About rancher-selinux
To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM.
The rancher-selinux RPM only contains policies for the rancher-logging application.
The rancher-selinux GitHub repository is here.
Installing the rancher-selinux RPM
The rancher-selinux RPM was tested with CentOS 7, 8 and 9.
1. Set up the yum repo
Set up the yum repo to install rancher-selinux directly on all hosts in the cluster.
In order to use the RPM repository, on a CentOS 7 or RHEL 7 system, run the following bash snippet:
# cat << EOF > /etc/yum.repos.d/rancher.repo
[rancher]
name=Rancher
baseurl=https://rpm.rancher.io/rancher/production/centos/7/noarch
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
EOF
In order to use the RPM repository, on a CentOS 8 or RHEL 8 system, run the following bash snippet:
# cat << EOF > /etc/yum.repos.d/rancher.repo
[rancher]
name=Rancher
baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
EOF
In order to use the RPM repository, on a CentOS 9 or RHEL 9 system, run the following bash snippet:
# cat << EOF > /etc/yum.repos.d/rancher.repo
[rancher]
name=Rancher
baseurl=https://rpm.rancher.io/rancher/production/centos/9/noarch
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
EOF
2. Installing the RPM
Install the RPM:
yum -y install rancher-selinux
Configuring the Logging Application to Work with SELinux
Logging v2 was tested with SELinux on RHEL/CentOS 7, 8 and 9.
Applications do not automatically work once the rancher-selinux RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM.
To configure the rancher-logging chart to be SELinux aware, change global.seLinux.enabled to true in the values.yaml when installing the chart.