CMP-3628: fixed rule to allow kubelet to kubelet to be unconfined

[vickeybrown]

Description:

Re-enable selinux_confinement_of_daemons rule for RHCOS4 with kubelet
exclusion. This rule was temporarily disabled in February 2023 because kubelet
ran with unconfined_service_t in OCP 4.12, causing the rule to fail. This
PR updates the OVAL check to exclude kubelet processes, allowing the rule to
pass whether kubelet runs as unconfined_service_t (OCP 4.12) or kubelet_t
(OCP 4.13+).

The OVAL check now uses an OR condition:

1. Pass if NO processes have unconfined_service_t
2. Pass if all unconfined_service_t processes are kubelet

Rationale:

Disabling the rule completely means that ANY daemon could run unconfined
without triggering a compliance failure. By re-enabling the rule with a
kubelet exclusion, we restore security coverage while accounting for kubelet's
legitimate use of unconfined_service_t in OCP 4.12.

Fixes https://redhat.atlassian.net/browse/CMP-3628

Review Hints:

• Test on OCP 4.12 cluster (where kubelet has unconfined_service_t):

  • Verify: ps -eZ | grep kubelet shows system_u:system_r:unconfined_service_t:s0

• Test on OCP 4.13+ cluster (where kubelet has kubelet_t):

  • Verify: ps -eZ | grep kubelet shows system_u:system_r:kubelet_t:s0

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons' differs.
--- oval:ssg-selinux_confinement_of_daemons:def:1
+++ oval:ssg-selinux_confinement_of_daemons:def:1
@@ -1,2 +1,3 @@
-criteria AND
-criterion oval:ssg-test_selinux_confinement_of_daemons:tst:1
+criteria OR
+criterion oval:ssg-test_no_unconfined_service_t_processes:tst:1
+criterion oval:ssg-test_only_kubelet_unconfined:tst:1

[Mab879]

$ ./automatus.py rule --datastream ../build/ssg-rhel9-ds.xml [vm name] --remediate-using bash selinux_confinement_of_daemons
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/github.com/ComplianceAsCode/content/tests/logs/rule-custom-2026-05-08-1354/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
INFO - Script kubelet_unconfined.pass.sh using profile (all) OK
INFO - Script no_unconfined_daemons.pass.sh using profile (all) OK
ERROR - Script unconfined_daemon.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons'.

Please double check the tests for this rule.

[openshift-ci]

@vickeybrown: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	151f0b6	link	true	/test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.