Available for Rancher 1.6+
For Rancher on RHEL/CentOS and SELinux to work, you will need to have the RPM package
container-selinux-2.14 or higher installed on instances running the Rancher server container as well as any hosts. If there is a lower version installed, you will need to build an additional SELinux module to make Rancher work.
You can validate the version by running this command:
rpm -q container-selinux.
# Check container-selinux version $ rpm -q container-selinux container-selinux-2.19-2.1.el7.noarch
In order to build the additional SELinux module, you will need to install the
$ yum install selinux-policy-devel
Create a file named
virtpatch.te with the following contents.
policy_module(virtpatch, 1.0) gen_require(` type svirt_lxc_net_t; ') allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
Build the module.
$ make -f /usr/share/selinux/devel/Makefile
After running the
make command, a file named
virtpatch.pp should be created if the build was successful.
virtpatch.pp is the compiled SELinux module.
After the SELinux module is built, load the module on instances running the Rancher server container as well as any hosts.
# Load the module $ semodule -i virtpatch.pp # Verify the module is loaded $ semodule -l