[ovirt-users] SELinux and oVirt

Cam Mac iucounu at gmail.com
Wed May 25 17:29:53 UTC 2016


Hi Michal,

Ran restorecon -r on '/' (and restarted vdsmd and other services): it is
still getting selinux errors. I'd like to keep selinux running, especially
as it is officially supported (and works on the other node), so I guess the
best option is to reinstall the OS and then install ovirt again perhaps.

Thanks,

Campbell

On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek <mskrivan at redhat.com>
wrote:

>
>
> On 25 May 2016, at 19:12, Cam Mac <iucounu at gmail.com> wrote:
>
> I'll try that - presumably on the paths it is complaining about, and the
> qemu binarys?
>
>
> It shouldn't hurt on /, it should only help:)
> And if it complains e.g. on attached nfs, the i suppose you need to run it
> there too
>
>
>
> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
> michal.skrivanek at redhat.com> wrote:
>
>>
>> On 25 May 2016, at 17:35, Cam Mac <iucounu at gmail.com> wrote:
>>
>> Hi Michal,
>>
>> I chose the 'reinstall node' option from the GUI menu, which appeared to
>> go ok, however, I still cannot create or migrate a VM on that node. I can
>> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>>
>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
>>  pid=4019 comm="qemu-kvm" name="650000ab-b33a-483a-af46-76f7305e2ae5"
>> dev="sda2" ino=35401 scontext=system_
>> u:system_r:svirt_t:s0:c720,c927 tcontext=system_u:object_r:unlabeled_t:s0
>> tclass=lnk_file
>>
>> There are a number of errors in the vdsm log but I assume that relates to
>> selinux blocking it. So perhaps I need to remove all the ovirt packages
>> manually, or perhaps re-install the OS as well? I guess either of those
>> options involves complications with certificates and WWIDs for the attached
>> SAN.
>>
>> Or could I somehow generate selinux labels?
>>
>>
>> yeah, I think it didn’t happen. I though we do relabelling as part of
>> deploy
>> How about running "restorecon -r” now?
>>
>>
>> These nodes + engine are not yet production, though I'd prefer to fix
>> than restart entirely from scratch.
>>
>> Thanks for any help.
>>
>> regards,
>>
>> Campbell
>>
>>
>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac <iucounu at gmail.com> wrote:
>>
>>> Ah, ok that makes sense. For the node, is it enough to use the
>>> 'reinstall node' option from the GUI, or is it better to reinstall the OS
>>> and then deploy it again?
>>>
>>> Thanks,
>>>
>>> Cam
>>>
>>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
>>> michal.skrivanek at redhat.com> wrote:
>>>
>>>>
>>>> On 11 May 2016, at 15:24, Cam Mac <iucounu at gmail.com> wrote:
>>>>
>>>> Thanks Michal, if reinstalling the engine, (which also had SELinux
>>>> disabled at install), would the best way be to backup the engine and then
>>>> restore just the ovirt config?
>>>>
>>>>
>>>> for engine..well, VM security is not related to that, those are running
>>>> on hypervisors, not the engine. So for any functionality/security it’s
>>>> irrelevant what SELinux state it’s in
>>>> I’m not sure if relabeling with restorecon is not enough (it sould work
>>>> also on nodes, but as I said, it’s likely more safe to reinstall just to be
>>>> really really sure:)
>>>> Simone, am I right about the restorecon for engine?
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Cam
>>>>
>>>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
>>>> michal.skrivanek at redhat.com> wrote:
>>>>
>>>>>
>>>>> > On 11 May 2016, at 15:02, Cam Mac <iucounu at gmail.com> wrote:
>>>>> >
>>>>> > Hi,
>>>>> >
>>>>> > In the oVirt guide, it says that "SELinux is being used by default
>>>>> on oVirt Node", but then goes on to say that if you have problems you
>>>>> should set it to permissive mode. I have had a few things fail due to being
>>>>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>>>>> install time. The other node which has had SELinux on from the start and so
>>>>> far has not had any oVirt operations blocked. I am guessing that the oVirt
>>>>> install process creates the necessary rules to allow vdsm to run under
>>>>> SELinux. So if you want to set SELinux to enforcing after installation, is
>>>>> there a script to do this, or is it better to just reinstall the node or
>>>>> engine, rather than trying to work out the individual exceptions?
>>>>>
>>>>> For oVirt node it’s easier to reinstall it, it doesn’t persist much
>>>>> and it’s the easies way how to get the labelling right
>>>>>
>>>>> Thanks,
>>>>> michal
>>>>>
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Cam
>>>>> > _______________________________________________
>>>>> > Users mailing list
>>>>> > Users at ovirt.org
>>>>> > http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>>
>>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160525/2bb87978/attachment-0001.html>


More information about the Users mailing list