From a2e3f11d227e09aca5635c33870869cbca1d26a3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 7 Dec 2021 23:09:31 +0100 Subject: [PATCH] Add content about SELinux recording and moved selinuxd --- .../index.md | 30 +++++++++++++++---- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/content/en/blog/_posts/2021-12-13-security-profiles-operator-v0.4.0/index.md b/content/en/blog/_posts/2021-12-13-security-profiles-operator-v0.4.0/index.md index 8d70283e00..c85694824a 100644 --- a/content/en/blog/_posts/2021-12-13-security-profiles-operator-v0.4.0/index.md +++ b/content/en/blog/_posts/2021-12-13-security-profiles-operator-v0.4.0/index.md 
@@ -59,15 +59,33 @@ which has changed is that the seccomp profile type `Architectures` now points to ### SELinux enhancements - +Managing SELinux policies (an equivalent to using `semodule` that +you would normally call on a single server) is not done by SPO +itself, but by another container called selinuxd to provide better +isolation. This release switched to using selinuxd containers from +a personal reposiroty to images located under [our team's quay.io repository](https://quay.io/organization/security-profiles-operator). +The selinuxd repo has moved as well to [the containers github organization](https://github.com/containers/selinuxd). + +Please note that selinuxd links dynamically to libsemanage and mounts the +SELinux directories from the nodes, which means that the selinuxd container +must be running the same distribution as the cluster nodes. SPO defaults +to using CentOS-8 based containers, but we also build Fedora based ones. +If you are using another distribution and would like us to add support for +it, please file [an issue against selinuxd](https://github.com/containers/selinuxd/issues). #### Profile Recording - +This release adds support for recording of SELinux profiles. +The recording itself is managed via an instance of a `ProfileRecording` CR +as seen in an [example](https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/examples/profilerecording-selinux-logs.yaml) +in our repo and from user's point of view works pretty much the same as +recording of seccomp profiles. + +Under the hood, to know what the workload is doing SPO installs a special +permissive policy called [selinuxrecording](https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/deploy/base/profiles/selinuxrecording.cil) +on startup which allows everything and logs all AVCs to audit.log. +These AVC messages are scraped by the log enricher component and when +the recorded workload exits, the policy is created. #### `SELinuxProfile` CRD graduation
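Review bot: The Profile Recording paragraph should spell out what the permissive `selinuxrecording` policy means for the recorded workload: since the policy "allows everything and logs all AVCs", the workload is effectively unconfined by SELinux for the whole duration of the recording, so the text should advise running recordings only in a trusted, non-production environment, and "the policy is created" should say which object is created (presumably a `SELinuxProfile`, given the section that follows). Also fix the typos and grammar in the added lines: "reposiroty" should be "repository", "recording of SELinux profiles" reads better as "recording SELinux profiles", "from user's point of view" should be "from the user's point of view", and "Under the hood, to know what the workload is doing SPO installs" needs a comma after "doing".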