From bcc6bb8ec97edf335555dca22a6440d139dd8782 Mon Sep 17 00:00:00 2001
From: Marat Salakhutdinov
Date: Wed, 22 Oct 2025 12:29:10 -0500
Subject: [PATCH] set seLinuxOptions type to control_t for unprivleged deployemnt of the host shield to be able to support response actions on BottleRocket
---
 charts/shield/Chart.yaml | 2 +-
 charts/shield/templates/host/_helpers.tpl | 2 ++
 charts/shield/tests/host/daemonset_test.yaml | 2 ++
 charts/shield/tests/host/security_context_test.yaml | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 9b315199c..b7ecbae0f 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.21.2
+version: 1.21.3
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
index 3e70e0805..5b0527754 100644
--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -201,6 +201,8 @@ capabilities:
 allowPrivilegeEscalation: false
 seccompProfile:
 type: Unconfined
+seLinuxOptions:
+ type: control_t
 capabilities:
 drop:
 - ALL
diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml
index 7152f1fe1..4b58861c4 100644
--- a/charts/shield/tests/host/daemonset_test.yaml
+++ b/charts/shield/tests/host/daemonset_test.yaml
@@ -96,6 +96,8 @@ tests:
 allowPrivilegeEscalation: false
 seccompProfile:
 type: Unconfined
+ seLinuxOptions:
+ type: control_t
 capabilities:
 drop:
 - ALL
diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml
index 7364ead9b..0a24e5e03 100644
--- a/charts/shield/tests/host/security_context_test.yaml
+++ b/charts/shield/tests/host/security_context_test.yaml
@@ -47,6 +47,8 @@ tests:
 allowPrivilegeEscalation: false
 seccompProfile:
 type: Unconfined
+ seLinuxOptions:
+ type: control_t
 - isNotSubset:
 path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
 content:
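Review bot: The `seLinuxOptions: type: control_t` added after `seccompProfile` in the _helpers.tpl hunk is emitted unconditionally, so every unprivileged host-shield pod now requests a Bottlerocket-specific SELinux domain even on hosts whose policy does not define that type, where an enforcing SELinux host may refuse to start the container rather than ignore the label. The enclosing template define starts and ends outside the hunk, so I cannot tell whether a values toggle already wraps it; if not, I would gate the two lines, e.g. `{{- if .Values.<BOTTLEROCKET_TOGGLE placeholder> }}` … `{{- end }}`, and add a comment above them such as `# control_t: Bottlerocket's control-container SELinux domain, needed for response actions; broader than the default container_t`. Since the same securityContext already runs with `seccompProfile.type: Unconfined`, the widened SELinux boundary deserves a line in the chart's values documentation so operators know what the unprivileged deployment now asks for. The same unconditional value is pinned by daemonset_test.yaml and security_context_test.yaml in this patch, which would need a case for each branch if the option becomes conditional.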