On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <mskrivan(a)redhat.com> wrote:
> On 22 Feb 2017, at 16:46, Jiri Belka <jbelka(a)redhat.com> wrote:
>
> ----- Original Message -----
>> From: "Alan Griffiths" <apgriffiths79(a)gmail.com>
>> To: "Ovirt Users" <users(a)ovirt.org>
>> Sent: Friday, February 10, 2017 4:25:28 PM
>> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
>>
>> Hi,
>>
>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
>> running unconfined rather than within its own domain.
>>
>> I see there is a rhev_agentd_exec_t
That sounds suspicious on its own. Are you sure you haven't mixed rhev
and ovirt agents in the same guest at some point? Restoring selinux
context doesn't help?
Here the same:
[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64 4.0.11-47.el7_3.2 @updates
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch 1.0.12-4.el7 @epel
[root@c72he20170222h1 ~]# ps auxZ | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.* regular file system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent regular file system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
>> type, which I attempted to assign to
>> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
>> supported process for getting ovirt-guest into its own domain? Or a reason
>> why it's not possible?
>>
>> Thanks,
>>
>> Alan
>
> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> there's missing glue between systemd -> python -> GA script.
>
> Vinzenz, any idea?
>
> j.
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
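An added example (not written by anyone in this thread and not oVirt project code): it checks which of the rhev_agentd file-context rules quoted in the output above would label the agent script. It assumes file-context specs are regexes matched against the whole path and that Python's `re` handles these particular patterns the same way; the helper names are made up for the example.

```python
import re

# `semanage fcontext -l | grep rhev_agentd` output as posted in the thread
# (wrapped lines rejoined): path regex, file class, context.
FCONTEXT = r"""
/var/log/rhev-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.* regular file system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent regular file system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
"""

# One rule per line: <path regex> <file class> <context>
LINE = re.compile(r"^(\S+)\s+(all files|regular file|directory)\s+(\S+)$")

def parse_fcontext(text):
    """Return (spec, file_class, context) tuples from semanage-style lines."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            rules.append(m.groups())
    return rules

def matching_rules(path, file_class, rules):
    """Rules whose regex matches the entire path and whose class applies."""
    return [(spec, ctx) for spec, cls, ctx in rules
            if cls in ("all files", file_class) and re.fullmatch(spec, path)]

def selinux_type(context):
    """Third field of user:role:type:level."""
    return context.split(":")[2]

if __name__ == "__main__":
    rules = parse_fcontext(FCONTEXT)
    for path, cls in [
        ("/usr/share/ovirt-guest-agent/ovirt-guest-agent.py", "regular file"),
        ("/usr/share/ovirt-guest-agent", "directory"),
        ("/usr/share/ovirt-guest-agent/LockActiveSession.py", "regular file"),
    ]:
        hits = [selinux_type(c) for _, c in matching_rules(path, cls, rules)]
        print(path, cls, "->", hits or "no rhev_agentd rule matches")
```

Among the rules shown, none matches `ovirt-guest-agent.py` itself: the `/usr/share/ovirt-guest-agent` spec is limited to a regular file at exactly that path, so it covers neither the directory nor the files under it.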