We have started updating our instances to the latest released version `2023.6.20241010`, and this is causing issues on the hosts where we run k3s workloads.

We have been running the `enforced` mode on these hosts for a long time without problems, but after updating the system to `2023.6.20241010`, k3s started dying with audit log selinux messages. Setting selinux to `permissive` made it work again.

After the update, a simple reinstall of the `container-selinux` package fails with the error `Failed to resolve AST`:
```
$ sudo dnf install -y container-selinux
Last metadata expiration check: 0:21:22 ago on Fri Oct 25 08:03:48 2024.
Dependencies resolved.
===========================================================================================================================================================================================================
 Package                                   Architecture                  Version                                          Repository                                  Size
===========================================================================================================================================================================================================
Installing:
 container-selinux                         noarch                        2:2.222.0-325.amzn2023                           amazonlinux                                 55 k

Transaction Summary
===========================================================================================================================================================================================================
Install  1 Package

Total download size: 55 k
Installed size: 67 k
Downloading Packages:
container-selinux-2.222.0-325.amzn2023.noarch.rpm                                                                                                          187 kB/s |  55 kB     00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                      104 kB/s |  55 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                   1/1
  Running scriptlet: container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1
  Installing       : container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1
  Running scriptlet: container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:2891
Failed to resolve AST
/usr/sbin/semodule:  Failed!

  Verifying        : container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1

Installed:
  container-selinux-2:2.222.0-325.amzn2023.noarch

Complete!
```
Interestingly, the dnf command succeeds, even though it clearly failed, and no semodule was installed for `container`, as we can see on hosts where we have not yet updated:
```
$ sudo semodule --list=full | grep -e container -e cgroup
100 cgroup    pp
# No `200 container pp` as expected
```
The `container-selinux` available in the repo has `Build Date : Thu Oct 5 00:52:53 2023`. Building `container-selinux-2.222.0-325.amzn2023.src.rpm` on Amazon Linux `2023.6.20241010`, there are no errors installing the package, and the module is available:
The package seems to have been bumped to `2.222.0-325.amzn2023` a long time ago, so we assume this is something with the system update in this release, see release notes for `2023.2.20231018`: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.2.20231018.html

Checking dmesg, we can see the following error, pointing to `user_namespace` not being defined:

```
[ 60.080300] SELinux:  Class user_namespace not defined in policy.
[ 60.080790] SELinux: the above unknown classes and permissions will be allowed
[ 60.081446] SELinux:  Converting 341 SID table entries...
[ 60.088132] SELinux:  policy capability network_peer_controls=1
[ 60.088604] SELinux:  policy capability open_perms=1
[ 60.088986] SELinux:  policy capability extended_socket_class=1
[ 60.089444] SELinux:  policy capability always_check_network=0
[ 60.089889] SELinux:  policy capability cgroup_seclabel=1
[ 60.090298] SELinux:  policy capability nnp_nosuid_transition=1
[ 60.090748] SELinux:  policy capability genfs_seclabel_symlinks=1
[ 60.091212] SELinux:  policy capability ioctl_skip_cloexec=0
```
Any hints will be appreciated, thanks.
/cc @bufferoverflow
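The report above shows two things a host-hardening pipeline should not take on trust: `dnf` returned `Complete!` although the `semodule` scriptlet failed, and the kernel logged an object class (`user_namespace`) that the loaded policy does not define, which makes it fall back to allowing the unknown class. The script below is an added example written for this page; it is not code from the issue author, from Amazon Linux or from `container-selinux`. It parses `semodule --list=full` and `dmesg` output to flag exactly those two conditions, so an upgrade job can fail on them instead of on the package manager's exit status. The module name `container`, the class name `user_namespace` and the sample inputs are constructed from the report, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the issue author: post-update checks for the failure
# mode reported above, where dnf exits 0 although the container-selinux
# scriptlet failed, so the "container" module is missing from the loaded policy
# while the kernel logs an object class the policy does not define.
#
# Assumptions (not from the issue): the module name "container", the class name
# "user_namespace", and the sample inputs below, which are constructed.

# module_loaded "<semodule --list=full output>" <name>
# Returns 0 if a module with that name is listed at any priority, else 1.
# Lines look like "100 cgroup pp": priority, module name, module type.
module_loaded() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $2 == name { found = 1 }
        END { exit found ? 0 : 1 }'
}

# undefined_classes "<dmesg text>"
# Prints each object class the kernel reported as "not defined in policy",
# one per line; prints nothing when no such message is present.
undefined_classes() {
    printf '%s\n' "$1" |
        sed -n 's/.*SELinux: *Class \([A-Za-z0-9_]*\) not defined in policy.*/\1/p'
}

# class_defined <class>
# Returns 0 if the running kernel's loaded policy defines the class (the kernel
# exposes one directory per class under /sys/fs/selinux/class), else 1.
class_defined() {
    [ -d "/sys/fs/selinux/class/$1" ]
}

# Constructed sample data mirroring the report; not captured from a real host.
SAMPLE_MODULES_BROKEN='100 cgroup pp'
SAMPLE_MODULES_OK='100 cgroup pp
200 container pp'
SAMPLE_DMESG='[ 60.080300] SELinux:  Class user_namespace not defined in policy.
[ 60.080790] SELinux: the above unknown classes and permissions will be allowed
[ 60.088604] SELinux:  policy capability open_perms=1'

# verify_host: run the same checks against the live system. Returns non-zero
# when the module is missing or an undefined class was logged, so it can gate
# the rest of an upgrade pipeline instead of trusting dnf's exit status.
verify_host() {
    rc=0
    if ! module_loaded "$(semodule --list=full 2>/dev/null)" container; then
        echo "container SELinux module is not loaded" >&2
        rc=1
    fi
    for cls in $(undefined_classes "$(dmesg 2>/dev/null)"); do
        echo "kernel reports class '$cls' missing from the loaded policy" >&2
        rc=1
    done
    return $rc
}

# Only touch the live system when asked; the functions above work offline.
if [ "${1:-}" = "--live" ]; then
    verify_host
fi
```

Run it with `--live` (as root, so `semodule` can read the policy store) right after the update step; a non-zero exit means enforcement is not actually back to the state the package claims. The `class_defined` helper covers the other half of the picture: if `/sys/fs/selinux/class/user_namespace` is missing on a host whose kernel logs the message above, the gap is in the installed policy, not in the kernel.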