rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

Addition of /opt/rke2 to file context? #64

Open dopice opened 7 months ago

dopice commented 7 months ago

Would it be considered a possibility to also add the correct file context for /opt/rke2?

The reasoning behind this is that with TAR based installations it's not possible to run the node with SELinux enabled on SLE Micro and MicroOS. RKE2 is installed into /opt/rke2 since /usr/local is a separate file system. Brad Davidson was kind enough to point to the explanation (here). The reason we don't install RKE2 via RPM is that the cluster is provisioned as a custom cluster in Rancher Manager, and we want to be able to utilize the additional features that come with letting Rancher Manager do this instead of importing the existing cluster.

Thanks!

davidcassany commented 3 months ago

In Elemental we are also facing this issue, or a closely related one. In Elemental we are always installing from a tarball (to the /opt/rke2 path), and what we note is that after the installation the SELinux labels are not properly set for /var/lib/rancher. The SELinux policy is already installed and active in the OS before the installation, hence our expectation is that a relabeling shouldn't be needed and the correct labels would be applied as files are expanded. Some more specific details are exposed here: https://github.com/rancher/elemental/issues/1362#issuecomment-2110428280.

We have no vision about how the installation in /opt/rke2 feeds the binaries in /var/lib/rancher, but in that process some labels and contexts are not properly applied; we are not sure if this is an issue of the policy per se or an issue of the rke2 expanding process.
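Both comments describe the same defender-side question: after a tarball install into /opt/rke2, which files carry a type the policy does not expect, and what can a local admin do until the policy ships a context for that path. The script below is an added example, not code from rancher/rke2-selinux or from either commenter. It audits `ls -Z` style output for a mismatched type and prints (without running) a local-policy workaround. Its assumptions, none of which the thread states, are that the shipped policy labels the binary at its default tar location under /usr/local, that the expected type name is supplied by the caller (container_runtime_exec_t is used only as a sample value; the project's own .fc file is the authority), and that the `ls -Z` lines are a constructed sample.

```shell
#!/bin/sh
# Added example, not part of rancher/rke2-selinux: audit the SELinux type on
# files a tar-based RKE2 install creates under /opt/rke2 and /var/lib/rancher,
# and emit the local workaround for the missing /opt/rke2 file context.
#
# Assumption (not from the thread): the policy labels the default tar location
# /usr/local/bin/rke2, so an equivalence rule /opt/rke2 -> /usr/local makes the
# existing rules apply. The expected type is a caller-supplied parameter.

# Constructed sample of `ls -Z` output on a host where the tarball was
# extracted with the policy already active. tar creates files with the label
# inherited from the parent directory (usr_t, var_lib_t); the policy's
# file_contexts are only consulted by a relabel, which is why nothing under
# /opt/rke2 or /var/lib/rancher matches yet.
SAMPLE_LS_Z='unconfined_u:object_r:usr_t:s0 /opt/rke2/bin/rke2
system_u:object_r:container_runtime_exec_t:s0 /usr/local/bin/rke2
unconfined_u:object_r:var_lib_t:s0 /var/lib/rancher/rke2/bin/containerd
unconfined_u:object_r:var_lib_t:s0 /var/lib/rancher/rke2/bin/runc'

# Print each path whose SELinux type (third field of the context) differs
# from the expected type.
#   $1 = expected type, $2 = ls -Z output ("context path" per line)
list_mislabeled() {
    printf '%s\n' "$2" |
        awk -v want="$1" '
            NF >= 2 {
                split($1, ctx, ":")
                if (ctx[3] != want) print $NF
            }'
}

# Number of mismatches; 0 means no relabel is needed for that type.
count_mislabeled() {
    list_mislabeled "$1" "$2" | wc -l | tr -d ' '
}

# Emit (do not run) the admin-side workaround until the policy itself
# carries an /opt/rke2 context:
#   1. equivalence rule: label /opt/rke2/... by the /usr/local/... rules
#   2. dry run (-n) so the planned relabel can be reviewed first
#   3. the real recursive relabel of both trees
workaround_cmds() {
    cat <<'EOF'
semanage fcontext -a -e /usr/local /opt/rke2
restorecon -RFnv /opt/rke2 /var/lib/rancher
restorecon -RFv /opt/rke2 /var/lib/rancher
EOF
}

# Stand-alone run against the constructed sample.
echo "Files not labeled container_runtime_exec_t:"
list_mislabeled container_runtime_exec_t "$SAMPLE_LS_Z"
echo "Mismatches: $(count_mislabeled container_runtime_exec_t "$SAMPLE_LS_Z")"
echo "Suggested workaround (review before running as root):"
workaround_cmds
```

On a real host the same audit is simply `restorecon -RFnv /opt/rke2 /var/lib/rancher`, which lists every file whose label differs from file_contexts without touching it. The equivalence rule only helps if the policy already has rules for the /usr/local paths; the /var/lib/rancher mismatch in the second comment is independent of that and needs a relabel after extraction in any case, because files tar creates inherit the parent directory's type rather than the policy's configured context.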