
Resolve selinux installation issues #2394


Open
wants to merge 11 commits into
base: main
from
21 changes: 21 additions & 0 deletions pkg-new/hostutils/initialize.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"fmt"
"os"
"os/exec"
"path/filepath"

"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
Expand Down Expand Up @@ -39,6 +40,26 @@ func (h *HostUtils) ConfigureHost(ctx context.Context, rc runtimeconfig.RuntimeC
}
}

h.logger.Debugln("checking for semanage binary in $PATH")
if _, err := exec.LookPath("semanage"); err != nil {
h.logger.Debugln("semanage not found")
} else {

// Set selinux fcontext for embedded-cluster binary directory to bin_t
out, err := exec.Command("semanage", "fcontext", "-a", "-s", "system_u", "-t", "bin_t", rc.EmbeddedClusterBinsSubDir()+"(/.*)?").CombinedOutput()
if err != nil {
h.logger.Debugf("unable to set contexts on binary directory: %v", err)
h.logger.Debugln(out)
}

// Relabel whole embedded-cluster data directory since it's created with unconfined_u
out, err = exec.Command("restorecon", "-RvF", rc.EmbeddedClusterHomeDirectory()).CombinedOutput()
if err != nil {
h.logger.Debugf("unable to run restorecon: %v", err)
h.logger.Debugln(out)
}
}

h.logger.Debugf("configuring sysctl")
if err := h.ConfigureSysctl(); err != nil {
h.logger.Debugf("unable to configure sysctl: %v", err)
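Review bot: `h.logger.Debugln(out)` in both failure branches (after the semanage call and after restorecon) passes the `[]byte` from CombinedOutput straight to the logger, which renders it as a list of integers rather than the tool's text; use `h.logger.Debugln(string(out))` in both places. The two commands also ignore the `ctx` that ConfigureHost receives, even though `semanage fcontext -a` can be slow because it commits to the policy store; `exec.CommandContext(ctx, "semanage", ...)` and the same for restorecon would let a cancelled context stop them. `rc.EmbeddedClusterBinsSubDir()+"(/.*)?"` is interpreted by semanage as a regular expression, so a data directory whose path contains regex metacharacters would presumably yield a spec that does not match the intended files — worth escaping the path or adding a comment stating that assumption. Because this PR removes the host preflight that failed on enforcing mode while labeling is skipped entirely when semanage is not on PATH and failures are logged only at debug level, an enforcing host without the semanage tooling would likely pass preflights and still end up with unlabeled binaries; consider logging that condition at warn level or keeping a preflight on the tooling. ConfigureHost starts and ends outside the hunk.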
17 changes: 0 additions & 17 deletions pkg-new/preflights/host-preflight.yaml
Expand Up @@ -1180,23 +1180,6 @@ spec:
when: "connected"
message: "Successful TCP connection to {{ $element }}."
{{- end}}
- textAnalyze:
checkName: SELinux Mode
fileName: host-collectors/run-host/selinux-mode.txt
regexGroups: '(?P<Mode>Enforcing|Permissive|Disabled|Missing)'
outcomes:
- fail:
when: "Mode == Enforcing"
message: SELinux must be disabled or run in permissive mode. To run SELinux in permissive mode, edit /etc/selinux/config, change the line 'SELINUX=enforcing' to 'SELINUX=permissive', save the file, and reboot. You can run getenforce to verify the change."
- pass:
when: "Mode == Permissive"
message: SELinux is running in permissive mode.
- pass:
when: "Mode == Disabled"
message: SELinux is disabled.
- pass:
when: "Mode == Missing"
message: SELinux is not installed.
- textAnalyze:
checkName: Data Directory Permissions
fileName: host-collectors/run-host/check-data-dir-permissions.txt