
> On 25 May 2016, at 17:35, Cam Mac <iucounu@gmail.com> wrote:
>
> Hi Michal,
>
> I chose the 'reinstall node' option from the GUI menu, which appeared to go ok; however, I still cannot create or migrate a VM on that node. I can see selinux 'denied' messages relating to qemu-kvm, e.g.:
>
> type=AVC msg=audit(1464189232.136:251): avc: denied { read } for pid=4019 comm="qemu-kvm" name="650000ab-b33a-483a-af46-76f7305e2ae5" dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>
> There are a number of errors in the vdsm log but I assume that relates to selinux blocking it. So perhaps I need to remove all the ovirt packages manually, or perhaps re-install the OS as well? I guess either of those options involves complications with certificates and WWIDs for the attached SAN.
>
> Or could I somehow generate selinux labels?

Yeah, I think it didn't happen. I thought we do relabelling as part of deploy.
How about running "restorecon -r" now?

> These nodes + engine are not yet production, though I'd prefer to fix them rather than restart entirely from scratch.
>
> Thanks for any help.
>
> regards,
>
> Campbell
>
> On Wed, May 11, 2016 at 3:13 PM, Cam Mac <iucounu@gmail.com> wrote:
>
> Ah, ok, that makes sense. For the node, is it enough to use the 'reinstall node' option from the GUI, or is it better to reinstall the OS and then deploy it again?
>
> Thanks,
>
> Cam
>
> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <michal.skrivanek@redhat.com> wrote:
>
> > On 11 May 2016, at 15:24, Cam Mac <iucounu@gmail.com> wrote:
> >
> > Thanks Michal, if reinstalling the engine (which also had SELinux disabled at install), would the best way be to backup the engine and then restore just the ovirt config?
>
> For the engine... well, VM security is not related to that; those are running on hypervisors, not the engine. So for any functionality/security it's irrelevant what SELinux state it's in.
> I'm not sure if relabeling with restorecon is not enough (it should work also on nodes, but as I said, it's likely safer to reinstall just to be really really sure :)
> Simone, am I right about the restorecon for engine?
>
> > Cheers,
> >
> > Cam
> >
> > On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <michal.skrivanek@redhat.com> wrote:
> >
> > > On 11 May 2016, at 15:02, Cam Mac <iucounu@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > In the oVirt guide, it says that "SELinux is being used by default on oVirt Node", but then goes on to say that if you have problems you should set it to permissive mode. I have had a few things fail due to being blocked by SELinux on a node I later enabled SELinux on, as it was off at install time. The other node has had SELinux on from the start and so far has not had any oVirt operations blocked. I am guessing that the oVirt install process creates the necessary rules to allow vdsm to run under SELinux. So if you want to set SELinux to enforcing after installation, is there a script to do this, or is it better to just reinstall the node or engine, rather than trying to work out the individual exceptions?
> >
> > For oVirt node it's easier to reinstall it; it doesn't persist much and it's the easiest way to get the labelling right.
> >
> > Thanks,
> > michal
> >
> > > Thanks,
> > >
> > > Cam
> > > _______________________________________________
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users