Available for Rancher 1.6+
If you are running Rancher on RHEL/CentOS and want to enable SELinux, you will be required to install an additional SELinux module.
The steps in this document are a workaround until the changes contained in the module are shipped in the RHEL and CentOS policy packages; once that happens, these steps will no longer be required.
These steps must be performed on the instances running the Rancher server container as well as on every host.
In order to build the additional SELinux module, you will need to install the selinux-policy-devel package:
$ yum install selinux-policy-devel
Create a file named virtpatch.te with the following contents.

# Custom module that adds one rule on top of the stock policy.
policy_module(virtpatch, 1.0)

# Reference the container domain type defined by the base policy.
gen_require(`
    type svirt_lxc_net_t;
')

# Allow containers to create netlink XFRM sockets (used to configure IPsec).
allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
Build the module (run this in the directory containing virtpatch.te).
$ make -f /usr/share/selinux/devel/Makefile
After running the make command, a file named virtpatch.pp should be created if the build was successful. virtpatch.pp is the compiled SELinux module.
After the SELinux module is built, load the module.
# Load the module
$ semodule -i virtpatch.pp
# Verify the module is loaded
$ semodule -l
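As an added example (not from the Rancher documentation), the steps above wrapped in a script with two checks a host administrator would want: before loading, that the denials in the audit log are the one this rule grants and not some other policy gap; after loading, that semodule -l actually lists the module. The sample denial is constructed, and its comm="charon" value is an assumption.

```shell
#!/bin/sh
# Added example, not from the Rancher docs: wraps the build/load steps above in
# a script with a check before loading and a check after loading the module.
set -eu

# Write the virtpatch.te from the docs into the directory given as $1.
write_virtpatch_te() {
    cat > "$1/virtpatch.te" <<'EOF'
policy_module(virtpatch, 1.0)

gen_require(`
    type svirt_lxc_net_t;
')

allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
EOF
}

# Count AVC denials on stdin that this single rule resolves: source type
# svirt_lxc_net_t, class netlink_xfrm_socket. Anything else is a different
# policy gap and should not be papered over by widening this module.
count_covered_denials() {
    grep -c -E 'avc: +denied .*scontext=[^ ]*:svirt_lxc_net_t:.*tclass=netlink_xfrm_socket' || true
}

# Succeed only if "virtpatch" appears in a `semodule -l` listing read from stdin.
module_loaded() {
    grep -q -E '^virtpatch([[:space:]]|$)'
}

# Constructed sample denial (the comm value is an assumption) for a dry run.
SAMPLE_AVC='type=AVC msg=audit(1500000000.000:100): avc:  denied  { create } for  pid=4242 comm="charon" scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tclass=netlink_xfrm_socket permissive=0'

case "${1:-}" in
--apply)  # real run: needs root and selinux-policy-devel on the host
    workdir=$(mktemp -d)
    write_virtpatch_te "$workdir"
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile )
    semodule -i "$workdir/virtpatch.pp"
    semodule -l | module_loaded || { echo "virtpatch not loaded" >&2; exit 1; }
    echo "covered denials logged so far: $(count_covered_denials < /var/log/audit/audit.log)"
    ;;
--dry-run)
    echo "sample denials covered: $(printf '%s\n' "$SAMPLE_AVC" | count_covered_denials)"  # prints 1
    ;;
esac
```

Run it with --dry-run to exercise the checks offline, and with --apply as root on each Rancher host to perform the real build and load.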