
Releases: rancher/rke2-selinux

v0.5.testing.2 Pre-release

03 Mar 21:55
c0b121a
Add policy to enable reading container logs (#13)

Without this patch, in both RKE1 and RKE2, containers that need to read
/var/log/containers (such as the fluentbit containers from the logging
operator) are denied by SELinux. In the case of RKE1, regular containers
running with type container_t are blocked from reading container logs in
/var/log/containers whose file context type is container_log_t, as well
as from following those symlinks to the true path of the logs in
/var/lib/docker/containers which docker creates with file context type
container_var_lib_t. In the case of RKE1, regular containers are blocked
from reading container log files and from following symlinks to
/var/log/pods.

The container-selinux package allows containers to transition to domain
container_logreader_t, which solves part of the problem but does not
allow containers to follow symlinks or read internal docker state files.

This patch adds new policy rules to create a new container_domain type
rke_logreader_t which containers can transition to. This domain allows
containers to read container log files and to follow symlinks to their
true locations. It also allows them to read files with label
container_var_lib_t, though this is only required for RKE1 and not RKE2.

This RPM will now need to be newly installed on RKE1, so a rename may be
necessary.

v0.5.testing.1 Pre-release

12 Feb 00:55
d7cf36f
fix the centos-8 build (#12)

- minimally depend on container-selinux 2.144
- remove sandboxes and shm transitions that are now included in the
upstream macro
- require container_kvm_var_run_t in the rke2_filetrans_named_content
macro so as to sidestep a bug in upstream

Signed-off-by: Jacob Blain Christen <dweomer5@gmail.com>

v0.4-1 Stable

23 Nov 22:11
f30379e
Merge pull request #10 from Oats87/el8-path-fix

Fix policy upload for centos8

v0.4-1

16 Nov 16:52
f30379e
Merge pull request #10 from Oats87/el8-path-fix

Fix policy upload for centos8

v0.4.testing.1 Pre-release

17 Nov 02:59
f30379e
Merge pull request #10 from Oats87/el8-path-fix

Fix policy upload for centos8

v0.4-rc1 Pre-release

05 Nov 17:09
f30379e
Merge pull request #10 from Oats87/el8-path-fix

Fix policy upload for centos8

v0.3.latest.1

05 Oct 01:47
d4411de
Merge pull request #8 from Oats87/issues/rke2/386

Set the keep flag to 100000 so that we keep the last 100,000 RPMs

v0.3.testing.1 Pre-release

05 Oct 01:43
d4411de
Merge pull request #8 from Oats87/issues/rke2/386

Set the keep flag to 100000 so that we keep the last 100,000 RPMs

v0.2.testing.2

04 Sep 23:30
55deab0
fix etcd failure to start on centos 8: (#7)

addresses errors such as: `sudo ausearch -ts recent -c etcd`
```
----
time->Fri Sep  4 23:20:53 2020
type=PROCTITLE msg=audit(1599261653.116:978): proctitle=65746364002D2D636F6E6669672D66696C653D2F7661722F6C69622F72616E636865722F726B65322F7365727665722F64622F657463642F636F6E666967
type=SYSCALL msg=audit(1599261653.116:978): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=280000000 a2=1 a3=8001 items=0 ppid=28621 pid=28674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="etcd" exe="/usr/local/bin/etcd" subj=system_u:system_r:rke2_service_db_t:s0:c240,c412 key=(null)
type=AVC msg=audit(1599261653.116:978): avc:  denied  { map } for pid=28674 comm="etcd" path="/var/lib/rancher/rke2/server/db/etcd/member/snap/db" dev="vda1" ino=9135551 scontext=system_u:system_r:rke2_service_db_t:s0:c240,c412 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
```
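As an added example (not code from the rke2-selinux project), a small Python triage helper that parses audit AVC records like the ausearch output above, keeps only enforced denials from the `rke2_*` domains, and renders each one in the allow-rule shape a policy author reviews before deciding whether the policy or the file labels need fixing. The AVC record for etcd is the one from the release note; the SYSCALL record and the second `container_t` denial are constructed for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the etcd AVC record is copied from the release note above;
# the SYSCALL record and the fluent-bit/container_t denial are made up for illustration.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1599261653.116:978): arch=c000003e syscall=9 success=no exit=-13 comm="etcd"',
    'type=AVC msg=audit(1599261653.116:978): avc:  denied  { map } for pid=28674 comm="etcd" '
    'path="/var/lib/rancher/rke2/server/db/etcd/member/snap/db" dev="vda1" ino=9135551 '
    'scontext=system_u:system_r:rke2_service_db_t:s0:c240,c412 '
    'tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1599261700.000:979): avc:  denied  { read } for pid=30001 comm="fluent-bit" '
    'path="/var/log/containers/app.log" scontext=system_u:system_r:container_t:s0:c1,c2 '
    'tcontext=system_u:object_r:container_log_t:s0 tclass=lnk_file permissive=0',
]

_AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted


@dataclass
class AvcEvent:
    result: str
    perms: list
    fields: dict

    @property
    def source_type(self):
        return self.fields["scontext"].split(":")[2]  # contexts are user:role:type:level

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Return an AvcEvent for an AVC record, or None for any other audit record type."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return AvcEvent(m.group("result"), m.group("perms").split(), fields)


def denials_for_prefix(lines, prefix="rke2_"):
    """Keep only enforced (permissive=0) denials whose source domain starts with prefix."""
    events = (parse_avc(line) for line in lines)
    return [e for e in events if e and e.result == "denied"
            and e.fields.get("permissive") == "0" and e.source_type.startswith(prefix)]


def as_rule(event):
    """Render a denial as the allow rule audit2allow would print, for human review."""
    return (f"allow {event.source_type} {event.target_type}:{event.fields['tclass']} "
            f"{{ {' '.join(event.perms)} }};")
```

For the etcd record this yields `allow rke2_service_db_t container_var_lib_t:file { map };`, which is exactly the access the v0.2.testing.2 policy change grants.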

v0.2.testing.1 Pre-release

04 Sep 22:10
05866d5
custom types for static pod containers (#6)

Establish new types suitable for running static pods:
- `rke2_service_t`
- `rke2_service_db_t`

Use `rke2_service_t` for all static pods that need read-only access
to `container_var_lib_t` content under `/var/lib/rancher/rke2/server/{cred,tls}`.

Use `rke2_service_db_t` for the etcd static pod as it needs the same read
access as `rke2_service_t` as well as read/write access to `/var/lib/rancher/rke2/server/db`.