Conversation

@saschagrunert
Member

What type of PR is this?

/kind failing-test

What this PR does / why we need it:

Add SELinux policy module to allow systemd to run BPF programs from the container runtime context. This fixes container creation failures in Fedora 39 where crun would fail with "systemd failed to install eBPF device filter on cgroup" errors.

The fix involves installing a custom SELinux policy that grants init_t the prog_run permission for container_runtime_t BPF programs.

Also update nixpkgs to latest revision and migrate from libbpf_1 to libbpf in the nix derivations.

Which issue(s) this PR fixes:

None

Does this PR have tests?

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

None

Add SELinux policy module to allow systemd to run BPF programs from
the container runtime context. This fixes container creation failures
in Fedora 39 where crun would fail with "systemd failed to install
eBPF device filter on cgroup" errors.

The fix involves installing a custom SELinux policy that grants
init_t the prog_run permission for container_runtime_t BPF programs.

Also update nixpkgs to latest revision and migrate from libbpf_1 to
libbpf in the nix derivations.

Signed-off-by: Sascha Grunert <[email protected]>
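The PR text only describes the policy it installs ("grants init_t the prog_run permission for container_runtime_t BPF programs"); the module file itself is not shown on this page. The following is an added example, not the PR's or the project's own policy, of what such a module looks like and how it is compiled, loaded and checked with the standard SELinux tooling. The module name `spo_systemd_bpf`, the function names and the temporary paths are assumptions made for the example; the type names, the `bpf` object class and its `prog_run` permission are the ones named in the PR description.

```shell
#!/bin/sh
# Added example (not the PR's own policy file): a minimal SELinux policy
# module that lets systemd (init_t) run BPF programs owned by the container
# runtime (container_runtime_t), built with checkmodule/semodule_package and
# loaded with semodule. Module name and paths are assumptions.

MODULE_NAME="spo_systemd_bpf"

# write_policy OUTFILE: emit the type-enforcement (.te) source of the module.
write_policy() {
    cat > "$1" <<EOF
module ${MODULE_NAME} 1.0;

require {
    type init_t;
    type container_runtime_t;
    class bpf prog_run;
}

# systemd installs the eBPF device filter on the container cgroup, but the
# program is labelled after the runtime that loaded it; allow init_t to run it.
allow init_t container_runtime_t:bpf prog_run;
EOF
}

# policy_has_rule FILE: succeed if the allow rule is present in FILE.
policy_has_rule() {
    grep -q '^allow init_t container_runtime_t:bpf prog_run;' "$1"
}

# install_policy: compile the .te into a .pp and load it (root, policycoreutils).
install_policy() {
    tmp=$(mktemp -d) || return 1
    write_policy "$tmp/${MODULE_NAME}.te"
    checkmodule -M -m -o "$tmp/${MODULE_NAME}.mod" "$tmp/${MODULE_NAME}.te" || return 1
    semodule_package -o "$tmp/${MODULE_NAME}.pp" -m "$tmp/${MODULE_NAME}.mod" || return 1
    semodule -i "$tmp/${MODULE_NAME}.pp" || return 1
    rm -rf "$tmp"
}

# verify_policy: confirm the module is loaded and the rule is effective.
verify_policy() {
    semodule -l | grep -q "^${MODULE_NAME}" || return 1
    # sesearch (setools) prints the resolved allow rule from the loaded policy.
    sesearch -A -s init_t -t container_runtime_t -c bpf -p prog_run | grep -q prog_run
}

# Run as "sh spo-selinux-bpf.sh install" on the affected host; with no
# argument the script only defines the functions above.
case "${1:-}" in
    install) install_policy && verify_policy ;;
    *) : ;;
esac
```

On a host that shows the "systemd failed to install eBPF device filter on cgroup" error, the matching AVC denial (`ausearch -m AVC -ts recent`) piped into `audit2allow -M <name>` would produce essentially the same `allow` rule; writing the module by hand, as above, keeps it to the single permission the PR names instead of whatever else happened to be denied at the time. Note that the rule is deliberately narrow: it grants `prog_run` only, not `prog_load` or the map permissions, and only on programs labelled `container_runtime_t`.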
@k8s-ci-robot added the labels release-note-none (Denotes a PR that doesn't merit a release note), kind/failing-test (Categorizes issue or PR as related to a consistently or frequently failing test) and cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA) on Nov 25, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the labels approved (Indicates a PR has been approved by an approver from all required OWNERS files) and size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) on Nov 25, 2025
@saschagrunert
Member Author

/retest

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 24.15%. Comparing base (11d77f4) to head (09329bc).
⚠️ Report is 1045 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #3051       +/-   ##
===========================================
- Coverage   45.50%   24.15%   -21.35%     
===========================================
  Files          79      125       +46     
  Lines        7782    17770     +9988     
===========================================
+ Hits         3541     4293      +752     
- Misses       4099    13193     +9094     
- Partials      142      284      +142     

@saschagrunert
Member Author

@kubernetes-sigs/security-profiles-operator-maintainers PTAL

@saschagrunert added the label lgtm ("Looks good to me", indicates that a PR is ready to be merged) on Nov 28, 2025
@k8s-ci-robot merged commit afb3c81 into kubernetes-sigs:main on Nov 28, 2025
33 checks passed
@saschagrunert deleted the fix-vagrant-selinux-ebpf branch on November 28, 2025 07:54