
CNF-22621: RAN Hardening (4.23) - Audit SELinux (M4)#675

Open
sebrandon1 wants to merge 1 commit into openshift-kni:main from sebrandon1:compliance/4.22/m4-audit-selinux

Conversation

@sebrandon1 (Contributor)

Summary

  • MEDIUM severity SELinux audit rules (6 rules) for chcon, restorecon, semanage, setfiles, setsebool, seunshare
  • Verified on OCP 4.22 (cnfdt16) — all 6 rules active via auditctl -l

Remediation Group

Jira

Test plan

  • Applied MachineConfig to OCP 4.22 cluster
  • Verified all 6 SELinux audit rules active via auditctl -l
  • MCP rollout completed without errors

@openshift-ci-robot (Collaborator) commented Mar 24, 2026

@sebrandon1: This pull request references CNF-22621 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


@openshift-ci openshift-ci bot requested a review from cgoncalves March 24, 2026 20:35
@openshift-ci bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign irinamihai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested a review from yanirq March 24, 2026 20:35
@sebrandon1 sebrandon1 force-pushed the compliance/4.22/m4-audit-selinux branch 2 times, most recently from 3aa2fb9 to da5bc6f Compare March 25, 2026 20:30
@coderabbitai bot commented Mar 25, 2026

Walkthrough

Two new OpenShift MachineConfig resources are added to configure SELinux audit logging on cluster nodes. The configurations write audit rules targeting SELinux-related commands (chcon, restorecon, semanage, setfiles, setsebool, seunshare) with privilege filtering, deployed separately for master and worker node roles.

Changes

Cohort: SELinux Audit Configuration
Files: telco-ran/configuration/machineconfigs/audit/75-audit-selinux-master.yaml, telco-ran/configuration/machineconfigs/audit/75-audit-selinux-worker.yaml
Summary: New MachineConfig resources that deploy identical SELinux audit rules to master and worker nodes via Ignition v3.5.0, filtering on auid>=1000 (excluding auid=unset) with key=privileged tagging.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks: 3 passed

  • Title check: Passed. The title clearly and specifically describes the main change: adding SELinux audit rules (M4) for RAN hardening in version 4.23, matching the changeset's two new MachineConfig resources.
  • Description check: Passed. The description is directly related to the changeset, detailing the six SELinux audit rules being added, verification on OCP 4.22, and test plan completion.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@sebrandon1 sebrandon1 force-pushed the compliance/4.22/m4-audit-selinux branch from da5bc6f to 0475bb6 Compare March 26, 2026 20:21
@coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
telco-ran/configuration/machineconfigs/audit/75-audit-selinux-master.yaml (1)

23-23: ⚠️ Potential issue | 🟡 Minor

Same stale versioned documentation reference as worker manifest.

This file has the same .../versions/4.21/... link in the embedded payload; please align it with the target hardening release context exactly as in the worker manifest update.


📥 Commits

Reviewing files that changed from the base of the PR and between d65ce23 and 0475bb6.

📒 Files selected for processing (2)
  • telco-ran/configuration/machineconfigs/audit/75-audit-selinux-master.yaml
  • telco-ran/configuration/machineconfigs/audit/75-audit-selinux-worker.yaml

# -a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
# -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
# -a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
source: data:text/plain,%23%20M4%3A%20Audit%20SELinux%20Commands%20%28E8%20Compliance%29%0A%23%20Documentation%3A%20https%3A%2F%2Fsebrandon1.github.io%2Fcompliance-scripts%2Fversions%2F4.21%2Fgroups%2FM4.html%0A%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fchcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Frestorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fsemanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fsetfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fsetsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
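Review bot: none of the six `-a always,exit -F path=... -F auid>=1000 -F auid!=unset -F key=privileged` rules in the encoded payload carries an `-F perm=x` filter, and no `-S` is given, so each rule matches any syscall that names the binary (a `stat` or `open` of /usr/sbin/semanage by a logged-in user is recorded the same as running it). If the intent is the usual privileged-command audit, add the execution filter to each rule, e.g. `-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`; otherwise say in the header comment that every access is meant to be logged. The header comment decoded from the same `source:` string still links .../compliance-scripts/versions/4.21/groups/M4.html while the PR title targets 4.23.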

⚠️ Potential issue | 🟡 Minor

Update the embedded documentation URL to the current release context.

The payload still points to .../versions/4.21/..., while this PR is for 4.22/4.23 hardening. Keeping an older versioned compliance link can create audit traceability confusion during evidence reviews. Please switch to the correct version (or a stable non-versioned reference).

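The manifest packs the whole rules file into a percent-encoded data: URL, which is hard to review by eye and is how the stale 4.21 documentation link slipped through. The Python below is an added example, not code from the PR or the openshift-kni repository: it rebuilds a payload of the same shape from a constructed copy of the six rules, round-trips it through the encoding Ignition expects, and lints the decoded text for the checks a reviewer of this manifest would want (each of the six SELinux binaries covered, the auid>=1000 / auid!=unset / key=privileged filters present, a perm=x execution filter, and the documentation link pinned to the intended release). The perm=x check follows the common privileged-command audit pattern and is my assumption about intent, not a requirement stated on this page; the rule text and expected paths are constructed here, not read from the repository.

```python
"""Decode and lint audit rules embedded in a MachineConfig 'source:' data: URL."""
import re
import urllib.parse

# Binaries the PR's six rules cover (RHEL/RHCOS paths); constructed from the PR text.
EXPECTED_PATHS = {
    "/usr/bin/chcon", "/usr/sbin/restorecon", "/usr/sbin/semanage",
    "/usr/sbin/setfiles", "/usr/sbin/setsebool", "/usr/sbin/seunshare",
}

# Constructed payload in the same shape as the PR's manifest (header comment,
# versioned doc link, six path rules). Rebuilt here for an offline check.
RULES_TEXT = (
    "# M4: Audit SELinux Commands (E8 Compliance)\n"
    "# Documentation: https://sebrandon1.github.io/compliance-scripts/versions/4.21/groups/M4.html\n"
    "\n"
    + "".join(
        f"-a always,exit -F path={p} -F auid>=1000 -F auid!=unset -F key=privileged\n"
        for p in sorted(EXPECTED_PATHS)
    )
)

FILTER_RE = re.compile(r"^(?P<field>\w+)(?P<op>>=|<=|!=|=|>|<)(?P<value>.+)$")
DOC_RE = re.compile(r"compliance-scripts/versions/(?P<ver>\d+\.\d+)/")


def encode_source(text: str) -> str:
    """Percent-encode a rules file into the 'source:' value Ignition expects."""
    return "data:text/plain," + urllib.parse.quote(text, safe="")


def decode_source(source: str) -> str:
    """Inverse of encode_source; rejects anything that is not a text/plain data: URL."""
    prefix = "data:text/plain,"
    if not source.startswith(prefix):
        raise ValueError("expected a text/plain data: URL")
    return urllib.parse.unquote(source[len(prefix):])


def parse_rule(line: str) -> list[tuple[str, str, str]]:
    """Split one '-a always,exit -F a=b ...' line into (field, op, value) filters."""
    tokens = line.split()
    if tokens[:2] != ["-a", "always,exit"] or len(tokens[2:]) % 2:
        raise ValueError(f"unsupported rule shape: {line}")
    filters = []
    for flag, expr in zip(tokens[2::2], tokens[3::2]):
        m = FILTER_RE.match(expr)
        if flag != "-F" or not m:
            raise ValueError(f"bad filter {flag} {expr!r} in: {line}")
        filters.append((m["field"], m["op"], m["value"]))
    return filters


def lint_rules(text: str, release: str) -> list[str]:
    """Return human-readable findings; an empty list means the payload is clean."""
    findings = []
    seen_paths = set()
    required = {("auid", ">=", "1000"), ("auid", "!=", "unset"), ("key", "=", "privileged")}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The header comment is the only place the doc link lives; check its version.
            m = DOC_RE.search(line)
            if m and m["ver"] != release:
                findings.append(f"doc link pinned to {m['ver']}, expected {release}")
            continue
        filters = parse_rule(line)
        path = next((v for f, _, v in filters if f == "path"), None)
        if path is None:
            findings.append(f"rule without -F path: {line}")
            continue
        seen_paths.add(path)
        for need in sorted(required - set(filters)):
            findings.append(f"{path}: missing -F {need[0]}{need[1]}{need[2]}")
        if ("perm", "=", "x") not in filters:
            # Without perm=x (and with no -S) the rule fires on any syscall naming the
            # path, e.g. stat/open, not only execution. Assumed intent: execution only.
            findings.append(f"{path}: no -F perm=x, rule is not limited to execution")
    for missing in sorted(EXPECTED_PATHS - seen_paths):
        findings.append(f"no rule for {missing}")
    return findings


if __name__ == "__main__":
    source = encode_source(RULES_TEXT)
    for finding in lint_rules(decode_source(source), "4.23"):
        print(finding)
```

Run against the constructed payload with release "4.23" it reports the stale 4.21 link plus one missing-perm=x finding per rule; with the link updated and `-F perm=x` added to each rule it reports nothing. Pasting a real `source:` value into `decode_source` is the quickest way to see what a manifest actually ships before it reaches a MachineConfigPool.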
