On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <mskrivan@redhat.com> wrote:
> On 22 Feb 2017, at 16:46, Jiri Belka <jbelka@redhat.com> wrote:
>
> ----- Original Message -----
>> From: "Alan Griffiths" <apgriffiths79@gmail.com>
>> To: "Ovirt Users" <users@ovirt.org>
>> Sent: Friday, February 10, 2017 4:25:28 PM
>> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
>>
>> Hi,
>>
>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
>> running unconfined rather than within its own domain.
>>
>> I see there is a rhev_agentd_exec_t

That sounds suspicious on its own. Are you sure you haven't mixed rhev
and ovirt agents in the same guest at some point? Restoring the SELinux
context doesn't help?


Here the same:
[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64             4.0.11-47.el7_3.2                @updates 
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch       1.0.12-4.el7                     @epel    
[root@c72he20170222h1 ~]# ps auxZ  | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2  0.6 441796 36036 ? Ssl  16:59   0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0  0.0 112648 964 pts/0 S+ 22:31   0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)?                          all files          system_u:object_r:rhev_agentd_log_t:s0 
/var/log/ovirt-guest-agent(/.*)?                   all files          system_u:object_r:rhev_agentd_log_t:s0 
/usr/lib/systemd/system/ovirt-guest-agent.*        regular file       system_u:object_r:rhev_agentd_unit_file_t:s0 
/var/run/rhev-agentd\.pid                          regular file       system_u:object_r:rhev_agentd_var_run_t:s0 
/usr/share/ovirt-guest-agent                       regular file       system_u:object_r:rhev_agentd_exec_t:s0 
/var/run/ovirt-guest-agent\.pid                    regular file       system_u:object_r:rhev_agentd_var_run_t:s0 
/usr/share/rhev-agent/rhev-agentd\.py              regular file       system_u:object_r:rhev_agentd_exec_t:s0 
/usr/share/rhev-agent/LockActiveSession\.py        regular file       system_u:object_r:rhev_agentd_exec_t:s0 
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file       system_u:object_r:rhev_agentd_exec_t:s0

>> type, which I attempted to assign to
>> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
>> supported process for getting ovirt-guest into its own domain? Or a reason
>> why it's not possible?
>>
>> Thanks,
>>
>> Alan
>
> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> there's missing glue between systemd -> python -> GA script.
>
> Vinzenz, any idea?
>
> j.
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
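An added example, not code from this thread or from the oVirt project, that works through the "missing glue between systemd -> python -> GA script" remark against the data posted above. It re-implements, in simplified form, the file-context lookup that matchpathcon(8) does, then asks the question an SELinux domain transition asks: what is the type of the file systemd actually executes? For ExecStart=/usr/bin/python <script> that file is the interpreter, so a type_transition from init_t keyed on rhev_agentd_exec_t never fires, whatever label the .py carries; the generic bin_t entrypoint is what leaves the service in unconfined_service_t on CentOS 7. It also shows that the anchored rule `/usr/share/ovirt-guest-agent` (type "regular file") matches neither the directory nor ovirt-guest-agent.py underneath it. Assumptions not taken from the thread: the unit's ExecStart equals the command line in the ps auxZ output, and the two base-policy rules for /usr/bin (bin_t) and /usr/share (usr_t) are the standard ones; the "longest literal prefix wins" tie-break is a simplification of libselinux's ordering.

```python
"""Offline check of why a systemd service lands in unconfined_service_t.

Added example for the ovirt-users thread on the guest agent running
unconfined; not code from the oVirt project or from any poster.
Assumptions: the unit's ExecStart equals the "ps auxZ" command line, and
the /usr/bin -> bin_t and /usr/share -> usr_t rules are the base-policy ones.
"""
import re

# Constructed input: the rhev_agentd rules from the thread's "semanage
# fcontext -l" output, with the two assumed base-policy rules on top.
SEMANAGE_FCONTEXT = r"""
/usr/bin(/.*)?                                     all files          system_u:object_r:bin_t:s0
/usr/share(/.*)?                                   all files          system_u:object_r:usr_t:s0
/var/log/rhev-agent(/.*)?                          all files          system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?                   all files          system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*        regular file       system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid                          regular file       system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent                       regular file       system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid                    regular file       system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py              regular file       system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py        regular file       system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file       system_u:object_r:rhev_agentd_exec_t:s0
"""

# Constructed input: the agent's line from the thread's "ps auxZ" output.
PS_LINE = ("system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 "
           "441796 36036 ? Ssl 16:59 0:46 /usr/bin/python "
           "/usr/share/ovirt-guest-agent/ovirt-guest-agent.py")

RULE_RE = re.compile(r"^(\S+)\s+(all files|regular file|directory|symbolic link|"
                     r"character device|block device|socket|named pipe)\s+(\S+)$")
# Literal prefix of a pattern: everything before the first regex metacharacter.
STEM_RE = re.compile(r"[^\\.^$*+?()\[\]{}|]*")


def parse_fcontext(text):
    """Turn 'semanage fcontext -l' lines into (regex, file type, SELinux type)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            regex, ftype, ctx = m.groups()
            rules.append((regex, ftype, ctx.split(":")[2]))  # user:role:type:level
    return rules


def lookup(rules, path, ftype="regular file"):
    """Simplified matchpathcon: patterns are anchored (full match), the rule with
    the longest literal prefix wins, a later rule wins a tie. None if no match."""
    best = None
    for idx, (regex, rtype, setype) in enumerate(rules):
        if rtype not in ("all files", ftype):
            continue  # a "regular file" rule never labels a directory
        if re.fullmatch(regex, path):
            key = (len(STEM_RE.match(regex).group(0)), idx)
            if best is None or key > best[0]:
                best = (key, setype)
    return best[1] if best else None


def parse_ps_line(line):
    """Return (process type, argv) from one 'ps auxZ' line."""
    fields = line.split()
    # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    return fields[0].split(":")[2], fields[11:]


def analyse(rules, ps_line, want="rhev_agentd_exec_t"):
    """Explain a process's domain from the type of the file that was executed."""
    domain, argv = parse_ps_line(ps_line)
    entry, entry_type = argv[0], lookup(rules, argv[0])
    script = next((a for a in argv[1:] if a.endswith(".py")), None)
    script_type = lookup(rules, script) if script else None
    findings = []
    if entry_type != want:
        findings.append("entrypoint %s is %s, not %s: a type_transition from "
                        "init_t keyed on %s cannot fire" % (entry, entry_type, want, want))
    if script and script_type != want:
        findings.append("script %s is %s: no fcontext rule matches it, and it is "
                        "not the executed file anyway" % (script, script_type))
    return {"domain": domain, "entrypoint_type": entry_type,
            "script_type": script_type, "findings": findings}


if __name__ == "__main__":
    result = analyse(parse_fcontext(SEMANAGE_FCONTEXT), PS_LINE)
    print("running as:", result["domain"])
    for finding in result["findings"]:
        print(" -", finding)
```

On a real guest the authoritative equivalents are `matchpathcon /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py`, `ls -Z` on both files, and `sesearch -T -s init_t -t rhev_agentd_exec_t` to confirm the transition rule exists. The general point the check illustrates: the kernel applies the entrypoint check to the file passed to execve, so a script started as `/usr/bin/python script.py` is labelled by python, while a script executed directly through its `#!` line is labelled by the script itself.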