<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <span dir="ltr"><<a href="mailto:mskrivan@redhat.com" target="_blank">mskrivan@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">> On 22 Feb 2017, at 16:46, Jiri Belka <<a href="mailto:jbelka@redhat.com">jbelka@redhat.com</a>> wrote:<br>
><br>
> ----- Original Message -----<br>
>> From: "Alan Griffiths" <<a href="mailto:apgriffiths79@gmail.com">apgriffiths79@gmail.com</a>><br>
>> To: "Ovirt Users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
>> Sent: Friday, February 10, 2017 4:25:28 PM<br>
>> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7<br>
>><br>
>> Hi,<br>
>><br>
>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's<br>
>> running unconfined rather than within its own domain.<br>
>><br>
>> I see there is a rhev_agentd_exec_t<br>
<br>
</span>That sounds suspicious on its own. Are you sure you haven't mixed rhev<br>
and ovirt agents in the same guest at some point? Restoring the selinux<br>
context doesn't help?<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br></div></div></blockquote><div><br></div><div>Here the same:</div><div><div>[root@c72he20170222h1 ~]# yum list installed | grep rhev</div><div>fence-agents-rhevm.x86_64 4.0.11-47.el7_3.2 @updates </div><div>[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent</div><div>ovirt-guest-agent-common.noarch 1.0.12-4.el7 @epel </div><div>[root@c72he20170222h1 ~]# ps auxZ | grep guest-agent</div><div>system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py</div><div>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent</div><div>[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd</div><div>/var/log/rhev-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0 </div><div>/var/log/ovirt-guest-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0 </div><div>/usr/lib/systemd/system/ovirt-guest-agent.* regular file system_u:object_r:rhev_agentd_unit_file_t:s0 </div><div>/var/run/rhev-agentd\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0 </div><div>/usr/share/ovirt-guest-agent regular file system_u:object_r:rhev_agentd_exec_t:s0 </div><div>/var/run/ovirt-guest-agent\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0 </div><div>/usr/share/rhev-agent/rhev-agentd\.py regular file system_u:object_r:rhev_agentd_exec_t:s0 </div><div>/usr/share/rhev-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0 </div><div>/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0 </div></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5">
>> type, which I attempted to assign to<br>
>> ovirt-guest-agent.py but it still starts up as unconfined. Is there a<br>
>> supported process for getting ovirt-guest into its own domain? Or a reason<br>
>> why it's not possible?<br>
>><br>
>> Thanks,<br>
>><br>
>> Alan<br>
><br>
> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems<br>
> there's missing glue between systemd -> python -> GA script.<br>
><br>
> Vinzenz, any idea?<br>
><br>
> j.<br>
> ______________________________<wbr>_________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
><br>
><br>
</div></div></blockquote></div><br></div></div>
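<div>Added example, not code from the thread or from ovirt-guest-agent: a small Python check that parses <code>ps auxZ</code>-style output and flags services sitting in an unconfined domain while a labelled entrypoint appears in their command line, reporting the interpreter in argv[0] as the reason no domain transition fired. The sample <code>ps</code> lines, the <code>ls -Z</code> file types and the rhev_agentd_exec_t to rhev_agentd_t mapping are constructed assumptions, not values taken from a real guest.</div>

```python
"""Flag systemd services running unconfined although a confined domain exists.

Added example for this thread, not ovirt-guest-agent code. PS_SAMPLE is
constructed to mirror the `ps auxZ` output in the thread; EXEC_TYPES is a
constructed `ls -Z` view, and rhev_agentd_exec_t -> rhev_agentd_t is an
assumption based on the entrypoint type listed by `semanage fcontext -l`.
"""
import re

# Constructed `ps auxZ` lines: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_SAMPLE = """\
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1011 0.0 0.1 105996 4116 ? Ss 16:59 0:00 /usr/sbin/sshd -D
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
"""

# Constructed file types (what `ls -Z` would show). execve evaluates the
# type_transition on the file actually executed (argv[0]); an interpreter
# labelled bin_t therefore yields no transition, whatever the script carries.
EXEC_TYPES = {
    "/usr/bin/python": "bin_t",
    "/usr/share/ovirt-guest-agent/ovirt-guest-agent.py": "rhev_agentd_exec_t",
    "/usr/sbin/sshd": "sshd_exec_t",
}
# Entrypoint type -> domain a service started by systemd is meant to land in (assumption).
ENTRYPOINT_DOMAINS = {"rhev_agentd_exec_t": "rhev_agentd_t", "sshd_exec_t": "sshd_t"}
UNCONFINED_DOMAINS = {"unconfined_service_t", "unconfined_t", "initrc_t"}

PS_LINE = re.compile(r"^(?P<ctx>\S+)\s+\S+\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.+)$")


def domain_of(context):
    """Third field of user:role:type:range is the process type (its domain)."""
    return context.split(":")[2]


def audit(ps_output):
    """Return one finding per unconfined process whose argv names a labelled entrypoint."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        domain, argv = domain_of(m["ctx"]), m["cmd"].split()
        if domain not in UNCONFINED_DOMAINS:
            continue
        for arg in argv:
            intended = ENTRYPOINT_DOMAINS.get(EXEC_TYPES.get(arg))
            if intended:
                # argv[0] is what the kernel executed; if it is not the entrypoint,
                # that interpreter is why the service never entered `intended`.
                findings.append({"pid": int(m["pid"]), "domain": domain, "intended": intended,
                                 "entrypoint": arg, "interpreter": argv[0] if arg != argv[0] else None})
                break
    return findings


if __name__ == "__main__":
    for f in audit(PS_SAMPLE):
        print("pid {pid}: {domain}, expected {intended} via {entrypoint}; "
              "executed through {interpreter}".format(**f))
```

On a live guest the same logic applies to real `ps auxZ` and `ls -Z` output; the grep line is ignored because nothing in its argv is a labelled entrypoint.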