k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Fedora 32: Rancher deployment fails to ./management-state: permission denied #7

Closed lukasmrtvy closed 3 years ago

lukasmrtvy commented 4 years ago

rancher pod log

panic: error creating binary drop folder: mkdir ./management-state: permission denied

goroutine 2160 [running]:
github.com/rancher/rancher/app.(*Rancher).Start.func1(0x46e8a60, 0xc0017f1840)
        /go/src/github.com/rancher/rancher/app/app.go:245 +0x651
created by github.com/rancher/rancher/vendor/github.com/rancher/wrangler/pkg/leader.run.func1
        /go/src/github.com/rancher/rancher/vendor/github.com/rancher/wrangler/pkg/leader/leader.go:58 +0x46

ausearch -m avc --start recent

time->Fri May  1 16:53:33 2020
type=AVC msg=audit(1588366413.960:7700): avc:  denied  { create } for  pid=31090 comm="rancher" name="management-state" scontext=system_u:system_r:container_t:s0:c132,c330 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0

This also applies to the local-path provisioner:

type=AVC msg=audit(1588597594.475:170638): avc:  denied  { create } for  pid=565069 comm="mkdir" name="pvc-c55c5fd4-2248-43e3-91dc-f96156030920" scontext=system_u:system_r:container_t:s0:c243,c496 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0

dweomer commented 3 years ago

This has been fixed via https://github.com/k3s-io/containerd/commit/f870ec1b8741020375337d5f3516f21a33c777e8
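
Added example, not part of the original thread or of the k3s-selinux project: a small triage script that parses the two AVC records quoted in the issue and groups them by (source type, target type, object class, permissions), showing that the Rancher and local-path provisioner failures are the same denial. The function names (`parse_avc`, `se_type`, `group_denials`) are hypothetical; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the issue (copied from the page).
AVC_LINES = [
    'type=AVC msg=audit(1588366413.960:7700): avc:  denied  { create } for  pid=31090 comm="rancher" name="management-state" scontext=system_u:system_r:container_t:s0:c132,c330 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1588597594.475:170638): avc:  denied  { create } for  pid=565069 comm="mkdir" name="pvc-c55c5fd4-2248-43e3-91dc-f96156030920" scontext=system_u:system_r:container_t:s0:c243,c496 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0',
]

# "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def se_type(context):
    """Extract the type from an SELinux context (user:role:type:level...)."""
    return context.split(':')[2]


def group_denials(lines):
    """Group enforced denials by (source type, target type, class, perms)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        # permissive=0 means the access was actually blocked, not just logged.
        if rec is None or rec['result'] != 'denied' or rec.get('permissive') != '0':
            continue
        key = (se_type(rec['scontext']), se_type(rec['tcontext']),
               rec['tclass'], tuple(rec['perms']))
        groups[key].append((rec['comm'], rec['name']))
    return dict(groups)


if __name__ == '__main__':
    for (src, tgt, cls, perms), hits in group_denials(AVC_LINES).items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }} ({len(hits)} denials)')
        for comm, name in hits:
            print(f'    comm={comm} name={name}')
```

The MCS categories (`c132,c330` and `c243,c496`) differ per container and are deliberately ignored in the grouping key, since both denials are decided on the type pair.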