K3s: SELinux is preventing (k3s) from execute access on the file k3s

Created on 14 Mar 2019 · 6 Comments · Source: k3s-io/k3s

Describe the bug
I am trying to get through a first time install of k3s. I followed the very simple directions and it failed.

This shouldn't take long…
    curl -sfL https://get.k3s.io | sh -
    # Check for Ready node, takes maybe 30 seconds
    k3s kubectl get node

To Reproduce

$ curl -sfL https://get.k3s.io | sh -
[INFO]  Finding latest release
[INFO]  Using v0.2.0 as release
[INFO]  Downloading hash https://github.com/rancher/k3s/releases/download/v0.2.0/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/rancher/k3s/releases/download/v0.2.0/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[sudo] password for dagostinelli: 
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  systemd: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s
Job for k3s.service failed because the control process exited with error code.
See "systemctl status k3s.service" and "journalctl -xe" for details.

Hmm, so:

$ sudo systemctl enable k3s
$ sudo systemctl start k3s
Job for k3s.service failed because the control process exited with error code.
See "systemctl status k3s.service" and "journalctl -xe" for details.

Then:

$ sudo journalctl -xe

Mar 13 21:33:14 mycomputer setroubleshoot[7317]: SELinux is preventing (k3s) from execute access on the file k3s. For complete SELinux messages run: sealert -l cff0b5ab-691a-4e44-b47a-d89a9>
Mar 13 21:33:14 mycomputer python3[7317]: SELinux is preventing (k3s) from execute access on the file k3s.

                                          *****  Plugin catchall (100. confidence) suggests   **************************

                                          If you believe that (k3s) should be allowed execute access on the k3s file by default.
                                          Then you should report this as a bug.
                                          You can generate a local policy module to allow this access.
                                          Do
                                          allow this access for now by executing:
                                          # ausearch -c '(k3s)' --raw | audit2allow -M my-k3s
                                          # semodule -X 300 -i my-k3s.pp

Expected behavior
It should just work as described.

This shouldn't take long…
    curl -sfL https://get.k3s.io | sh -
    # Check for Ready node, takes maybe 30 seconds
    k3s kubectl get node

Screenshots
N/A

Additional context
I'm not too keen on "just disable selinux". I could, however, install the module that audit2allow says to install. But should I? Is that what you'd like us to do? I'll do it, if that's your recommendation.

My machine is Fedora Linux. F29 to be exact.

All 6 comments

You just need to set the context:

sudo semanage fcontext -a -t bin_t "/usr/local/bin/k3s"
sudo restorecon -v /usr/local/bin/k3s

I see your PR. I'm glad that you are going to fix this.

BTW, in my case, just plain sudo restorecon -v /usr/local/bin/k3s seemed to be enough.

Also, it looks like there is also a k3s-uninstall.sh file in there. I didn't bother investigating anything and just ran restorecon on that as well: sudo restorecon -v /usr/local/bin/k3s-uninstall.sh
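
The check-then-relabel sequence from the two comments above, as an added example that is not part of the original thread or of the k3s installer: it reads the binary's current SELinux type and runs `semanage`/`restorecon` only when that type is not `bin_t`. The function names, the `--apply` switch and the sample labels in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the SELinux type on the k3s binary and relabel it
# only when needed. Function names are hypothetical; sample labels are constructed.

K3S_BIN=/usr/local/bin/k3s   # install path from the installer log above
WANT_TYPE=bin_t              # type used in the semanage command above

# Print the type field of a context string (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the context's type is not the wanted type.
# e.g. constructed label "unconfined_u:object_r:user_tmp_t:s0" vs bin_t
needs_relabel() {
    [ "$(selinux_type "$1")" != "$2" ]
}

# Relabel $1 to type $2 if its current type differs.
# Returns 2 if the file is missing.
fix_label() {
    fl_path=$1
    fl_want=${2:-$WANT_TYPE}
    [ -e "$fl_path" ] || { echo "missing: $fl_path" >&2; return 2; }
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" = Disabled ]; then
        echo "SELinux not active; nothing to do"
        return 0
    fi
    fl_cur=$(stat -c %C "$fl_path")      # GNU stat: %C prints the SELinux context
    echo "current: $fl_cur"
    if needs_relabel "$fl_cur" "$fl_want"; then
        # Record the rule in the local policy store, then apply it to the file.
        sudo semanage fcontext -a -t "$fl_want" "$fl_path"
        sudo restorecon -v "$fl_path"
    else
        echo "already $fl_want; leaving as is"
    fi
}

# Run only when asked: sh fix-k3s-label.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fix_label "$K3S_BIN"
fi
```

Unlike the `audit2allow` module suggested by setroubleshoot, this changes only the file's label and adds no new allow rules to the policy.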

Reopening for testing

This seems to be working properly as tested:

$ setenforce
$ getenforce

Enforcing

$ sudo curl -sfL https://get.k3s.io | sh -

[INFO] Finding latest release
[INFO] Using v0.2.0 as release
[INFO] Downloading hash https://github.com/rancher/k3s/releases/download/v0.2.0/sha256sum-arm64.txt
[INFO] Downloading binary https://github.com/rancher/k3s/releases/download/v0.2.0/k3s-arm64
[INFO] Verifying binary download
[INFO] Installing k3s to /usr/local/bin/k3s
[INFO] SeLinux is enabled, setting permissions
[INFO] Creating /usr/local/bin/kubectl symlink to k3s
[INFO] Creating /usr/local/bin/crictl symlink to k3s
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO] systemd: Creating environment file /etc/systemd/system/k3s.service.env
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service
[INFO] systemd: Enabling k3s unit
Created symlink from /etc/systemd/system/multi-user.target.wants/k3s.service to /etc/systemd/system/k3s.service.
[INFO] systemd: Starting k3s

$ k3s kubectl get nodes

NAME STATUS ROLES AGE VERSION
ip-172-31-26-0.ec2.internal Ready 4s v1.13.4-k3s.1

Thank you for testing @mak3r!

I have SELinux enabled. I followed this issue's comments. I set "setenforce Enforcing", I installed k3s again with sudo curl -sfL https://get.k3s.io | sh -, and I ran the command k3s kubectl get nodes, but still the output is No resources found.

Nevertheless, k3s kubectl get namespaces returns the expected output:

NAME              STATUS   AGE
default           Active   130m
kube-node-lease   Active   130m
kube-public       Active   130m
kube-system       Active   130m