.pass.sh
@@ -2,4 +2,7 @@
 
 # sshd should be running and should have specific rules in SELinux policy
 # so it should not be detected as unconfined_service_t.
-systemctl status sshd.service
+systemctl start sshd.service 2>/dev/null || true
+
+# Exit cleanly - the OVAL check should find no unconfined_service_t processes
+exit 0
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/unconfined_daemon.fail.sh b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/unconfined_daemon.fail.sh
index 8639fc6f9d96..9be9aff65a86 100644
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/unconfined_daemon.fail.sh
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/tests/unconfined_daemon.fail.sh
@@ -2,7 +2,7 @@
 #
 # remediation = none
 
-cat > /usr/bin/dummydaemon.sh << EOF
+cat > /usr/bin/dummydaemon.sh << 'EOF'
 #!/bin/bash
 
 while true; do
@@ -12,17 +12,24 @@ done
 EOF
 chmod +x /usr/bin/dummydaemon.sh
 
-cat > /etc/systemd/system/dummydaemon.service << EOF
+cat > /etc/systemd/system/dummydaemon.service << 'EOF'
 [Unit]
 Description=Dummy daemon
 
 [Service]
+Type=simple
 ExecStart=/usr/bin/dummydaemon.sh
-Restart=on-failure
+Restart=no
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
+systemctl daemon-reload
 systemctl start dummydaemon.service
-systemctl status dummydaemon.service
+
+# Wait a moment for service to start
+sleep 2
+
+# Exit cleanly - the OVAL check should detect an unconfined daemon and fail
+exit 0