What happened:
When applying an SelinuxProfile to a K8s cluster running the security-profiles-operator, the semodule process on the node uses 100% CPU. This appears to be caused by the operator constantly detecting a drift between the applied policy on the node and what is stored in the CRD. For each detection of a drift, the operator attempts to install the policy again. However, since the operator does not currently care about order in the SELinux policy, it changes each time, which triggers another drift. Since the policy is constantly changing, semodule runs constantly and attempts to install the SELinux policy.
What you expected to happen:
The operator to only install / change the policy if the upstream CRD has changed, and therefore semodule only runs for an actually changed policy.
How to reproduce it (as minimally and precisely as possible):
Apply an SelinuxProfile CRD with SELinux in enforcement mode.
Anything else we need to know?:
no
Environment:
RHEL8
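The reinstall loop described in this report, and an order-insensitive drift check that stops it, as an added Go example that is not code from security-profiles-operator. All function names and the CIL-like sample statements are constructed, and it assumes one statement per line with no meaning attached to statement order.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Added example; every identifier here is hypothetical, not the operator's API.
// canonicalDigest hashes the statements trimmed and sorted, so renderings that
// differ only in order match. Assumption: one statement per line, order-free.
func canonicalDigest(policy string) [32]byte {
	var stmts []string
	for _, line := range strings.Split(policy, "\n") {
		if s := strings.TrimSpace(line); s != "" {
			stmts = append(stmts, s)
		}
	}
	sort.Strings(stmts)
	return sha256.Sum256([]byte(strings.Join(stmts, "\n")))
}

// naiveDrift reports drift on any byte difference, including a reordering.
func naiveDrift(desired, installed string) bool { return desired != installed }

// canonicalDrift reports drift only when the set of statements differs.
func canonicalDrift(d, i string) bool { return canonicalDigest(d) != canonicalDigest(i) }

// countInstalls simulates reconciling: every detected drift costs one install.
func countInstalls(renders []string, drift func(desired, installed string) bool) int {
	installed, installs := "", 0
	for _, r := range renders {
		if drift(r, installed) {
			installed, installs = r, installs+1
		}
	}
	return installs
}

// Constructed renderings: A and B hold the same rules in a different order.
const (
	renderA = "(allow process var_log_t (file (open read)))\n(allow process var_log_t (dir (search)))"
	renderB = "(allow process var_log_t (dir (search)))\n(allow process var_log_t (file (open read)))"
	renderC = renderB + "\n(allow process var_log_t (file (append)))" // a real change
)

func main() {
	renders := []string{renderA, renderB, renderA, renderB, renderC}
	fmt.Println("installs naive/canonical:", countInstalls(renders, naiveDrift), countInstalls(renders, canonicalDrift))
}
```

With the byte-wise comparison every reconcile of a reordered rendering triggers an install, while the canonical comparison installs once and again only when a rule is actually added.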