From 5f75c39cb0e50faa72444c0432082b2255e1c006 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 17 Oct 2022 11:25:10 -0400
Subject: [PATCH] Fix SELinux PodSecurity message when only user or role are set
---
 .../policy/check_seLinuxOptions.go | 12 +++----
 .../policy/check_seLinuxOptions_test.go | 36 +++++++++++++++++++
 2 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
index 0a654352252..ec832ac5c80 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions.go
@@ -137,12 +137,12 @@ func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec)
 pluralize("type", "types", len(badTypes)),
 joinQuote(badTypes.List()),
 ))
- if setUser {
- badData = append(badData, "user may not be set")
- }
- if setRole {
- badData = append(badData, "role may not be set")
- }
+ }
+ if setUser {
+ badData = append(badData, "user may not be set")
+ }
+ if setRole {
+ badData = append(badData, "role may not be set")
 }
 return CheckResult{
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
index 20bc46d9435..30fb325d3ba 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seLinuxOptions_test.go
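Review bot: The first added `+ }` closes an `if` whose opening line lies before the hunk (the `len(badTypes)`-guarded block, judging by the `pluralize("type", ...)` context), and nothing at the new `if setUser` / `if setRole` lines records that they are deliberately placed outside that block — which is exactly the nesting that produced the empty detail string this commit fixes. A one-line why-comment above `if setUser` would keep a future tidy-up from re-nesting them: `// user and role are reported independently of type: a setter that only sets one of them must still yield a non-empty detail string.` Note that the hunk shows only the detail string being assembled; whether a user-only or role-only pod was already rejected before this change depends on the `Allowed` field in the `return CheckResult{` that runs past the end of the hunk, so this reads as a message fix rather than an enforcement fix unless that return is checked too. seLinuxOptions_1_0 begins before the hunk and its body continues after it.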
@@ -118,6 +118,42 @@ func TestSELinuxOptions(t *testing.T) {
 expectReason: `seLinuxOptions`,
 expectDetail: `containers "d", "e", "f" set forbidden securityContext.seLinuxOptions: type "bar"; user may not be set; role may not be set`,
 },
+ {
+ name: "bad type",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ SELinuxOptions: &corev1.SELinuxOptions{
+ Type: "bad",
+ },
+ },
+ }},
+ expectReason: `seLinuxOptions`,
+ expectDetail: `pod set forbidden securityContext.seLinuxOptions: type "bad"`,
+ },
+ {
+ name: "bad user",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ SELinuxOptions: &corev1.SELinuxOptions{
+ User: "bad",
+ },
+ },
+ }},
+ expectReason: `seLinuxOptions`,
+ expectDetail: `pod set forbidden securityContext.seLinuxOptions: user may not be set`,
+ },
+ {
+ name: "bad role",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ SELinuxOptions: &corev1.SELinuxOptions{
+ Role: "bad",
+ },
+ },
+ }},
+ expectReason: `seLinuxOptions`,
+ expectDetail: `pod set forbidden securityContext.seLinuxOptions: role may not be set`,
+ },
 }
 for _, tc := range tests {
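Review bot: The three added cases ("bad type", "bad user", "bad role") all set `SELinuxOptions` on the pod-level `SecurityContext`, so the user-only and role-only regression is pinned only for the pod path; the only container-level coverage visible is the combined case above them (`containers "d", "e", "f" ... type "bar"; user may not be set; role may not be set`), which sets all three fields and would have produced a message even before the fix. A container-level case that sets only `User` would confirm the fix for the per-container path as well, since that path is presumably what the combined case exercises. The expected detail below assumes the singular form is `container "a"`; confirm that against whatever helper produced `containers "d", "e", "f"` in the existing expectation. The `tests` slice and `TestSELinuxOptions` begin before the hunk and the range loop body continues after it.
```go
		{
			name: "container bad user",
			pod: &corev1.Pod{Spec: corev1.PodSpec{
				Containers: []corev1.Container{
					{Name: "a", SecurityContext: &corev1.SecurityContext{
						SELinuxOptions: &corev1.SELinuxOptions{User: "bad"},
					}},
				},
			}},
			expectReason: `seLinuxOptions`,
			expectDetail: `container "a" set forbidden securityContext.seLinuxOptions: user may not be set`,
		},
```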