From Simon.Barrett at tradingscreen.com Fri May 23 04:36:20 2014
From: Simon Barrett
To: users at ovirt.org
Subject: [ovirt-users] selinux on oVirt Node
Date: Fri, 23 May 2014 08:36:14 +0000

I set "SELINUX=disabled" in /etc/selinux/config and ran a "persist /etc/selinux/config".

After the node reboots, the file has the correct "SELINUX=disabled" line but I see that selinux is still enabled:

    # grep ^SELINUX= /etc/selinux/config
    SELINUX=disabled
    # getenforce
    Enforcing
    # cat /selinux/enforce
    1

It's like the bind mounts for the files in config happen after selinux is set up.

Is there something else I should be doing to make a change to selinux survive a node reboot?

Many thanks,

Simon

From S.Kieske at mittwald.de Fri May 23 04:46:35 2014
From: Sven Kieske
To: users at ovirt.org
Subject: Re: [ovirt-users] selinux on oVirt Node
Date: Fri, 23 May 2014 08:44:46 +0000
Message-ID: <537F0AE7.3090104@mittwald.de>
In-Reply-To: D86C48DF8800164BBE50B87623F7AC954836B078@ln2-wio-001.dev.tradingscreen.com

afaik you need to disable selinux by passing the relevant parameter directly
via kernel boot options.

search the ML or the net if you need the exact command line.

HTH

On 23.05.2014 10:36, Simon Barrett wrote:
> I set "SELINUX=disabled" in /etc/selinux/config and ran a "persist /etc/selinux/config".
>
> After the node reboots, the file has the correct "SELINUX=disabled" line but I see that selinux is still enabled:
>
> # grep ^SELINUX= /etc/selinux/config
> SELINUX=disabled
> # getenforce
> Enforcing
> # cat /selinux/enforce
> 1
>
> It's like the bind mounts for the files in config happen after selinux is set up.
>
> Is there something else I should be doing to make a change to selinux survive a node reboot?
>
> Many thanks,
>
> Simon

--
Regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

From Simon.Barrett at tradingscreen.com Fri May 23 08:38:45 2014
From: Simon Barrett
To: users at ovirt.org
Subject: Re: [ovirt-users] selinux on oVirt Node
Date: Fri, 23 May 2014 12:38:39 +0000
In-Reply-To: 537F0AE7.3090104@mittwald.de

I added "enforcing=0" to my pxe menu and re-installed the node. All looks better now.

    # sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          disabled
    Policy version:                 24
    Policy from config file:        targeted

    # cat /selinux/enforce
    0

Thanks for the information.

Simon

-----Original Message-----
From: users-bounces(a)ovirt.org [mailto:users-bounces(a)ovirt.org] On Behalf Of Sven Kieske
Sent: 23 May 2014 09:45
To: users(a)ovirt.org
Subject: Re: [ovirt-users] selinux on oVirt Node

afaik you need to disable selinux by passing the relevant parameter directly via kernel boot options.

search the ML or the net if you need the exact command line.

HTH

On 23.05.2014 10:36, Simon Barrett wrote:
> I set "SELINUX=disabled" in /etc/selinux/config and ran a "persist /etc/selinux/config".
>
> After the node reboots, the file has the correct "SELINUX=disabled" line but I see that selinux is still enabled:
>
> # grep ^SELINUX= /etc/selinux/config
> SELINUX=disabled
> # getenforce
> Enforcing
> # cat /selinux/enforce
> 1
>
> It's like the bind mounts for the files in config happen after selinux is set up.
>
> Is there something else I should be doing to make a change to selinux survive a node reboot?
>
> Many thanks,
>
> Simon
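
The symptom in this thread, a config file that says "disabled" while the running system is enforcing or permissive, can be checked mechanically on any host. The script below is an added example and not part of any message in the thread: it only compares the config file, the kernel command line and the selinuxfs enforce node and reports disagreement, it does not model boot-time precedence, and the sample kernel command lines in demo() are constructed.

```shell
#!/bin/sh
# Added example: compare the SELinux mode in the config file with the kernel
# command line and the running state. All sample inputs below are constructed.

# Print the SELINUX= value from a config file (last assignment wins here).
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Print any selinux= / enforcing= tokens from a kernel command line file.
cmdline_overrides() {
    tr -s ' \t' '\n\n' < "$1" | grep -E '^(selinux|enforcing)=' |
        tr '\n' ' ' | sed 's/ $//'
}

# Map the selinuxfs "enforce" node to a mode; no node means SELinux is off.
runtime_mode() {
    [ -r "$1" ] || { echo disabled; return 0; }
    case "$(cat "$1")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# selinux_drift CONFIG CMDLINE ENFORCE_NODE
# Prints one summary line; returns 1 when the runtime mode differs from config.
selinux_drift() {
    cfg=$(config_mode "$1"); ovr=$(cmdline_overrides "$2"); run=$(runtime_mode "$3")
    if [ "$cfg" = "$run" ]; then verdict=ok; else verdict=drift; fi
    echo "config=${cfg:-unset} cmdline=${ovr:-none} runtime=$run verdict=$verdict"
    [ "$verdict" = ok ]
}

# Constructed inputs reproducing the two states reported in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'ro quiet\n' > "$d/cmdline.before"
    printf 'ro quiet enforcing=0\n' > "$d/cmdline.after"
    printf '1\n' > "$d/enforce.before"; printf '0\n' > "$d/enforce.after"
    selinux_drift "$d/config" "$d/cmdline.before" "$d/enforce.before" || :
    selinux_drift "$d/config" "$d/cmdline.after" "$d/enforce.after" || :
    rm -rf "$d"
}
demo
```

On the node from the thread the live inputs would be /etc/selinux/config, /proc/cmdline and /selinux/enforce.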