ssc: update correct SELinux option

set the SSC with the correct SELinux option,
given we use custom policy or not.

Signed-off-by: Talor Itzhak <[email protected]>

controllers/numaresourcesoperator_controller.go

@@ -481,6 +481,7 @@ func (r *NUMAResourcesOperatorReconciler) syncNUMAResourcesOperatorResources(ctx
 		}
 		rteupdate.DaemonSetHashAnnotation(r.RTEManifests.DaemonSet, cmHash)
 	}
+	rteupdate.SecurityContextConstraintSetSELinuxOption(r.RTEManifests.SecurityContextConstraint, instance.IsCustomPolicyEnabled())
 
 	existing := rtestate.FromClient(ctx, r.Client, r.Platform, r.RTEManifests, instance, trees, r.Namespace)
 	for _, objState := range existing.State(r.RTEManifests, instance, daemonsetUpdater) {

pkg/objectupdate/rte/rte.go

@@ -25,6 +25,9 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/klog/v2"
 
+	securityv1 "github.com/openshift/api/security/v1"
+
+	"github.com/k8stopologyawareschedwg/deployer/pkg/assets/selinux"
 	"github.com/k8stopologyawareschedwg/deployer/pkg/flagcodec"
 	k8swgobjupdate "github.com/k8stopologyawareschedwg/deployer/pkg/objectupdate"
 	k8swgrteupdate "github.com/k8stopologyawareschedwg/deployer/pkg/objectupdate/rte"
@@ -219,6 +222,15 @@ func AddVolumeMountMemory(podSpec *corev1.PodSpec, cnt *corev1.Container, mountN
 	)
 }
 
+func SecurityContextConstraintSetSELinuxOption(scc *securityv1.SecurityContextConstraints, legacyRTEContext bool) {
+	if legacyRTEContext {
+		scc.SELinuxContext.SELinuxOptions.Type = selinux.RTEContextTypeLegacy
+		return
+	}
+	scc.SELinuxContext.SELinuxOptions.Type = selinux.RTEContextType
+
+}
+
 func isPodFingerprintEnabled(conf *nropv1.NodeGroupConfig) (bool, string) {
 	cfg := nropv1.DefaultNodeGroupConfig()
 	if conf == nil || conf.PodsFingerprinting == nil {