
On 11 May 2016, at 15:24, Cam Mac <iucounu@gmail.com> wrote:

> Thanks Michal, if reinstalling the engine (which also had SELinux disabled at install), would the best way be to back up the engine and then restore just the ovirt config?

For engine... well, VM security is not related to that, those are running on hypervisors, not the engine. So for any functionality/security it’s irrelevant what SELinux state it’s in.

I’m not sure if relabeling with restorecon is not enough (it should work also on nodes, but as I said, it’s likely more safe to reinstall just to be really really sure :)

Simone, am I right about the restorecon for engine?

> Cheers,
>
> Cam
>
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <michal.skrivanek@redhat.com> wrote:
>
> > On 11 May 2016, at 15:02, Cam Mac <iucounu@gmail.com> wrote:
> >
> > Hi,
> >
> > In the oVirt guide, it says that "SELinux is being used by default on oVirt Node", but then goes on to say that if you have problems you should set it to permissive mode. I have had a few things fail due to being blocked by SELinux on a node I later enabled SELinux on, as it was off at install time. The other node has had SELinux on from the start and so far has not had any oVirt operations blocked. I am guessing that the oVirt install process creates the necessary rules to allow vdsm to run under SELinux. So if you want to set SELinux to enforcing after installation, is there a script to do this, or is it better to just reinstall the node or engine, rather than trying to work out the individual exceptions?
>
> For oVirt node it’s easier to reinstall it, it doesn’t persist much and it’s the easiest way to get the labelling right.
>
> Thanks,
> michal
>
> > Thanks,
> >
> > Cam
> > _______________________________________________
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
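An added example, not part of the thread: before switching a host that was installed with SELinux disabled to enforcing, a `restorecon` dry run shows how many files would need relabelling, which helps decide between relabelling and reinstalling. The sample output, paths and function names below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a restorecon dry run so you can
# see how far on-disk labels have drifted before switching to enforcing.

# Constructed sample of `restorecon -R -n -v` output; paths and types are made up.
# Both message styles that restorecon has used are included.
SAMPLE='Would relabel /srv/demo/images/disk1 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Would relabel /srv/demo/images/disk2 from system_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
restorecon reset /srv/demo/log/agent.log context system_u:object_r:var_t:s0->system_u:object_r:var_log_t:s0'

# stdin: dry-run output. stdout: "<count> <old type> -> <new type>", most frequent first.
summarise_relabel() {
    awk '
        function ctype(ctx,   p) { split(ctx, p, ":"); return p[3] }
        /^Would relabel /    { old = $(NF-2); new = $NF }
        /^restorecon reset / { split($NF, c, "->"); old = c[1]; new = c[2] }
        !/^(Would relabel|restorecon reset) / { next }
        { n[ctype(old) " -> " ctype(new)]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# stdin: dry-run output. stdout: number of paths whose current type is unlabeled_t.
# Files created while SELinux was disabled typically show up as unlabeled_t
# once it is enabled, because they were written without a security context.
count_unlabeled() {
    summarise_relabel | awk '$2 == "unlabeled_t" { s += $1 } END { print s + 0 }'
}

# Real run (as root, on the host): sh relabel-preflight.sh --run /
# -n makes restorecon report only; nothing on disk is changed.
if [ "${1:-}" = "--run" ]; then
    getenforce
    restorecon -R -n -v "${2:-/}" 2>/dev/null | summarise_relabel
fi
```

A large `unlabeled_t` count means many files were written while SELinux was off; staying in permissive mode until a full relabel has completed avoids denials from those files.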