dyrnq / kubeadm-vagrant

Run kubernetes cluster with kubeadm on vagrant.

exec container process `/docker-entrypoint.sh`: Permission denied #35

Closed dyrnq closed 2 years ago

dyrnq commented 2 years ago
2022-07-10T07:19:27.000814467Z: exec container process `/docker-entrypoint.sh`: Permission denied
crictl version
Version:  0.1.0
RuntimeName:  cri-o
RuntimeVersion:  1.23.3
RuntimeApiVersion:  v1alpha2
dyrnq commented 2 years ago
cat messages  |grep SELinux
Jul  9 23:30:12 localhost kernel: SELinux:  Initializing.
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability network_peer_controls=1
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability open_perms=1
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability extended_socket_class=1
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability always_check_network=0
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability cgroup_seclabel=1
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability nnp_nosuid_transition=1
Jul  9 23:30:14 localhost kernel: SELinux:  policy capability genfs_seclabel_symlinks=0
Jul  9 23:30:14 localhost systemd[1]: Successfully loaded SELinux policy in 51.392ms.
Jul 10 11:31:42 n210 kernel: SELinux:  Initializing.
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability network_peer_controls=1
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability open_perms=1
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability extended_socket_class=1
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability always_check_network=0
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability cgroup_seclabel=1
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability nnp_nosuid_transition=1
Jul 10 11:31:44 n210 kernel: SELinux:  policy capability genfs_seclabel_symlinks=0
Jul 10 11:31:44 n210 systemd[1]: Successfully loaded SELinux policy in 54.267ms.
Jul 10 15:13:46 n210 setroubleshoot[53280]: SELinux is preventing / from using the transition access on a process. For complete SELinux messages run: sealert -l 98c3e378-3292-4357-9a3f-20183bbc6b9f
Jul 10 15:13:46 n210 setroubleshoot[53280]: SELinux is preventing / from using the transition access on a process.#012#012*****  Plugin restorecon_source (99.5 confidence) suggests   *****************#012#012If you want to fix the label. #012/ default label should be default_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that  should be allowed transition access on processes labeled container_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '3' --raw | audit2allow -M my-3#012# semodule -X 300 -i my-3.pp#012
Jul 10 15:28:59 n210 setroubleshoot[60346]: SELinux is preventing / from using the transition access on a process. For complete SELinux messages run: sealert -l 421b1d71-4cc6-4895-a66b-c45080da95ef
Jul 10 15:28:59 n210 setroubleshoot[60346]: SELinux is preventing / from using the transition access on a process.#012#012*****  Plugin restorecon_source (99.5 confidence) suggests   *****************#012#012If you want to fix the label. #012/ default label should be default_t.#012Then you can run restorecon.#012Do#012# /sbin/restorecon -v /#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that  should be allowed transition access on processes labeled container_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '3' --raw | audit2allow -M my-3#012# semodule -X 300 -i my-3.pp#012
dyrnq commented 2 years ago
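# Persistently disable SELinux: rewrite only the SELINUX= setting, not the comment lines that also contain "enforcing".
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
reboot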
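
setroubleshoot logs each denial in this issue twice: a short record carrying a sealert ID and a long record whose newlines syslog escaped as `#012`. The following Python script is an added example, not part of the original issue or of the kubeadm-vagrant project; it collapses such lines to one entry per alert ID and extracts the denied permission, the target type and the plugin suggestions. The sample lines, the placeholder alert IDs and the names `summarize` and `_pair` are constructed for illustration.

```python
import re

HEAD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ setroubleshoot\[\d+\]: SELinux is preventing "
    r"(?P<src>\S+) from using the (?P<perm>\S+) access on a (?P<tclass>\S+?)\.(?P<rest>.*)$")
ALERT_ID = re.compile(r"sealert -l ([0-9a-f-]{36})")
PLUGIN = re.compile(r"Plugin (\w+) \(([\d.]+) confidence\)")
TARGET = re.compile(r"processes labeled (\w+)")

def summarize(lines):
    """Collapse repeated setroubleshoot records into one entry per alert ID."""
    alerts, current = {}, None
    for line in lines:
        m = HEAD.match(line)
        if not m:
            continue  # kernel/systemd "SELinux:" boot messages are not denials
        found = ALERT_ID.search(m["rest"])
        if found:  # short record: carries the sealert ID
            current = alerts.setdefault(found[1], {
                "source": m["src"], "perm": m["perm"], "tclass": m["tclass"],
                "count": 0, "first": m["ts"], "last": m["ts"],
                "target_type": None, "plugins": {}})
            current["count"] += 1
            current["last"] = m["ts"]
        elif current is not None:  # long record: syslog escaped newlines as #012
            text = m["rest"].replace("#012", "\n")
            current["plugins"].update((n, float(c)) for n, c in PLUGIN.findall(text))
            target = TARGET.search(text)
            if target:
                current["target_type"] = target[1]
    return alerts

def _pair(ts, pid, alert):
    """Constructed short + long record in the shape of the lines in this issue."""
    head = (f"{ts} n210 setroubleshoot[{pid}]: SELinux is preventing / "
            "from using the transition access on a process.")
    return [head + f" For complete SELinux messages run: sealert -l {alert}",
            head + "#012#012*****  Plugin restorecon_source (99.5 confidence) suggests   ***"
            "#012#012*****  Plugin catchall (1.49 confidence) suggests   ***#012#012If you "
            "believe that  should be allowed transition access on processes labeled "
            "container_t by default.#012"]

# Placeholder alert IDs (constructed, not the IDs from the issue).
A, B = "00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000b"
SAMPLE = (["Jul 10 11:31:42 n210 kernel: SELinux:  Initializing."]
          + _pair("Jul 10 15:13:46", 53280, A) + _pair("Jul 10 15:14:04", 53441, A)
          + _pair("Jul 10 15:28:59", 60346, B))
if __name__ == "__main__":
    for alert, a in summarize(SAMPLE).items():
        print(alert, a["count"], a["first"], a["last"], a["perm"], a["target_type"], a["plugins"])
```

On a node, pass the lines of the syslog file (the `messages` file grepped above) to `summarize` instead of `SAMPLE`.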