On 11 May 2016, at 15:24, Cam Mac <iucounu(a)gmail.com> wrote:

Thanks Michal, if reinstalling the engine (which also had SELinux disabled at install), would the best way be to back up the engine and then restore just the oVirt config?

For engine... well, VM security is not related to that; those are running on hypervisors, not the engine. So for any functionality/security it’s irrelevant what SELinux state it’s in.

I’m not sure if relabeling with restorecon is not enough (it should work also on nodes, but as I said, it’s likely more safe to reinstall just to be really really sure :)

Simone, am I right about the restorecon for engine?

Cheers,

Cam

On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote:

> On 11 May 2016, at 15:02, Cam Mac <iucounu(a)gmail.com> wrote:
>
> Hi,
>
> In the oVirt guide, it says that "SELinux is being used by default on oVirt Node", but then goes on to say that if you have problems you should set it to permissive mode. I have had a few things fail due to being blocked by SELinux on a node I later enabled SELinux on, as it was off at install time. The other node has had SELinux on from the start and so far has not had any oVirt operations blocked. I am guessing that the oVirt install process creates the necessary rules to allow vdsm to run under SELinux. So if you want to set SELinux to enforcing after installation, is there a script to do this, or is it better to just reinstall the node or engine, rather than trying to work out the individual exceptions?

For oVirt node it’s easier to reinstall it; it doesn’t persist much and it’s the easiest way to get the labelling right.

Thanks,
michal

>
> Thanks,
>
> Cam
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
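
As an added example (not part of the thread, and not oVirt's own tooling): one way to tell the relabeling problem discussed above apart from genuine policy denials is to run in permissive mode and triage the AVC records. Denials whose target type is `unlabeled_t` point at files that carry no SELinux label, as happens to files created while SELinux was disabled; the rest are ordinary policy denials. The sample records, domains and paths below are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage SELinux AVC denials gathered in permissive mode.
# SAMPLE_AUDIT is constructed; its domains, commands and paths are illustrative
# and are not oVirt's actual policy. On a real host, pipe in
# /var/log/audit/audit.log or the output of `ausearch -m avc`.

SAMPLE_AUDIT='type=AVC msg=audit(1462975440.101:210): avc:  denied  { read } for  pid=2301 comm="vdsm" name="a.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462975441.220:211): avc:  denied  { open } for  pid=2301 comm="vdsm" path="/data/a.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462975450.007:215): avc:  denied  { search } for  pid=2410 comm="qemu-kvm" name="images" dev="dm-0" ino=2204 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1462975460.500:220): avc:  denied  { name_connect } for  pid=2500 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1462975460.500:220): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"'

# Reads audit records on stdin and prints one sorted line per distinct denial:
#   <cause> <source_type> <target_type> <class> <count>
# cause is "labeling" when the target object has no label (unlabeled_t, or
# file_t on older policies), otherwise "policy".
triage_avc() {
  awk '
    $1 == "type=AVC" && /denied/ {
      st = tt = cl = ""
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
      }
      cause = (tt == "unlabeled_t" || tt == "file_t") ? "labeling" : "policy"
      n[cause " " st " " tt " " cl]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Total number of denials for one cause ("labeling" or "policy").
count_by_cause() {
  triage_avc | awk -v c="$1" '$1 == c { s += $NF } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT" | triage_avc
```

A non-zero "labeling" count after a relabel means some files still have no label, which is the situation where the thread's advice to reinstall applies.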