rough-actor-44204
08/25/2025, 6:35 PM
type=AVC msg=audit(1756145551.603:1849): avc: denied { write } for pid=31597 comm="mkdir" name="storage" dev="sdb" ino=1031 scontext=system_u:system_r:container_t:s0:c25,c186 tcontext=system_u:object_r:k3s_data_t:s0 tclass=dir permissive=0
It looks like the data dir has the correct labels:
dev-k8re-01:/var/lib/rancher/k3s/data # ls -lZ
total 4
-rw-------. 1 root root unconfined_u:object_r:k3s_lock_t:s0 0 Aug 25 12:14 .lock
drwxr-xr-x. 1 root root system_u:object_r:k3s_data_t:s0 12 Aug 25 12:34 80f7f3b67af96d724515f635f4e1625843b453399987e9084ea0f4f67c3c2ebe
drwxr-xr-x. 1 root root system_u:object_r:k3s_data_t:s0 116 Aug 25 12:34 cni
lrwxrwxrwx. 1 root root system_u:object_r:k3s_data_t:s0 90 Aug 25 12:34 current -> /var/lib/rancher/k3s/data/80f7f3b67af96d724515f635f4e1625843b453399987e9084ea0f4f67c3c2ebe
drwxr-xr-x. 1 root root system_u:object_r:k3s_data_t:s0 0 Aug 25 12:51 storage
and pods are being started with the right context:
dev-k8re-01:/var/lib/rancher/k3s/data # ps auxZ | grep pause
system_u:system_r:container_t:s0:c99,c555 65535 3174 0.0 0.0 972 512 ? Ss 13:53 0:00 /pause
and I believe all the required packages are installed:
dev-k8re-01:/var/lib/rancher/k3s/data # zypper search -i selinux
Loading repository data...
Reading installed packages...
S | Name | Summary | Type
---+-------------------------+-------------------------------------------------+--------
i | cockpit-selinux | Cockpit SELinux package | package
i | container-selinux | SELinux policies for container runtimes | package
i+ | k3s-selinux | SELinux policy module for k3s | package
i | libselinux1 | SELinux runtime library | package
i | passt-selinux | SELinux support for passt and pasta | package
i+ | patterns-base-selinux | SELinux Support | package
i | python3-selinux | Python bindings for the SELinux runtime library | package
i+ | selinux | SELinux Support | pattern
i | selinux-policy | SELinux policy configuration | package
i | selinux-policy-targeted | SELinux targeted base policy | package
i | selinux-tools | SELinux command-line utilities | package
i | swtpm-selinux | SELinux module for the Software TPM emulator | package
I can resolve the issue by manually adjusting the storage context: chcon -t container_file_t /var/lib/rancher/k3s/data/storage
However, I don't think this is correct based on my minimal knowledge and inspection of the k3s-selinux package
hundreds-evening-84071
08/25/2025, 7:06 PM
rough-actor-44204
08/25/2025, 7:09 PM
dev-k8re-01:/var/lib # ls -lZ | grep rancher
drwxr-xr-x. 1 root root unconfined_u:object_r:var_lib_t:s0 6 Aug 25 12:14 rancher
hundreds-evening-84071
08/25/2025, 7:31 PM
rough-actor-44204
08/25/2025, 7:38 PM
storage has the container_file_t context on the systems that run fine, and k3s_data_t on the systems that fail.
hundreds-evening-84071
08/25/2025, 7:40 PM
rough-actor-44204
08/25/2025, 7:43 PM
rough-actor-44204
08/25/2025, 8:17 PM
chcon system_u:object_r:container_file_t:s0 /var/lib/rancher/k3s/data/storage/
immediately after k3s is installed because I guess I ran into this issue before and forgot. I disabled that and let the default stay: system_u:object_r:k3s_data_t:s0
After rebooting, the local provisioner helper pods start failing again due to the OP SELinux issue.
rough-actor-44204
08/25/2025, 8:20 PM
rough-actor-44204
08/26/2025, 3:01 PM
#!/usr/bin/env bash
# make sure /var is mounted before writing under it
mount /var
# fetch yq for the manifest edit below
curl -fsSL -o /usr/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
chmod +x /usr/bin/yq
export INSTALL_K3S_BIN_DIR=/usr/bin
# note the upper-case S: the installer reads INSTALL_K3S_SKIP_START (shell variables are case-sensitive)
export INSTALL_K3S_SKIP_START=true
# patch one line of the installer before piping it to sh, then install a server with --selinux
curl -fsSL https://get.k3s.io |
  sed 's#k3s >/.*#k3s; then#' | \
  sh -s - server \
    --disable=traefik \
    --disable=servicelb \
    --disable=local-storage \
    --node-name=pvctest \
    --selinux
kdir=/var/lib/rancher/k3s
k3sm=${kdir}/server/manifests
lsim=${k3sm}/local-storage-im.yaml
mkdir -p ${k3sm}
# re-add the upstream local-storage manifest with Immediate binding and the storage path under the k3s data dir
curl -fsSL -o ${lsim} https://raw.githubusercontent.com/k3s-io/k3s/refs/heads/master/manifests/local-storage.yaml
yq -i '. |= with(select(.kind == "StorageClass"); .volumeBindingMode = "Immediate" )' ${lsim}
sed -i "s/%{SYSTEM_DEFAULT_REGISTRY}%//" ${lsim}
sed -i "s#%{DEFAULT_LOCAL_STORAGE_PATH}%#${kdir}/data/storage#" ${lsim}
# a PVC pinned to this node so the provisioner helper pod runs on boot
cat <<EOF > ${k3sm}/pvctest.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    volume.kubernetes.io/selected-node: pvctest
  name: pvctest
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: local-path
  volumeMode: Filesystem
EOF
rough-actor-44204
08/26/2025, 3:03 PM
script.sh, make it executable, then run transactional-update run ./script.sh and reboot. After the system comes back up you can see that the local-provisioner helper pod is failing to create the volume.
average-appointment-24470
08/26/2025, 7:01 PM
# Rule 3: Allow the container runtime to manage its storage directory.
# This grants the necessary permissions for the local-path-provisioner
# to create, modify, and delete directories and files within its storage path.
allow container_runtime_t var_lib_t:dir { add_name create getattr setattr search write remove_name };
allow container_runtime_t var_lib_t:file { create setattr unlink write };
Saw one of my clusters running this custom policy to fix local path provisioner errors 🙂