Re: [ovirt-users] SELinux and oVirt

On 25 May 2016, at 19:29, Cam Mac <iucounu(a)gmail.com&gt; wrote: Hi Michal, Ran restorecon -r on '/' (and restarted vdsmd and other services): it is still getting selinux errors. I'd like to keep selinux running, especially as it is officially supported Yeah. Hm, dunno why it didn't work, perhaps the config is not set up correctly. I thought redeploy would fix it but I don't really know the deployment code so maybe I'm wrong (and works on the other node), so I guess the best option is to reinstall the OS and then install ovirt again perhaps. That's the most easy way out, yes:) Thanks, michal Thanks, Campbell On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek <mskrivan(a)redhat.com&gt; wrote: > > > On 25 May 2016, at 19:12, Cam Mac <iucounu(a)gmail.com&gt; wrote: > > I'll try that - presumably on the paths it is complaining about, and the > qemu binarys? > > > It shouldn't hurt on /, it should only help:) > And if it complains e.g. on attached nfs, the i suppose you need to run > it there too > > > > On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek < > michal.skrivanek(a)redhat.com&gt; wrote: > >> >> On 25 May 2016, at 17:35, Cam Mac <iucounu(a)gmail.com&gt; wrote: >> >> Hi Michal, >> >> I chose the 'reinstall node' option from the GUI menu, which appeared to >> go ok, however, I still cannot create or migrate a VM on that node. I can >> see selinux 'denied' messages relating to qemu-kvm, e.g.: >> >> type=AVC msg=audit(1464189232.136:251): avc: denied { read } for >> pid=4019 comm="qemu-kvm" name="650000ab-b33a-483a-af46-76f7305e2ae5" >> dev="sda2" ino=35401 scontext=system_ >> u:system_r:svirt_t:s0:c720,c927 >> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file >> >> There are a number of errors in the vdsm log but I assume that relates >> to selinux blocking it. So perhaps I need to remove all the ovirt packages >> manually, or perhaps re-install the OS as well? I guess either of those >> options involves complications with certificates and WWIDs for the attached >> SAN. >> >> Or could I somehow generate selinux labels? >> >> >> yeah, I think it didn’t happen. I though we do relabelling as part of >> deploy >> How about running "restorecon -r” now? >> >> >> These nodes + engine are not yet production, though I'd prefer to fix >> than restart entirely from scratch. >> >> Thanks for any help. >> >> regards, >> >> Campbell >> >> >> On Wed, May 11, 2016 at 3:13 PM, Cam Mac <iucounu(a)gmail.com&gt; wrote: >> >>> Ah, ok that makes sense. For the node, is it enough to use the >>> 'reinstall node' option from the GUI, or is it better to reinstall the OS >>> and then deploy it again? >>> >>> Thanks, >>> >>> Cam >>> >>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek < >>> michal.skrivanek(a)redhat.com&gt; wrote: >>> >>>> >>>> On 11 May 2016, at 15:24, Cam Mac <iucounu(a)gmail.com&gt; wrote: >>>> >>>> Thanks Michal, if reinstalling the engine, (which also had SELinux >>>> disabled at install), would the best way be to backup the engine and then >>>> restore just the ovirt config? >>>> >>>> >>>> for engine..well, VM security is not related to that, those are >>>> running on hypervisors, not the engine. So for any functionality/security >>>> it’s irrelevant what SELinux state it’s in >>>> I’m not sure if relabeling with restorecon is not enough (it sould >>>> work also on nodes, but as I said, it’s likely more safe to reinstall just >>>> to be really really sure:) >>>> Simone, am I right about the restorecon for engine? >>>> >>>> >>>> Cheers, >>>> >>>> Cam >>>> >>>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek < >>>> michal.skrivanek(a)redhat.com&gt; wrote: >>>> >>>>> >>>>> > On 11 May 2016, at 15:02, Cam Mac <iucounu(a)gmail.com&gt; wrote: >>>>> > >>>>> > Hi, >>>>> > >>>>> > In the oVirt guide, it says that "SELinux is being used by default >>>>> on oVirt Node", but then goes on to say that if you have problems you >>>>> should set it to permissive mode. I have had a few things fail due to being >>>>> blocked by SELinux on a node I later enabled SELinux on, as it was off at >>>>> install time. The other node which has had SELinux on from the start and so >>>>> far has not had any oVirt operations blocked. I am guessing that the oVirt >>>>> install process creates the necessary rules to allow vdsm to run under >>>>> SELinux. So if you want to set SELinux to enforcing after installation, is >>>>> there a script to do this, or is it better to just reinstall the node or >>>>> engine, rather than trying to work out the individual exceptions? >>>>> >>>>> For oVirt node it’s easier to reinstall it, it doesn’t persist much >>>>> and it’s the easies way how to get the labelling right >>>>> >>>>> Thanks, >>>>> michal >>>>> >>>>> > >>>>> > Thanks, >>>>> > >>>>> > Cam >>>>> > _______________________________________________ >>>>> > Users mailing list >>>>> > Users(a)ovirt.org >>>>> > http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>>> >>>> >>> >> >> >