From 429e9d4966d070dface71771cf607eac3f93b3b1 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Mon, 24 Feb 2020 16:07:03 -0700
Subject: [PATCH] Don't require selinux utils and require k3s_selinux

If you are installing k3s on a selinux enforcing system then we required that you also install k3s_selinux RPM to put in the proper policy.
---
 install.sh | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/install.sh b/install.sh
index d364e12d4e..362347f3a6 100755
--- a/install.sh
+++ b/install.sh
@@ -276,15 +276,6 @@ verify_downloader() {
 return 0
 }
-# --- verify existence of semanage when SELinux is enabled ---
-verify_semanage() {
- if [ -x "$(which getenforce)" ]; then
- if [ "Disabled" != $(getenforce) ] && [ ! -x "$(which semanage)" ]; then
- fatal 'SELinux is enabled but semanage is not found'
- fi
- fi
-}
-
 # --- create tempory directory and cleanup when done ---
 setup_tmp() {
 TMP_DIR=$(mktemp -d -t k3s-install.XXXXXXXXXX)
@@ -396,13 +387,9 @@ setup_binary() {
 $SUDO chown root:root ${TMP_BIN}
 $SUDO mv -f ${TMP_BIN} ${BIN_DIR}/k3s
- if command -v getenforce > /dev/null 2>&1; then
- if [ "Disabled" != $(getenforce) ]; then
- info 'SELinux is enabled, setting permissions'
- if ! $SUDO semanage fcontext -l | grep "${BIN_DIR}/k3s" > /dev/null 2>&1; then
- $SUDO semanage fcontext -a -t bin_t "${BIN_DIR}/k3s"
- fi
- $SUDO restorecon -v ${BIN_DIR}/k3s > /dev/null
+ if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s 2>/dev/null 2>&1; then
+ if $SUDO grep SELINUX=enforcing /etc/selinux/config >/dev/null 2>&1; then
+ fatal "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, please install k3s_selinux RPM"
 fi
 fi
 }
@@ -417,7 +404,6 @@ download_and_verify() {
 setup_verify_arch
 verify_downloader curl || verify_downloader wget || fatal 'Can not find curl or wget for downloading files'
- verify_semanage
 setup_tmp
 get_release_version
 download_hash
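Review bot: In the setup_binary hunk the fatal path is gated on `grep SELINUX=enforcing /etc/selinux/config`, which reflects the boot-time configuration rather than the running mode, so a host switched to enforcing at runtime or from the kernel command line carries on with an unlabelled binary; the unanchored pattern would also match a commented-out `#SELINUX=enforcing` line. The live state can be read without any SELinux utilities: `if [ "$(cat /sys/fs/selinux/enforce 2>/dev/null)" = "1" ]; then`. Separately, `2>/dev/null 2>&1` on the chcon line leaves stderr pointing at stdout, so chcon's error text is printed on every host where the call fails; `>/dev/null 2>&1` is presumably what was intended. When chcon fails on a permissive host nothing is reported at all, so an `info` line in that branch would tell the operator that `container_runtime_exec_t` was not applied. The start of setup_binary is outside the hunk.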