Error Compiling Modules on CentOS 8.6

[ccravens]

Looks like the semodule errors when installing on latest of CentOS 8:

Rancher RKE2 Common (stable)                                                                                               12 kB/s | 2.4 kB     00:00    
Importing GPG key 0xE257814A:
 Userid     : "Rancher (CI) <ci@rancher.com>"
 Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
 From       : https://rpm.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                  1/1 
  Running scriptlet: container-selinux-2:2.195.1-1.module_el8.8.0+1254+78119b6e.noarch                                                                1/4 
  Installing       : container-selinux-2:2.195.1-1.module_el8.8.0+1254+78119b6e.noarch                                                                1/4 
  Running scriptlet: container-selinux-2:2.195.1-1.module_el8.8.0+1254+78119b6e.noarch                                                                1/4 
  Running scriptlet: rke2-selinux-0.11-1.el8.noarch                                                                                                   2/4 
  Installing       : rke2-selinux-0.11-1.el8.noarch                                                                                                   2/4 
  Running scriptlet: rke2-selinux-0.11-1.el8.noarch                                                                                                   2/4 
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/400/rke2/cil:324
Failed to generate binary
semodule:  Failed!

OS Info:

$ sudo uname -r
4.18.0-448.el8.x86_64
$ sudo uname -a
Linux ip-192-168-32-10.us-gov-east-1.compute.internal 4.18.0-448.el8.x86_64 #1 SMP Wed Jan 18 15:02:46 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ sudo rpm -q centos-stream-release
centos-stream-release-8.6-1.el8.noarch

[brandond]

• Same issue as https://github.com/k3s-io/k3s-selinux/issues/36 cc @galal-hussein

[mysticaltech]

@galal-hussein @brandond Please folks, we will soon be installing rke2 on MicroOS and will need this to be fixed. Can we do anything to help?

[mysticaltech]

@galal-hussein Please, that's one of our main blocker in adopting rke2!

[galal-hussein]

@mysticaltech @ccravens I am currently investigating the issue, I beileve I have a fix for microos and centos9

[galal-hussein]

To give you more context on the issue, it seems that container-selinux has updated some of their macros definitions starting from container-selinux v2.195 and that particular macro container_domain_template specifically this line:

https://github.com/containers/container-selinux/commit/6e0cb6e1dcb0c16a6cd6018e69871245c02a0dd6#diff-d87cfd6c86daf9204f212619e52210d06d7575d9b4ad27b41966ab3e1b80e2a8R891

which basically includes a new argument to the definition, and since we only pass one argument you will see a lot of error of missing context like _file_t which it should be container_file_t. currently I am passing the missing argument into the selinux policy for all distros and this fix the issue

[galal-hussein]

@rancher-max @mysticaltech @ccravens new rpms in the testing channel has been released that will include the fix for newer container-selinux versions

[mysticaltech]

Wonderful, thanks @galal-hussein! 🙏

[ccravens]

@galal-hussein yes thank you!

[johanneskastl]

@galal-hussein 1.12testing.1 builds successfully on openSUSE. Thanks for the work!

[rancher-max]

Hussein covered all of the good details in this thread, but we have concluded testing on this now! I gave some details in https://github.com/rancher/rke2/issues/4285#issuecomment-1562086153, but the tl;dr is that this should be available to use via the install script at https://get.rke2.io and the testing channel.

For el8 in particular, as that was the original issue here, we opted for requiring a container-selinux version less than 191 since not all of the el8 distros have updated yet to the latest.

I am going to close this out as the changes will find their way into the latest and stable channels in line with the May patch releases (very soon). Thank you everyone for your reports and help with validations here!

[mysticaltech]

Thanks @rancher-max!