rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

Local-path provisioner on RKE2 fails to deploy volumes due to selinux #62

Open e-minguez opened 11 months ago

e-minguez commented 11 months ago

bootstraper:~ # cat /etc/os-release
NAME="SLE Micro"
VERSION="5.4"
VERSION_ID="5.4"
PRETTY_NAME="SUSE Linux Enterprise Micro 5.4"
ID="sle-micro"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sle-micro:5.4"
bootstraper:~ # rpm -qa |grep -i selinux
cockpit-selinux-251.3-150400.2.1.noarch
rke2-selinux-0.16-1.slemicro.noarch
python3-selinux-3.4-150400.1.8.x86_64
selinux-policy-20221019-150400.2.6.noarch
container-selinux-2.188.0-150400.1.13.noarch
patterns-microos-selinux-5.4.0-150400.1.1.x86_64
selinux-policy-targeted-20221019-150400.2.6.noarch
libselinux1-3.4-150400.1.8.x86_64
selinux-tools-3.4-150400.1.8.x86_64

type=AVC msg=audit(1702630180.971:13745): avc:  denied  { write } for  pid=4959 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c307,c538 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702630189.855:13748): avc:  denied  { write } for  pid=5390 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c324,c870 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702630314.862:13780): avc:  denied  { write } for  pid=7712 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c411,c516 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702630325.406:13783): avc:  denied  { write } for  pid=8167 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c296,c569 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702630465.345:13791): avc:  denied  { write } for  pid=10867 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c402,c882 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
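
Added example (not part of the original issue or of the rke2-selinux project): a small Python parser that collapses AVC denial records like those posted above into distinct (source type, target type, class, permission, name) tuples, ignoring PIDs and the per-container MCS categories. The function names are illustrative, and the sample input is two of the records copied from the issue.

```python
import re
from collections import Counter

# Sample input: two of the AVC records from the issue, embedded so the example runs offline.
SAMPLE = """\
type=AVC msg=audit(1702630180.971:13745): avc:  denied  { write } for  pid=4959 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c307,c538 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1702630189.855:13748): avc:  denied  { write } for  pid=5390 comm="mkdir" name="local-path-provisioner" dev="sda3" ino=289 scontext=system_u:system_r:container_t:s0:c324,c870 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type:level; the level may itself contain ':' (s0:c1,c2),
    # so split at most three times and keep the remainder as the level.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
        rec[key[0] + "level"] = parts[3] if len(parts) == 4 else None
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, perms, name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec.get("tclass"),
                   rec["perms"], rec.get("name"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms, name), n in summarize(SAMPLE).items():
        print(f"{n}x {stype} -> {ttype}:{tclass} {{{' '.join(perms)}}} name={name}")
```

Run over all five records in the issue, this collapses to a single tuple: `container_t` denied `write` on a `usr_t` directory named `local-path-provisioner`, so the denial follows from the directory's label rather than from any one container.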

dereknola commented 10 months ago

This is a known issue with local-path-provisioner https://github.com/rancher/local-path-provisioner/issues/362