rancher / rke2

https://docs.rke2.io/
Apache License 2.0

Oracle 9.4 Missing SELinux rules prevents network configuration for any CNI #6451

Closed VestigeJ closed 2 months ago

VestigeJ commented 3 months ago

Environmental Info: RKE2 Version:

$ rke2 -v
rke2 version v1.27.16-rc4+rke2r1 (4f40ff06079f648f3194b344c4199997a970614d)
go version go1.22.5 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

$ uname -a

Linux ip.us-east-2.compute.internal 5.15.0-208.159.3.2.el9uek.x86_64 #2 SMP Wed Jul 17 12:32:23 PDT 2024 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:

Single server with selinux set to enforcing

$ sudo getenforce
Enforcing

Describe the bug:

Steps To Reproduce:

=========== rke2 config ===========
node-external-ip: node-ip
token: YOUR_TOKEN_HERE
write-kubeconfig-mode: 644
debug: true
cni: multus,canal
profile: cis

Expected behavior:

$ sudo INSTALL_RKE2_VERSION=$VERSION INSTALL_RKE2_CHANNEL=testing INSTALL_RKE2_METHOD=rpm INSTALL_RKE2_EXEC=server ./install-rke2.sh

install single node with rke2 profile: cis, selinux: true with any CNI on Oracle 9.4 AMI and selinux set to enforcing

Actual behavior:

Oracle 9.4 with selinux enabled doesn't seem to have the right permissions to stand up the networking stack and interfaces on the node aren't created for the chosen CNI.

Additional context / logs:

When you remove the selinux db the cluster is capable of starting, albeit still in a broken state. It seems there may be crossover with some previous issues: https://github.com/rancher/rke2/issues/1865

libselinux-3.5-1.el9.x86_64
libselinux-utils-3.5-1.el9.x86_64
python3-libselinux-3.5-1.el9.x86_64
selinux-policy-38.1.23-1.0.2.el9_3.2.noarch
selinux-policy-targeted-38.1.23-1.0.2.el9_3.2.noarch
rpm-plugin-selinux-4.16.1.3-27.0.1.el9_3.x86_64
libselinux-3.6-1.el9.x86_64
libselinux-utils-3.6-1.el9.x86_64
python3-libselinux-3.6-1.el9.x86_64
selinux-policy-38.1.35-2.0.1.el9_4.noarch
selinux-policy-targeted-38.1.35-2.0.1.el9_4.noarch
fapolicyd-selinux-1.3.2-100.0.1.el9.noarch
container-selinux-2.229.0-1.el9_3.noarch
rke2-selinux-0.18-2.el9.noarch
801269Z" level=info msg="RemoveContainer for \"d76c992e9e0f914fd810b495b98a8a5f041192aeb3e49b6c65b7c9b5f6537484\""
time="2024-08-01T22:51:53.015222980Z" level=info msg="RemoveContainer for \"6a00048854fa55f958d97b65a69ad5bc95a3ec1ff1e56fd2dd3f66f4fab59c34\""
time="2024-08-01T22:51:53.017955147Z" level=info msg="RemoveContainer for \"d76c992e9e0f914fd810b495b98a8a5f041192aeb3e49b6c65b7c9b5f6537484\" returns successfully"
time="2024-08-01T22:51:53.020312751Z" level=info msg="RemoveContainer for \"6a00048854fa55f958d97b65a69ad5bc95a3ec1ff1e56fd2dd3f66f4fab59c34\""
time="2024-08-01T22:51:53.020355012Z" level=info msg="RemoveContainer for \"6a00048854fa55f958d97b65a69ad5bc95a3ec1ff1e56fd2dd3f66f4fab59c34\" returns successfully"
time="2024-08-01T22:51:53.020393533Z" level=info msg="RemoveContainer for \"6a00048854fa55f958d97b65a69ad5bc95a3ec1ff1e56fd2dd3f66f4fab59c34\" returns successfully"
tail: cannot open '/var/log/containers/cloud-controller-manager-ip-us-east-2.compute.internal_kube-system_cloud-controller-manager-1343570322f2693a57ea470e6f2b538cc10de244f3dd011e00f03f799bfa101e.log' for reading: Permission denied
tail: cannot open '/var/log/containers/cloud-controller-manager-ip-us-east-2.compute.internal_kube-system_cloud-controller-manager-309ef4ccfcb446eb80854c816f5bfa94f593835098c921e3ec23fa3207d5eccc.log' for reading: Permission denied
tail: cannot open '/var/log/containers/etcd-ip-us-east-2.compute.internal_kube-system_etcd-e85d280489a2f81b22480a4adcc0acb9f05a38befa404746559a40abecb5892f.log' for reading: Permission denied
tail: cannot open '/var/log/containers/etcd-ip-us-east-2.compute.internal_kube-system_etcd-fd3002f7801e2c2035eaa7ac240c5b9d849ee847be5c0733a25a2e9e25da92f1.log' for reading: Permission denied
tail: cannot open '/var/log/containers/helm-install-rke2-canal-wjw6v_kube-system_helm-883e852441bb848acdb91dacad58f38c5bbe6772c1e1a9f9b39f31a0b78be598.log' for reading: Permission denied
tail: cannot open '/var/log/containers/helm-install-rke2-coredns-x6wnf_kube-system_helm-fbf764c3ea8438b904a054ab86036a3f5b62e8faf957513cfef361b1655fec2d.log' for reading: Permission denied
tail: cannot open '/var/log/containers/helm-install-rke2-multus-ns99l_kube-system_helm-d6a4bc72b88e9c92dec2100cf0b6f5aaa1a959a1aa111ba52c096300630e4367.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-apiserver-ip-us-east-2.compute.internal_kube-system_kube-apiserver-0ab525c5bf534a56db2cf251af0173a09030304c4246f473dffffbc15601c3a5.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-apiserver-ip-us-east-2.compute.internal_kube-system_kube-apiserver-c7f41021aaf6a46d09bce77926a8ee98fa3a1627cb0551ec1350c1b250cacae6.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-controller-manager-ip-us-east-2.compute.internal_kube-system_kube-controller-manager-492cfa24d3f4db311b275e30bbb2fbbab575c086bc163df0f2854d3307f2790b.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-controller-manager-ip-us-east-2.compute.internal_kube-system_kube-controller-manager-8d1bc06dd6cc0df922546bd5b162dc32b0261672d2506b832af95cd551394f25.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-proxy-ip-us-east-2.compute.internal_kube-system_kube-proxy-1710e60b1eca9d73072025201bab94152991703e3354707345abb89bee04456c.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-proxy-ip-us-east-2.compute.internal_kube-system_kube-proxy-8d39220109a53ef6787e749ebd859865c4d957e8e5943f137cce5b4b46b6e586.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-scheduler-ip-us-east-2.compute.internal_kube-system_kube-scheduler-78cd825db65d23140f59641cb27b07ad4060186f1779e38cd4b3ab4d899e8759.log' for reading: Permission denied
tail: cannot open '/var/log/containers/kube-scheduler-ip-us-east-2.compute.internal_kube-system_kube-scheduler-b099ef7cc56abb5769ca59700a51c78bcab7bf301c3bd38a1eb7c7994d998723.log' for reading: Permission denied
tail: cannot open '/var/log/containers/rke2-canal-d4jqr_kube-system_install-cni-ae5dae75c37930342b97dbe0f127765213b499b322ff061627bb47cc57a1ee94.log' for reading: Permission denied
tail: cannot open '/var/log/containers/rke2-multus-56gb7_kube-system_cni-plugins-45c89670c0b1d376f41ce4294764ec181603e22d59179bc0cf71832f728fce5a.log' for reading: Permission denied
tail: cannot open '/var/log/containers/rke2-multus-56gb7_kube-system_kube-rke2-multus-009f30eead4d509173af603f2471e11504f399d34419a6c60359432ed34ec41c.log' for reading: Permission denied

// typical journalctl output
$ sudo journalctl -u rke2-server -f

Aug 01 22:38:05 ip rke2[6936]: time="2024-08-01T22:38:05Z" level=debug msg="Waiting for Ready condition to be updated for Kubelet Port assignment"
Aug 01 22:38:06 ip rke2[6936]: time="2024-08-01T22:38:06Z" level=info msg="Connecting to proxy" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:06 ip rke2[6936]: time="2024-08-01T22:38:06Z" level=error msg="Failed to connect to proxy. Empty dialer response" error="dial tcp 3.145.164.196:9345: connect: no route to host"
Aug 01 22:38:06 ip rke2[6936]: time="2024-08-01T22:38:06Z" level=error msg="Remotedialer proxy error; reconnecting..." error="dial tcp 3.145.164.196:9345: connect: no route to host" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:06 ip rke2[6936]: time="2024-08-01T22:38:06Z" level=debug msg="Waiting for Ready condition to be updated for Kubelet Port assignment"
Aug 01 22:38:07 ip rke2[6936]: time="2024-08-01T22:38:07Z" level=info msg="Connecting to proxy" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:07 ip rke2[6936]: time="2024-08-01T22:38:07Z" level=error msg="Failed to connect to proxy. Empty dialer response" error="dial tcp 3.145.164.196:9345: connect: no route to host"
Aug 01 22:38:07 ip rke2[6936]: time="2024-08-01T22:38:07Z" level=error msg="Remotedialer proxy error; reconnecting..." error="dial tcp 3.145.164.196:9345: connect: no route to host" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:07 ip rke2[6936]: time="2024-08-01T22:38:07Z" level=debug msg="Node ip-3e8d43b3 is not changing etcd status condition"
Aug 01 22:38:07 ip rke2[6936]: time="2024-08-01T22:38:07Z" level=debug msg="Waiting for Ready condition to be updated for Kubelet Port assignment"
Aug 01 22:38:08 ip rke2[6936]: time="2024-08-01T22:38:08Z" level=info msg="Connecting to proxy" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:08 ip rke2[6936]: time="2024-08-01T22:38:08Z" level=error msg="Failed to connect to proxy. Empty dialer response" error="dial tcp 3.145.164.196:9345: connect: no route to host"
Aug 01 22:38:08 ip rke2[6936]: time="2024-08-01T22:38:08Z" level=error msg="Remotedialer proxy error; reconnecting..." error="dial tcp 3.145.164.196:9345: connect: no route to host" url="wss://3.145.164.196:9345/v1-rke2/connect"
Aug 01 22:38:08 ip rke2[6936]: time="2024-08-01T22:38:08Z" level=debug msg="Waiting for Ready condition to be updated for Kubelet Port assignment"

$ sudo audit2allow -w -a

type=AVC msg=audit(1722550165.832:42): avc:  denied  { checkpoint_restore } for  pid=733 comm="agetty" capability=40  scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722550165.938:43): avc:  denied  { checkpoint_restore } for  pid=732 comm="agetty" capability=40  scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551505.245:789): avc:  denied  { read write } for  pid=5323 comm="unix_chkpwd" path="/dev/pts/1" dev="devpts" ino=4 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.051:815): avc:  denied  { siginh } for  pid=6614 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.051:815): avc:  denied  { rlimitinh } for  pid=6614 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.051:815): avc:  denied  { read write } for  pid=6614 comm="11-dhclient" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.051:815): avc:  denied  { read write } for  pid=6614 comm="11-dhclient" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.051:815): avc:  denied  { noatsecure } for  pid=6614 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.056:816): avc:  denied  { siginh } for  pid=6615 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.056:816): avc:  denied  { rlimitinh } for  pid=6615 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.056:816): avc:  denied  { read write } for  pid=6615 comm="20-chrony-dhcp" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.056:816): avc:  denied  { read write } for  pid=6615 comm="20-chrony-dhcp" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.056:816): avc:  denied  { noatsecure } for  pid=6615 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.061:817): avc:  denied  { siginh } for  pid=6618 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.061:817): avc:  denied  { rlimitinh } for  pid=6618 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.061:817): avc:  denied  { noatsecure } for  pid=6618 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.069:818): avc:  denied  { siginh } for  pid=6619 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.069:818): avc:  denied  { rlimitinh } for  pid=6619 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.069:818): avc:  denied  { read write } for  pid=6619 comm="20-chrony-onoff" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.069:818): avc:  denied  { read write } for  pid=6619 comm="20-chrony-onoff" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.069:818): avc:  denied  { noatsecure } for  pid=6619 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.072:819): avc:  denied  { siginh } for  pid=6620 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.072:819): avc:  denied  { rlimitinh } for  pid=6620 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.072:819): avc:  denied  { noatsecure } for  pid=6620 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.076:820): avc:  denied  { siginh } for  pid=6621 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.076:820): avc:  denied  { rlimitinh } for  pid=6621 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.076:820): avc:  denied  { read write } for  pid=6621 comm="cloud-init-azur" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.076:820): avc:  denied  { read write } for  pid=6621 comm="cloud-init-azur" path="socket:[50853]" dev="sockfs" ino=50853 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551560.076:820): avc:  denied  { noatsecure } for  pid=6621 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551575.729:822): avc:  denied  { read write } for  pid=6929 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551575.764:827): avc:  denied  { siginh } for  pid=6932 comm="sh" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551586.193:830): avc:  denied  { read write } for  pid=6988 comm="unix_chkpwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551595.164:845): avc:  denied  { read write } for  pid=7379 comm="unix_chkpwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.045:933): avc:  denied  { siginh } for  pid=8066 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.045:933): avc:  denied  { rlimitinh } for  pid=8066 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.045:933): avc:  denied  { read write } for  pid=8066 comm="11-dhclient" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.045:933): avc:  denied  { read write } for  pid=8066 comm="11-dhclient" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.045:933): avc:  denied  { noatsecure } for  pid=8066 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.049:934): avc:  denied  { siginh } for  pid=8067 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.049:934): avc:  denied  { rlimitinh } for  pid=8067 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.049:934): avc:  denied  { read write } for  pid=8067 comm="20-chrony-dhcp" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.049:934): avc:  denied  { read write } for  pid=8067 comm="20-chrony-dhcp" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.049:934): avc:  denied  { noatsecure } for  pid=8067 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.055:935): avc:  denied  { siginh } for  pid=8070 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.055:935): avc:  denied  { rlimitinh } for  pid=8070 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.055:935): avc:  denied  { noatsecure } for  pid=8070 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.061:936): avc:  denied  { siginh } for  pid=8071 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.061:936): avc:  denied  { rlimitinh } for  pid=8071 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.061:936): avc:  denied  { read write } for  pid=8071 comm="20-chrony-onoff" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.061:936): avc:  denied  { read write } for  pid=8071 comm="20-chrony-onoff" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.061:936): avc:  denied  { noatsecure } for  pid=8071 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.064:937): avc:  denied  { siginh } for  pid=8072 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.064:937): avc:  denied  { rlimitinh } for  pid=8072 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.064:937): avc:  denied  { noatsecure } for  pid=8072 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.070:938): avc:  denied  { siginh } for  pid=8073 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.070:938): avc:  denied  { rlimitinh } for  pid=8073 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.070:938): avc:  denied  { read write } for  pid=8073 comm="cloud-init-azur" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.070:938): avc:  denied  { read write } for  pid=8073 comm="cloud-init-azur" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551630.070:938): avc:  denied  { noatsecure } for  pid=8073 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551642.487:968): avc:  denied  { read write } for  pid=8422 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551654.930:987): avc:  denied  { read write } for  pid=8662 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.124:1005): avc:  denied  { siginh } for  pid=9181 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.124:1005): avc:  denied  { rlimitinh } for  pid=9181 comm="11-dhclient" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.124:1005): avc:  denied  { read write } for  pid=9181 comm="11-dhclient" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.124:1005): avc:  denied  { read write } for  pid=9181 comm="11-dhclient" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.124:1005): avc:  denied  { noatsecure } for  pid=9181 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.130:1006): avc:  denied  { siginh } for  pid=9182 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.130:1006): avc:  denied  { rlimitinh } for  pid=9182 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.130:1006): avc:  denied  { read write } for  pid=9182 comm="20-chrony-dhcp" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.130:1006): avc:  denied  { read write } for  pid=9182 comm="20-chrony-dhcp" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.130:1006): avc:  denied  { noatsecure } for  pid=9182 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.135:1007): avc:  denied  { siginh } for  pid=9185 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.135:1007): avc:  denied  { rlimitinh } for  pid=9185 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.135:1007): avc:  denied  { noatsecure } for  pid=9185 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.141:1008): avc:  denied  { siginh } for  pid=9186 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.141:1008): avc:  denied  { rlimitinh } for  pid=9186 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.141:1008): avc:  denied  { read write } for  pid=9186 comm="20-chrony-onoff" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.141:1008): avc:  denied  { read write } for  pid=9186 comm="20-chrony-onoff" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.141:1008): avc:  denied  { noatsecure } for  pid=9186 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.143:1009): avc:  denied  { siginh } for  pid=9187 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.143:1009): avc:  denied  { rlimitinh } for  pid=9187 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.143:1009): avc:  denied  { noatsecure } for  pid=9187 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.147:1010): avc:  denied  { siginh } for  pid=9188 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.147:1010): avc:  denied  { rlimitinh } for  pid=9188 comm="cloud-init-azur" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.147:1010): avc:  denied  { read write } for  pid=9188 comm="cloud-init-azur" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.147:1010): avc:  denied  { read write } for  pid=9188 comm="cloud-init-azur" path="socket:[63248]" dev="sockfs" ino=63248 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551700.147:1010): avc:  denied  { noatsecure } for  pid=9188 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1722551728.056:1026): avc:  denied  { read write } for  pid=9515 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.
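The sealert output above classifies every record as a missing TE allow rule and points at audit2allow. Before turning those records into a policy module it is worth aggregating them by source type, target type, object class and permission, because that grouping shows which domains are actually involved. The Python below is an added example, not code from the issue or from the rke2 project: it parses a handful of the AVC records quoted in the report above (embedded as sample input), summarises the denials, and renders the allow rules that audit2allow would derive from the same records. The `RUNTIME_MARKERS` filter is an assumption about how the container and rke2 policy types are named, not something the report states.

```python
import re
from collections import Counter

# Sample input: five of the AVC records quoted in the report above.
SAMPLE_AVC = """\
type=AVC msg=audit(1722551630.061:936): avc:  denied  { noatsecure } for  pid=8071 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
type=AVC msg=audit(1722551630.064:937): avc:  denied  { siginh } for  pid=8072 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
type=AVC msg=audit(1722551630.064:937): avc:  denied  { rlimitinh } for  pid=8072 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0
type=AVC msg=audit(1722551630.070:938): avc:  denied  { read write } for  pid=8073 comm="cloud-init-azur" path="socket:[55993]" dev="sockfs" ino=55993 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1722551642.487:968): avc:  denied  { read write } for  pid=8422 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
"""

# One AVC record per line; only the fields needed for triage are captured.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'.*?\bpermissive=(?P<permissive>[01])'
)

# Assumption: type names of the container runtime / rke2 policy contain one of these.
RUNTIME_MARKERS = ('container', 'rke2')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'ts': float(m['ts']),
        'serial': int(m['serial']),
        'verdict': m['verdict'],
        'perms': tuple(m['perms'].split()),   # "{ read write }" -> ('read', 'write')
        'comm': m['comm'],
        'stype': context_type(m['scontext']),
        'ttype': context_type(m['tcontext']),
        'tclass': m['tclass'],
        'enforced': m['permissive'] == '0',   # permissive=0 means the access was blocked
    }


def parse_avc_log(text):
    """Parse every AVC record in a block of audit output."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denied permissions by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r['verdict'] != 'denied':
            continue
        for perm in r['perms']:
            counts[(r['stype'], r['ttype'], r['tclass'], perm)] += 1
    return counts


def runtime_related(records):
    """Records whose source or target type looks like a container/rke2 policy type."""
    return [r for r in records
            if any(mark in r['stype'] or mark in r['ttype'] for mark in RUNTIME_MARKERS)]


def draft_te_rules(summary):
    """Render the allow rules audit2allow would derive from the summarised denials."""
    grouped = {}
    for (stype, ttype, tclass, perm) in summary:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted(f'allow {s} {t}:{cls} {{ {" ".join(sorted(perms))} }};'
                  for (s, t, cls), perms in grouped.items())


if __name__ == '__main__':
    recs = parse_avc_log(SAMPLE_AVC)
    for key, n in sorted(summarize(recs).items()):
        print(n, *key)
    print('runtime-related records:', len(runtime_related(recs)))
    print('\n'.join(draft_te_rules(summarize(recs))))
```

Run over the records shown in this section, the grouping gives the same picture as the sample: NetworkManager dispatcher transitions into its chronyc, cloud-init and dhclient child domains (`siginh`, `rlimitinh`, `noatsecure`), dispatcher scripts reading and writing a socket owned by `init_t`, and `unix_chkpwd` on a pty. None of the source or target types belong to the container runtime or the rke2 policy, which is consistent with the reporter's later finding that the AMI, not the rke2 SELinux policy, was at fault.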

VestigeJ commented 2 months ago

Looks like there was indeed something wrong with the AMI that I had used at the time; re-testing the non-rc, non-testing rpm channel results in a healthy node.

NAME                                              STATUS   ROLES                       AGE     VERSION
node/ip-ip.us-east-2.compute.internal             Ready    control-plane,etcd,master   2m46s   v1.27.16+rke2r2

NAMESPACE     NAME                                                                      READY   STATUS      RESTARTS      AGE
kube-system   pod/cilium-ctq6t                                                          1/1     Running     0             2m12s
kube-system   pod/cilium-envoy-slffr                                                    1/1     Running     0             2m12s
kube-system   pod/cilium-operator-68f6b788c4-8ss86                                      0/1     Pending     0             2m12s
kube-system   pod/cilium-operator-68f6b788c4-pmxwb                                      1/1     Running     0             2m12s
kube-system   pod/cloud-controller-manager-ip-ip.us-east-2.compute.internal             1/1     Running     0             2m33s
kube-system   pod/etcd-ip-ip.us-east-2.compute.internal                                 1/1     Running     0             2m39s
kube-system   pod/helm-install-rke2-cilium-mbjwq                                        0/1     Completed   0             2m24s
kube-system   pod/helm-install-rke2-coredns-r4vjw                                       0/1     Completed   0             2m24s
kube-system   pod/helm-install-rke2-ingress-nginx-z9wp8                                 0/1     Completed   0             2m24s
kube-system   pod/helm-install-rke2-metrics-server-vx7lf                                0/1     Completed   0             2m23s
kube-system   pod/helm-install-rke2-multus-sfgrh                                        0/1     Completed   0             2m21s
kube-system   pod/helm-install-rke2-snapshot-controller-26j6p                           0/1     Completed   0             2m20s
kube-system   pod/helm-install-rke2-snapshot-controller-crd-4jq69                       0/1     Completed   0             2m21s
kube-system   pod/helm-install-rke2-snapshot-validation-webhook-krnc4                   0/1     Completed   0             2m20s
kube-system   pod/kube-apiserver-ip-ip.us-east-2.compute.internal                       1/1     Running     0             2m33s
kube-system   pod/kube-controller-manager-ip-ip.us-east-2.compute.internal              1/1     Running     0             2m35s
kube-system   pod/kube-proxy-ip-ip.us-east-2.compute.internal                           1/1     Running     0             2m32s
kube-system   pod/kube-scheduler-ip-ip.us-east-2.compute.internal                       1/1     Running     0             2m35s
kube-system   pod/rke2-coredns-rke2-coredns-864fbd7785-gfpbj                            1/1     Running     0             2m13s
kube-system   pod/rke2-coredns-rke2-coredns-autoscaler-6c87968579-g5x49                 1/1     Running     0             2m13s
kube-system   pod/rke2-ingress-nginx-controller-9lnck                                   1/1     Running     0             41s
kube-system   pod/rke2-metrics-server-7f745dbddf-mwwsp                                  1/1     Running     0             64s
kube-system   pod/rke2-multus-7mwwm                                                     1/1     Running     3 (99s ago)   2m14s
kube-system   pod/rke2-snapshot-controller-7d6476d7cb-6x8sv                             1/1     Running     0             65s
kube-system   pod/rke2-snapshot-validation-webhook-5649fbd66c-6prm9                     1/1     Running     0             64s

NAMESPACE     NAME                                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default       service/kubernetes                                ClusterIP   10.43.0.1       <none>        443/TCP         2m46s
kube-system   service/rke2-coredns-rke2-coredns                 ClusterIP   10.43.0.10      <none>        53/UDP,53/TCP   2m13s
kube-system   service/rke2-ingress-nginx-controller-admission   ClusterIP   10.43.224.147   <none>        443/TCP         41s
kube-system   service/rke2-metrics-server                       ClusterIP   10.43.214.172   <none>        443/TCP         64s
kube-system   service/rke2-snapshot-validation-webhook          ClusterIP   10.43.114.248   <none>        443/TCP         64s