selinux mode is maybe not enabled by default?

[dmeiselman]

Environment: Rocky 8.8 'server' only fresh install, internet connected. Freshly collected airgap zst, moved to another internet connected host in my lab. I'm seeing a failure during the rke2-selinux-0.11-1.el8.noarch install step.

[root@cluster2-node1 rancher]#  yum install -y /opt/rancher/rke2_$RKE_VERSION/rke2-common-$RKE_VERSION.rke2r1-0.x86_64.rpm /opt/rancher/rke2_$RKE_VERSION/rke2-selinux-0.11-1.el8.noarch.rpm
.. snip ..
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                          1/1
  Running scriptlet: rke2-selinux-0.11-1.el8.noarch                                                                                                                                                                           1/2
  Installing       : rke2-selinux-0.11-1.el8.noarch                                                                                                                                                                           1/2
  Running scriptlet: rke2-selinux-0.11-1.el8.noarch                                                                                                                                                                           1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/400/rke2/cil:324
Failed to generate binary
semodule:  Failed!

  Installing       : rke2-common-1.24.13~rke2r1-0.x86_64                                                                                                                                                                      2/2
  Running scriptlet: rke2-selinux-0.11-1.el8.noarch                                                                                                                                                                           2/2
  Verifying        : rke2-common-1.24.13~rke2r1-0.x86_64                                                                                                                                                                      1/2
  Verifying        : rke2-selinux-0.11-1.el8.noarch                                                                                                                                                                           2/2

Installed:
  rke2-common-1.24.13~rke2r1-0.x86_64                                                                                rke2-selinux-0.11-1.el8.noarch

Complete!

after this step rke2-server.service hangs and fails with a few errors - chief among them is that etcd fails to start, and it complains that RKE2 is not running in selinux mode

msg="Container for etcd not found (no matching container found), retrying"

msg="SELinux is enabled on this host, but rke2 has not been started with --selinux - containerd SELinux support is disabled"

I was able to get it working by adding

selinux: true

to /etc/rancher/rke2/rke2.yaml

Hope this tells you something helpful! Please let me know if there's any further logs or details that i can share that may be helpful.

[dmeiselman]

I think this was a misconfiguration on my end. I'm going to confirm that this is broken and reopen if relevant.

[clemenko]

There have been several upstream selinux bugs https://github.com/rancher/rke2-selinux/issues/36 and https://github.com/rancher/rke2-selinux/issues/43 for longhorn. I will update the script when all the bugs are squashed. Cool?

[dmeiselman]

I wasn't aware of the upstream bugs, this explains why I came to the conclusion that the problem was in my config!

Thanks for the update, much appreciated.

On Thu, Jun 1, 2023, 9:36 PM Andy Clemenko @.***> wrote:

There have been several upstream selinux bugs rancher/rke2-selinux#36 https://github.com/rancher/rke2-selinux/issues/36 and rancher/rke2-selinux#43 https://github.com/rancher/rke2-selinux/issues/43 for longhorn. I will update the script when all the bugs are squashed. Cool?

— Reply to this email directly, view it on GitHub https://github.com/clemenko/rke_airgap_install/issues/5#issuecomment-1573005523, or unsubscribe https://github.com/notifications/unsubscribe-auth/AK7RE32NZZJRXXWR645CXFLXJE7R7ANCNFSM6AAAAAAYV364NA . You are receiving this because you modified the open/close state.Message ID: @.***>