The following instructions have been tested on Rancher 1.4/1.5 and CentOS 7.3.
The selinux-policy-devel package must be installed to build the module (yum install selinux-policy-devel).
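Create a file in the current directory (named virtpatch.te, for example) with the following contents. The module adds a single allow rule that lets processes in the svirt_lxc_net_t container domain create and use netlink XFRM sockets.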
    policy_module(virtpatch, 1.0)

    gen_require(`
        type svirt_lxc_net_t;
    ')

    allow svirt_lxc_net_t self:netlink_xfrm_socket create_netlink_socket_perms;
This can be built by running make -f /usr/share/selinux/devel/Makefile. You should see a file named virtpatch.pp created if the build was successful.
virtpatch.pp is the compiled SELinux module and can be loaded with semodule -i virtpatch.pp. You can run semodule -l to verify that the module is loaded.
Lastly, ensure that the following kernel modules are loaded (modprobe ... to load).
ansi_cprng
drbg
esp4
veth
xfrm4_mode_tunnel
xfrm6_mode_tunnel
xt_mark
xt_nat
All Rancher networking services (as well as full Cattle environments) should now be functional on this host.
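To confirm the steps above on a host, the following check can be used. It is an added example, not part of the original instructions or of Rancher's tooling; the function names, the command-line switches and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original instructions or of Rancher's tooling.
# Kernel modules listed on this page.
REQUIRED_KMODS="ansi_cprng drbg esp4 veth xfrm4_mode_tunnel xfrm6_mode_tunnel xt_mark xt_nat"

# Constructed sample in /proc/modules format (sizes and addresses are made up).
SAMPLE_PROC_MODULES='veth 13410 0 - Live 0xffffffffc0000000
esp4 17180 0 - Live 0xffffffffc0001000
xt_nat 12681 2 - Live 0xffffffffc0002000
drbg 30000 1 - Live 0xffffffffc0003000
xt_mark 12563 1 - Live 0xffffffffc0004000'

# Print each required module missing from /proc/modules-format text on stdin.
# Assumption: the modules are loadable, not built into the kernel (built-ins
# never appear in /proc/modules).
missing_kmods() {
    loaded=$(awk '{print $1}')
    for m in $REQUIRED_KMODS; do
        printf '%s\n' "$loaded" | grep -qxF "$m" || printf '%s\n' "$m"
    done
}

# Succeed if `semodule -l` output on stdin lists virtpatch. Matching the first
# field handles both "name<TAB>version" and name-only listings.
policy_loaded() {
    awk '$1 == "virtpatch" { found = 1 } END { exit !found }'
}

# Emit one module per line, the format systemd reads from
# /etc/modules-load.d/*.conf, so the modprobe step survives a reboot.
modules_load_conf() {
    printf '%s\n' $REQUIRED_KMODS
}

# Check the live host; returns non-zero if any step above is incomplete.
check_host() {
    rc=0
    semodule -l | policy_loaded || { echo "SELinux module virtpatch not loaded" >&2; rc=1; }
    for m in $(missing_kmods < /proc/modules); do
        echo "kernel module not loaded: $m" >&2; rc=1
    done
    return $rc
}

case "${1:-}" in
    --check) check_host ;;
    --conf)  modules_load_conf ;;
    --demo)  printf '%s\n' "$SAMPLE_PROC_MODULES" | missing_kmods ;;
esac
```

Run it with --check on the host after loading the policy module and kernel modules. The --conf output can be saved as a .conf file under /etc/modules-load.d/ so the kernel modules are loaded again at boot.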