k3s and SELinux

The K3s installer ships and installs SELinux policies by default when the host has SELinux enabled (Enforcing or Permissive mode) and an RPM-based package manager (yum/dnf) is available.

Applying SELinux policies manually after K3s has already been deployed may overwrite critical configurations, potentially leading to operational issues. This guide explains how K3s handles SELinux, how to verify its proper configuration, and how to restore SELinux policies if they are overwritten.

How k3s handles SELinux

  1. Automatic Installation of SELinux Policies

    • If SELinux is enabled on the host system, K3s automatically installs its required SELinux policy package (k3s-selinux).

    • The package loads the k3s policy module into the system policy store. Check that it is present with semodule -l | grep k3s; the file-context rules it defines are listed by semanage fcontext -l | grep /var/lib/rancher/k3s.

  2. SELinux Package Dependency

    • K3s requires the container-selinux package to be installed for proper SELinux support.

    • If it is missing, the installer pulls it in as a dependency of the k3s-selinux RPM on RPM-based distributions (CentOS/RHEL and derivatives).

  3. Manually Disabling SELinux Support

    • If you don't want the installer to manage SELinux rules, set the following in the installer's environment before running it:

      INSTALL_K3S_SKIP_SELINUX_RPM=true
    • The installer then skips installing the k3s-selinux package (and with it the container-selinux dependency); you are responsible for installing and maintaining a policy yourself.

  4. Checking SELinux Mode
    You can verify SELinux mode with:

    # getenforce

    Expected output:

    • Enforcing: SELinux is actively enforcing policies.

    • Permissive: SELinux logs policy violations but does not enforce them; the installer still installs the policies in this mode.

    • Disabled: SELinux is off, and the installer does not install any policies.

Verifying k3s SELinux policy

If SELinux policies are overwritten after K3s has been deployed, K3s components may be denied access to their own files. This section provides step-by-step checks to identify what is missing; the next section restores the policies.

Before restoring SELinux policies, verify the current configuration to identify any missing components.

1. Check if the K3s SELinux package is installed:

rpm -qa | grep k3s-selinux

Expected output: The installed k3s-selinux package along with its version number.

2. Verify the container-selinux package is installed:

rpm -qa | grep container-selinux

This package is a prerequisite for k3s-selinux.

3. Check the SELinux context of the K3s binary:

ls -Z /usr/local/bin/k3s

Expected output: The binary should have the container_runtime_exec_t context.

4. (Optional) Verify storage directory SELinux contexts:

ls -Z /var/lib/rancher/k3s/storage

Expected output: The directory should have the container_file_t context.

5. Confirm SELinux is running in enforcing mode:

getenforce

Expected output: Enforcing (indicating SELinux is active). In Permissive mode the cluster keeps working even with a broken policy, because denials are only logged; step 6 shows whether they occur.

6. Check for any SELinux denials related to K3s:

ausearch -m avc -ts recent | grep k3s

ausearch needs root and a running auditd (denials are also written to /var/log/audit/audit.log). It prints whole events, so one denial usually appears as an AVC record followed by a SYSCALL record with the same event ID, and both match grep k3s. Denials from pod processes carry the container's own comm= value and are not matched by grep k3s.

If no denials are found, K3s is functioning properly with SELinux. If denials exist, proceed with restoring the policies.
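The checks above, as an added script written for this article (it is not code from the k3s or k3s-selinux projects). The live checks need root and only run when the script is invoked with --run; the label and audit-log parsing helpers run anywhere and are exercised on a constructed audit sample embedded in the script. The file name k3s-selinux-check.sh, the --run flag and the sample audit lines are assumptions made for the example.

```bash
#!/usr/bin/env bash
# k3s-selinux-check.sh: added example for this article, not part of k3s or k3s-selinux.
# Runs the verification steps above and parses their output. Live checks need root
# (rpm, stat, getenforce, ausearch) and only run with --run.
set -u

# Expected paths and types, taken from the checks above.
K3S_BIN=/usr/local/bin/k3s
K3S_BIN_TYPE=container_runtime_exec_t
K3S_STORAGE=/var/lib/rancher/k3s/storage
K3S_STORAGE_TYPE=container_file_t

# Constructed sample of `ausearch -m avc -ts recent` output (not from a real host).
# ausearch prints whole events: the AVC record for a denial is followed by its
# SYSCALL record, and that SYSCALL line also contains the k3s path.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="k3s-server" name="token" dev="dm-0" ino=789 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="k3s-server" exe="/usr/local/bin/k3s" subj=system_u:system_r:container_runtime_t:s0 key=(null)
type=AVC msg=audit(1700000001.000:457): avc:  denied  { read } for  pid=2222 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Type field of a full label: system_u:object_r:container_file_t:s0 -> container_file_t
label_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when a label carries the expected type. Usage: check_type <label> <type>
check_type() {
  [ "$(label_type "$1")" = "$2" ]
}

# Count AVC records (not SYSCALL records) whose process name starts with k3s,
# i.e. k3s-server or k3s-agent, in audit output read from stdin. A plain
# `grep k3s` would also count the SYSCALL line with exe="/usr/local/bin/k3s".
count_k3s_denials() {
  grep -c 'type=AVC .*comm="k3s[^"]*"' || true
}

# Live: compare the label on a path with the expected type (stat -c %C prints the label).
check_path() {
  local label
  if [ ! -e "$1" ]; then echo "FAIL $1 does not exist"; return 1; fi
  label=$(stat -c %C "$1")
  if check_type "$label" "$2"; then
    echo "ok   $1 is $label"
  else
    echo "FAIL $1 is $label, expected type $2"; return 1
  fi
}

# Live checks. Prints one line per check and returns the number of failures,
# so the script can gate automation (0 = all checks passed).
run_checks() {
  local failures=0 pkg mode denials
  for pkg in k3s-selinux container-selinux; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      echo "ok   $(rpm -q "$pkg")"
    else
      echo "FAIL $pkg is not installed"; failures=$((failures + 1))
    fi
  done
  check_path "$K3S_BIN" "$K3S_BIN_TYPE" || failures=$((failures + 1))
  check_path "$K3S_STORAGE" "$K3S_STORAGE_TYPE" || failures=$((failures + 1))
  mode=$(getenforce)
  if [ "$mode" = Enforcing ]; then
    echo "ok   SELinux is Enforcing"
  else
    echo "FAIL SELinux is $mode"; failures=$((failures + 1))
  fi
  # Permissive hosts still log denials, so this check matters in either mode.
  denials=$(ausearch -m avc -ts recent 2>/dev/null | count_k3s_denials)
  if [ "$denials" -eq 0 ]; then
    echo "ok   no recent AVC denials for k3s"
  else
    echo "FAIL $denials recent AVC denial(s) for k3s"; failures=$((failures + 1))
  fi
  echo "$failures check(s) failed"
  return "$failures"
}

# Stand-alone demonstration on the constructed sample, then live checks on request.
echo "sample audit data contains $(printf '%s\n' "$SAMPLE_AUDIT" | count_k3s_denials) k3s denial(s)"
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

On the sample data count_k3s_denials reports one denial, while grep -c k3s over the same lines reports two, because the SYSCALL record of the same event also mentions the k3s binary; counting AVC records by comm= avoids that double counting. The exit status of run_checks is the number of failed checks, which makes the script usable from configuration management or a cron job.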

Restoring SELinux Policies

If SELinux policies are overwritten or missing, follow these steps to restore them:

1. Install Required SELinux Packages

Ensure the necessary SELinux packages are installed.

sudo yum install -y container-selinux

2. Install the K3s SELinux Policy Package

Download and install the latest K3s SELinux policy package:

The instructions below are for RHEL 9 (el9). For other versions, adjust the download link to the matching asset on the k3s-selinux releases page.

sudo yum install -y https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el9.noarch.rpm

3. Apply the Correct SELinux Context to the K3s Binary

sudo chcon -t container_runtime_exec_t /usr/local/bin/k3s

Make the context persistent:

sudo semanage fcontext -a -t container_runtime_exec_t /usr/local/bin/k3s
sudo restorecon -v /usr/local/bin/k3s

If semanage reports that the context is already defined, a rule for this path is already in policy (the k3s-selinux package provides one); only the restorecon step is needed.

4. Set Contexts for K3s Data Directories

sudo semanage fcontext -a -t container_runtime_exec_t "/var/lib/rancher/k3s/data/.*\.so.*"
sudo semanage fcontext -a -t container_runtime_exec_t "/var/lib/rancher/k3s/data/[^/]*"

Apply the contexts:

sudo restorecon -R /var/lib/rancher/k3s/data/

These commands add local rules alongside the ones shipped by the k3s-selinux package. Compare them with the package's own rules (semanage fcontext -l | grep /var/lib/rancher/k3s) and remove a local rule with semanage fcontext -d "<spec>" if it conflicts with them.

5. Set Contexts for the K3s Agent Directory

sudo semanage fcontext -a -t container_runtime_exec_t "/var/lib/rancher/k3s/agent/.*"
sudo restorecon -R /var/lib/rancher/k3s/agent/

The agent directory also holds containerd state and image layers (under agent/containerd), so check the resulting labels against the package's rules, as in step 4, before relying on this rule.

6. Restart K3s

After applying the SELinux contexts, restart the K3s service (k3s on server nodes, k3s-agent on agent nodes):

sudo systemctl restart k3s

7. Verify K3s Binary SELinux Context

Confirm that the K3s binary has the correct SELinux context:

ls -Z /usr/local/bin/k3s

8. Check for Remaining SELinux Denials

Ensure there are no new SELinux denials related to K3s:

sudo ausearch -m avc -ts recent | grep k3s

If denials persist, additional policy adjustments may be required.
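Steps 3 to 5 above fail on a second run, because semanage fcontext -a refuses to add a rule whose spec is already defined. The following added script, written for this article (not code from the k3s or k3s-selinux projects), makes the relabel steps idempotent by checking the semanage fcontext -l listing before adding a rule. The file name k3s-selinux-restore.sh, the --run flag and the embedded sample listing are assumptions made for the example; the spec/type pairs are the ones from the steps above and should be edited to match the policy you installed.

```bash
#!/usr/bin/env bash
# k3s-selinux-restore.sh: added example for this article, not part of k3s or k3s-selinux.
# Applies the file-context rules from the restore steps above idempotently.
# Live commands (semanage, restorecon) need root and only run with --run.
set -u

# Constructed sample of `semanage fcontext -l` output (not from a real host).
# The spec is the first column; the type column may contain a space.
SAMPLE_FCONTEXT='SELinux fcontext                        type               Context
/usr/local/bin/k3s                      regular file       system_u:object_r:container_runtime_exec_t:s0
/var/lib/rancher/k3s/data/.*\.so.*      all files          system_u:object_r:container_runtime_exec_t:s0
/var/lib/rancher/k3s/storage(/.*)?      all files          system_u:object_r:container_file_t:s0'

# Exit 0 when the listing on stdin already contains a rule for exactly this spec.
# The spec is passed through the environment rather than awk -v, because -v
# expands backslash escapes and would turn '\.so' into '.so'.
fcontext_defined() {
  SPEC="$1" awk '$1 == ENVIRON["SPEC"] { found = 1 } END { exit found ? 0 : 1 }'
}

# Add a rule only when it is missing, so the function can be re-run safely
# (a second `semanage fcontext -a` for the same spec fails with "already defined").
ensure_fcontext() {
  local spec=$1 type=$2
  if semanage fcontext -l | fcontext_defined "$spec"; then
    echo "rule for $spec already defined, not adding"
  else
    semanage fcontext -a -t "$type" "$spec"
    echo "added $spec -> $type"
  fi
}

# The rules from steps 3 to 5 above, then a relabel from the combined policy
# and local rules. Edit this list to match the policy version you installed.
restore_labels() {
  ensure_fcontext '/usr/local/bin/k3s'                 container_runtime_exec_t
  ensure_fcontext '/var/lib/rancher/k3s/data/.*\.so.*' container_runtime_exec_t
  ensure_fcontext '/var/lib/rancher/k3s/data/[^/]*'    container_runtime_exec_t
  ensure_fcontext '/var/lib/rancher/k3s/agent/.*'      container_runtime_exec_t
  restorecon -Rv /usr/local/bin/k3s /var/lib/rancher/k3s/data /var/lib/rancher/k3s/agent
}

# Stand-alone demonstration on the constructed listing, then the live run on request.
if printf '%s\n' "$SAMPLE_FCONTEXT" | fcontext_defined '/usr/local/bin/k3s'; then
  echo "sample listing already defines /usr/local/bin/k3s"
fi
if [ "${1:-}" = "--run" ]; then
  restore_labels
fi
```

After restore_labels finishes, restart the service and run the verification checks again; the spec comparison is literal, so a package rule with a different regex for the same directory (for example /var/lib/rancher/k3s/data(/.*)? versus /var/lib/rancher/k3s/data/[^/]*) is not treated as the same rule, and the local rule is added alongside it.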

Following these steps ensures that the required SELinux policies for K3s are properly restored, preventing disruptions caused by overwritten policies. Regularly checking SELinux contexts and logs can help maintain system stability and security.

Classified as Getvisibility - Partner/Customer Confidential