The following instructions have been tested on Rancher 1.4/1.5 and CentOS 7.3. The `selinux-policy-devel` package must be installed to build the module (`yum install selinux-policy-devel`).
Create a file in the current directory (named `virtpatch.te`, for example) with the following contents. The single `allow` rule lets the container domain `svirt_lxc_net_t` create XFRM netlink sockets, which the IPsec-based Rancher networking inside containers needs; nothing else in the policy changes.

```
# Module name and version used by semodule
policy_module(virtpatch, 1.0)

# Reference the existing container domain defined in the base policy
gen_require(`
type svirt_lxc_net_t;
')

# Permit the container domain to create netlink XFRM sockets on itself
allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
```
Build it by running `make -f /usr/share/selinux/devel/Makefile`. If the build succeeds, a file named `virtpatch.pp` is created. `virtpatch.pp` is the compiled SELinux module; load it with `semodule -i virtpatch.pp`, then run `semodule -l` to verify that the module is loaded.
Lastly, ensure that the following kernel modules are loaded (`modprobe ...` to load):

- ansi_cprng
- drbg
- esp4
- veth
- xfrm4_mode_tunnel
- xfrm6_mode_tunnel
- xt_mark
- xt_nat
All Rancher networking services (as well as full Cattle environments) should now be functional on this host.
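The steps above as one script, added here as an example and not part of the original page or of Rancher. The function names, the parsing of `/proc/modules` and of `semodule -l` output, and the `apply` argument that gates the privileged steps are assumptions of this example, not anything the page prescribes; the policy text and the module list are copied from the page.

```shell
#!/bin/bash
# Added example (not from the original page): write, build and load the
# virtpatch SELinux module, then load the kernel modules Rancher needs.
set -eu

# Kernel modules listed on the page as required for Rancher networking.
REQUIRED_KMODS="ansi_cprng drbg esp4 veth xfrm4_mode_tunnel xfrm6_mode_tunnel xt_mark xt_nat"

# Write the policy source from the page to the given path (e.g. virtpatch.te).
write_policy_source() {
  cat > "$1" <<'EOF'
policy_module(virtpatch, 1.0)
gen_require(`
type svirt_lxc_net_t;
')
allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
EOF
}

# Given a /proc/modules-style listing in $1 (one module per line, name in the
# first column), print the required modules that are not loaded, in
# REQUIRED_KMODS order, separated by spaces.
missing_kmods() {
  local loaded_list=$1 name missing=""
  for name in $REQUIRED_KMODS; do
    if ! printf '%s\n' "$loaded_list" | awk -v m="$name" '$1 == m { found=1 } END { exit found ? 0 : 1 }'; then
      missing="${missing:+$missing }$name"
    fi
  done
  printf '%s\n' "$missing"
}

# Build virtpatch.pp from virtpatch.te in the current directory, load it, and
# confirm it appears in the loaded module list (assumption: `semodule -l` on
# CentOS 7 prints one module per line with the name in the first column).
build_and_load_module() {
  make -f /usr/share/selinux/devel/Makefile
  [ -f virtpatch.pp ] || { echo "build did not produce virtpatch.pp" >&2; return 1; }
  semodule -i virtpatch.pp
  semodule -l | awk '$1 == "virtpatch" { found=1 } END { exit found ? 0 : 1 }' \
    || { echo "virtpatch module is not loaded" >&2; return 1; }
}

# Load every required kernel module that /proc/modules does not list yet.
load_missing_kmods() {
  local name
  for name in $(missing_kmods "$(cat /proc/modules)"); do
    modprobe "$name"
  done
}

# Only perform the privileged steps when explicitly asked (run as root).
if [ "${1:-}" = "apply" ]; then
  write_policy_source virtpatch.te
  build_and_load_module
  load_missing_kmods
  echo "still missing kernel modules: '$(missing_kmods "$(cat /proc/modules)")'"
fi
```

Run it as `sudo ./virtpatch.sh apply` on the host; an empty `still missing kernel modules` line at the end means every module from the list is loaded. `missing_kmods` is kept free of side effects so it can be pointed at a saved `/proc/modules` from another host for comparison.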