Guest Agent Running unconfined on Centos 7

Hi,

I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's running unconfined rather than within its own domain. I see there is a rhev_agentd_exec_t type, which I attempted to assign to ovirt-guest-agent.py but it still starts up as unconfined. Is there a supported process for getting ovirt-guest into its own domain? Or a reason why it's not possible?

Thanks,
Alan

----- Original Message -----
From: "Alan Griffiths" <apgriffiths79@gmail.com>
To: "Ovirt Users" <users@ovirt.org>
Sent: Friday, February 10, 2017 4:25:28 PM
Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7

> Hi,
>
> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's running unconfined rather than within its own domain.
>
> I see there is a rhev_agentd_exec_t type, which I attempted to assign to ovirt-guest-agent.py but it still starts up as unconfined. Is there a supported process for getting ovirt-guest into its own domain? Or a reason why it's not possible?
>
> Thanks,
> Alan

Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems there's missing glue between systemd -> python -> GA script.

Vinzenz, any idea?

j.

On 22 Feb 2017, at 16:46, Jiri Belka <jbelka@redhat.com> wrote:

> ----- Original Message -----
> From: "Alan Griffiths" <apgriffiths79@gmail.com>
> To: "Ovirt Users" <users@ovirt.org>
> Sent: Friday, February 10, 2017 4:25:28 PM
> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
>
>> Hi,
>>
>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's running unconfined rather than within its own domain.
>>
>> I see there is a rhev_agentd_exec_t

That sounds suspicious on its own. Are you sure you haven't mixed rhev and ovirt agents in the same guest at some point? Restoring selinux context doesn't help?

>> type, which I attempted to assign to ovirt-guest-agent.py but it still starts up as unconfined. Is there a supported process for getting ovirt-guest into its own domain? Or a reason why it's not possible?
>>
>> Thanks,
>> Alan
>
> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems there's missing glue between systemd -> python -> GA script.
>
> Vinzenz, any idea?
>
> j.
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <mskrivan@redhat.com> wrote:

> On 22 Feb 2017, at 16:46, Jiri Belka <jbelka@redhat.com> wrote:
>
>> ----- Original Message -----
>> From: "Alan Griffiths" <apgriffiths79@gmail.com>
>> To: "Ovirt Users" <users@ovirt.org>
>> Sent: Friday, February 10, 2017 4:25:28 PM
>> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
>>
>>> Hi,
>>>
>>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's running unconfined rather than within its own domain.
>>>
>>> I see there is a rhev_agentd_exec_t
>
> That sounds suspicious on its own. Are you sure you haven't mixed rhev and ovirt agents in the same guest at some point? Restoring selinux context doesn't help?

Here the same:

[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64        4.0.11-47.el7_3.2    @updates
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch  1.0.12-4.el7         @epel
[root@c72he20170222h1 ~]# ps auxZ | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)?                           all files      system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?                    all files      system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*         regular file   system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid                           regular file   system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent                        regular file   system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid                     regular file   system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py               regular file   system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py         regular file   system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py  regular file   system_u:object_r:rhev_agentd_exec_t:s0

>>> type, which I attempted to assign to ovirt-guest-agent.py but it still starts up as unconfined. Is there a supported process for getting ovirt-guest into its own domain? Or a reason why it's not possible?
>>>
>>> Thanks,
>>> Alan
>>
>> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems there's missing glue between systemd -> python -> GA script.
>>
>> Vinzenz, any idea?
>>
>> j.
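A small diagnostic for the two things Simone's output above shows, added here as an example; it is not code from the thread or from the ovirt-guest-agent project. It parses `ps auxZ`-style and `semanage fcontext -l`-style lines and reports (a) the SELinux type each matching agent process actually runs in and (b) which fcontext rule, if any, would label a given path. The sample lines are constructed to mirror the output in the thread, and `rhev_agentd_t` is assumed to be the domain the agent should transition into (the thread only shows the related `rhev_agentd_*` file types, not the process domain).

```shell
#!/bin/sh
# Added example: check whether ovirt-guest-agent runs in its own SELinux
# domain and whether the fcontext rules would label its script at all.
# Input lines are CONSTRUCTED to mirror the thread's `ps auxZ` and
# `semanage fcontext -l` output; they were not captured from a real guest.

SAMPLE_PS='system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
system_u:system_r:rhev_agentd_t:s0 ovirtag+ 901 0.0 0.1 20000 4000 ? Ssl 17:00 0:00 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py'

SAMPLE_FCONTEXT='/usr/share/ovirt-guest-agent regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0
/var/log/ovirt-guest-agent(/.*)? all files system_u:object_r:rhev_agentd_log_t:s0'

# types_for PATTERN: read ps -Z style lines on stdin and print the SELinux
# type (third component of the context in column 1) of every line whose
# command line matches PATTERN (an awk regex).
types_for() {
    awk -v pat="$1" '$0 ~ pat { split($1, ctx, ":"); print ctx[3] }'
}

# check_domain PATTERN EXPECTED: succeed only if every matching process
# runs as EXPECTED (assumed here to be rhev_agentd_t for the agent);
# report every other type on stderr.
check_domain() {
    pattern=$1
    expected=$2
    status=0
    for t in $(types_for "$pattern"); do
        if [ "$t" != "$expected" ]; then
            echo "process matching '$pattern' runs as $t, expected $expected" >&2
            status=1
        fi
    done
    return $status
}

# fcontext_type PATH: read semanage fcontext -l style lines on stdin and
# print the type the first rule whose regex matches PATH (anchored at both
# ends, as restorecon applies it) would assign. Fails with no output when
# no rule covers PATH, which is the case for the agent script itself in
# the sample above: the bare /usr/share/ovirt-guest-agent rule matches only
# that exact path.
fcontext_type() {
    awk -v path="$1" '
        path ~ ("^" $1 "$") { split($NF, ctx, ":"); print ctx[3]; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed samples; on a guest, feed
# `ps auxZ` and `semanage fcontext -l` through the same functions instead.
printf '%s\n' "$SAMPLE_PS" | check_domain ovirt-guest-agent rhev_agentd_t \
    || echo "agent is NOT confined to rhev_agentd_t"
printf '%s\n' "$SAMPLE_FCONTEXT" | fcontext_type /usr/share/ovirt-guest-agent/ovirt-guest-agent.py \
    || echo "no fcontext rule labels the agent script"
```

Two things the check makes visible. First, the `/usr/share/ovirt-guest-agent` rule is a "regular file" rule for that exact path, so `ovirt-guest-agent.py` receives no `rhev_agentd_exec_t` label from `restorecon` unless a rule names it (only `LockActiveSession.py` has one). Second, even a correctly labelled script does not produce a domain transition when the unit starts `/usr/bin/python` with the script as an argument, because SELinux keys the transition on the file that is executed, not on its arguments; that is consistent with Jiri's "missing glue between systemd -> python -> GA script" remark, and it is why relabelling alone leaves the process in `unconfined_service_t`.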
participants (4)
- Alan Griffiths
- Jiri Belka
- Michal Skrivanek
- Simone Tiraboschi