Bug
Resolution: Done
Blocker
Release Note Not Required

We got a report today from the CNV team that istio-cni fails on RHEL9 nodes because of SELinux. From the audit log:
type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
Apparently, for some reason, iptables-restore is not allowed to open files in /tmp. This might well be a RHEL9 bug, as this previously worked.
iptables has been deprecated in RHEL9, so we'll have to look into migrating to nftables anyway. This might be a good time. OCP 4.13 will be based on RHCOS9 and will likely have the same problem.
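As an added example (not part of the original report, nor Istio or RHEL code), here is a small Python triage helper for denials like the one above. It parses `type=AVC` records from audit.log, pulls out the source domain, target type, object class, permissions and enforcing/permissive status, and emits the `sesearch` query one would run on the node to confirm whether the loaded policy actually lacks an allow rule for that access. The sample log text is constructed for this example: the first record is the one quoted in the report, the other two are made up (one permissive AVC and one non-AVC record that must be ignored).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit records. Record 1 is the denial quoted in the report;
# records 2 and 3 are invented here to exercise the permissive and non-AVC paths.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1671679231.719:78743): avc:  denied  { open } for  pid=703303 comm="iptables-restor" path="/tmp/iptables-rules-1671679231719103294.txt128242135" dev="vda1" ino=535228 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1671679232.100:78744): avc:  denied  { read write } for  pid=703310 comm="iptables-restor" path="/tmp/iptables-rules-example" dev="vda1" ino=535229 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1671679232.100:78744): arch=c000003e syscall=257 success=no exit=-13 comm="iptables-restor"
"""

# Header of an AVC record: timestamp, serial, denied/granted, the permission set in braces,
# then the free-form key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    ts: float
    serial: int
    result: str            # "denied" or "granted"
    perms: Tuple[str, ...] # e.g. ("open",) or ("read", "write")
    comm: str
    path: str
    source_type: str       # SELinux type of the subject, e.g. iptables_t
    target_type: str       # SELinux type of the object, e.g. tmp_t
    tclass: str            # object class, e.g. file
    permissive: bool       # True if the denial was only logged, not enforced


def _type_of(context: str) -> str:
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None for non-AVC or malformed records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return AvcRecord(
        ts=float(m["ts"]),
        serial=int(m["serial"]),
        result=m["result"],
        perms=tuple(m["perms"].split()),
        comm=fields.get("comm", ""),
        path=fields.get("path", ""),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        permissive=fields.get("permissive", "0") == "1",
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    """Return all AVC records found in a blob of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def enforced_denials(records: List[AvcRecord]) -> List[AvcRecord]:
    """Only denials that actually blocked the access (permissive=0)."""
    return [r for r in records if r.result == "denied" and not r.permissive]


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Collapse records into (source_type, target_type, tclass) -> union of permissions."""
    out: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        out.setdefault((r.source_type, r.target_type, r.tclass), set()).update(r.perms)
    return out


def sesearch_command(r: AvcRecord) -> str:
    """The setools query that lists allow rules matching this access, if any exist."""
    return (f"sesearch -A -s {r.source_type} -t {r.target_type} "
            f"-c {r.tclass} -p {','.join(r.perms)}")


if __name__ == "__main__":
    for rec in enforced_denials(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{rec.comm} ({rec.source_type}) denied {rec.perms} on {rec.tclass} {rec.path} ({rec.target_type})")
        print("  check policy with:", sesearch_command(rec))
```

If `sesearch` (from setools) prints no rule for `iptables_t` on `tmp_t:file open`, the denial is a genuine policy gap rather than a mislabelled file, and `audit2allow -a` will show the rule a local module would need. Independently of how the policy question is resolved, `iptables-restore` reads its rule set from stdin when no file argument is given, so a caller that pipes the rules in instead of writing them to /tmp never touches a `tmp_t` file at all.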