rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0
21 stars, 21 forks

RKE2 on CoreOS fails to start if selinux=true in config.yaml. #78

Open depeo opened 4 hours ago

depeo commented 4 hours ago

Hello!

RKE2 fails to start if I set selinux=true in config.yaml:

[2139]: time="2024-11-24T10:53:54Z" level=info msg="Failed to test data store connection: context deadline exceeded"
rke2[2139]: {"level":"warn","ts":"2024-11-24T10:53:55.681262Z","logger":"etcd-client","caller":"v3@v3.5.13-k3s1/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0001d63c0/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: Error while dialing: dial tcp 127.0.0.1:2379: connect: connection refused\""}
rke2[2139]: time="2024-11-24T10:53:55Z" level=error msg="Failed to check local etcd status for learner management: context deadline exceeded"

I built policy/centos9 in a Fedora 40 container and installed rke2.pp on CoreOS with semodule -n -i rke2.pp. Fedora 40 has the same container-selinux version as CoreOS.

I suspect the issue is with rke2_tls_t, because I cannot restorecon on the tls files:

root@cp1:/var/lib/rancher/rke2/server/tls# restorecon .
restorecon: Could not set context for /var/lib/rancher/rke2/server/tls:  Invalid argument
root@cp1:/var/lib/rancher/rke2/server/tls# ls -ltrZ
total 136
-rw-------. 1 root root system_u:object_r:container_var_lib_t:s0  227 Nov 24 10:52 client-ca.key
-rw-r--r--. 1 root root system_u:object_r:container_var_lib_t:s0  570 Nov 24 10:52 client-ca.nochain.crt
-rw-r--r--. 1 root root system_u:object_r:container_var_lib_t:s0  570 Nov 24 10:52 client-ca.crt
-rw-------. 1 root root system_u:object_r:container_var_lib_t:s0  227 Nov 24 10:52 client-admin.key
...
root@cp1:/var/lib/rancher/rke2/server/tls# semodule -l |grep rke2
rke2
root@cp1:/var/lib/rancher/rke2/server/tls# rpm -q container-selinux
container-selinux-2.233.0-1.fc41.noarch
root@cp1:/var/lib/rancher/rke2/server/tls# uname -a
Linux cp1 6.11.5-300.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 22 20:11:15 UTC 2024 x86_64 GNU/Linux

Any idea how this can be fixed? I'm guessing something changed in the newer version of container-selinux?
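Added diagnostic helper, not part of the rke2-selinux project and not the reporter's code: it parses the `ls -lZ` and `semodule -l` output quoted above and tells apart a module that is missing from the store from one that is in the store but not in the running kernel policy, which is exactly what `semodule -n` (no reload) leaves behind and what makes restorecon fail with "Invalid argument" when it tries to set a type the kernel does not know. The sample listing and module list are constructed from the report; rke2_tls_t as the expected type follows the reporter's guess, and a policy reload (`semodule -R`) as the remedy is an assumption to confirm on the host.

```python
"""Audit SELinux labels under an RKE2 tls directory from `ls -lZ` output."""
from typing import Dict

# Constructed sample based on the listing in the report, plus one file that
# already carries the type the policy is expected to assign.
SAMPLE_LISTING = """\
total 136
-rw-------. 1 root root system_u:object_r:container_var_lib_t:s0  227 Nov 24 10:52 client-ca.key
-rw-r--r--. 1 root root system_u:object_r:container_var_lib_t:s0  570 Nov 24 10:52 client-ca.nochain.crt
-rw-r--r--. 1 root root system_u:object_r:rke2_tls_t:s0  570 Nov 24 10:52 server-ca.crt
"""
SAMPLE_MODULES = "container\nrke2\n"  # constructed `semodule -l` output

def parse_ls_z(listing: str) -> Dict[str, str]:
    """Map file name -> SELinux type. `ls -lZ` prints ten whitespace-separated
    fields with the context in field five; names may contain spaces, so the
    split is capped at nine. Lines such as 'total 136' are skipped."""
    types: Dict[str, str] = {}
    for line in listing.splitlines():
        parts = line.split(None, 9)
        if len(parts) != 10:
            continue
        ctx = parts[4].split(":")  # user:role:type:level[:categories]
        if len(ctx) >= 3:
            types[parts[9]] = ctx[2]
    return types

def mislabeled(listing: str, expected_type: str) -> Dict[str, str]:
    """Files whose type is not `expected_type`, with the type they carry."""
    return {n: t for n, t in parse_ls_z(listing).items() if t != expected_type}

def module_in_store(semodule_output: str, name: str) -> bool:
    """True if `semodule -l` lists the module. One name per line; older
    releases append a version column, so only the first token is compared."""
    names = {line.split()[0] for line in semodule_output.splitlines() if line.strip()}
    return name in names

def diagnose(listing: str, semodule_output: str, module: str,
             expected_type: str, restorecon_einval: bool) -> str:
    """Combine the three observations from the report into a likely cause."""
    bad = mislabeled(listing, expected_type)
    if not bad:
        return "labels already match"
    if not module_in_store(semodule_output, module):
        return f"module {module} not installed; {len(bad)} file(s) mislabeled"
    if restorecon_einval:
        # The store has the module, so file_contexts resolves to expected_type,
        # yet the kernel rejects it: the policy was committed but never loaded
        # (e.g. `semodule -n`). Assumption: `semodule -R` reloads it.
        return f"{module} installed but running policy lacks {expected_type}: reload policy"
    return f"{len(bad)} file(s) mislabeled; run restorecon -Rv"
```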