[ovirt-users] SELinux and oVirt

Cam Mac iucounu at gmail.com
Thu May 26 13:46:24 UTC 2016


Hi Michal,

I re-installed the OS and then oVirt on that node, with SELinux enabled,
and that has resolved the issue.

Thanks for your help.

Cheers,

Cam

On Wed, May 25, 2016 at 7:24 PM, Michal Skrivanek <mskrivan at redhat.com>
wrote:

>
>
> On 25 May 2016, at 19:29, Cam Mac <iucounu at gmail.com> wrote:
>
> Hi Michal,
>
> Ran restorecon -r on '/' (and restarted vdsmd and other services): it is
> still getting selinux errors. I'd like to keep selinux running, especially
> as it is officially supported
>
>
> Yeah. Hm, dunno why it didn't work, perhaps the config is not set up
> correctly. I thought redeploy would fix it but I don't really know the
> deployment code so maybe I'm wrong
>
> (and works on the other node), so I guess the best option is to reinstall
> the OS and then install ovirt again perhaps.
>
>
> That's the most easy way out, yes:)
>
> Thanks,
> michal
>
>
> Thanks,
>
> Campbell
>
> On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek <mskrivan at redhat.com>
> wrote:
>
>>
>>
>> On 25 May 2016, at 19:12, Cam Mac <iucounu at gmail.com> wrote:
>>
>> I'll try that - presumably on the paths it is complaining about, and the
>> qemu binaries?
>>
>>
>> It shouldn't hurt on /, it should only help:)
>> And if it complains e.g. on attached nfs, then I suppose you need to run
>> it there too
>>
>>
>>
>> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
>> michal.skrivanek at redhat.com> wrote:
>>
>>>
>>> On 25 May 2016, at 17:35, Cam Mac <iucounu at gmail.com> wrote:
>>>
>>> Hi Michal,
>>>
>>> I chose the 'reinstall node' option from the GUI menu, which appeared to
>>> go ok, however, I still cannot create or migrate a VM on that node. I can
>>> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>>>
>>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
>>>  pid=4019 comm="qemu-kvm" name="650000ab-b33a-483a-af46-76f7305e2ae5"
>>> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>>>
>>> There are a number of errors in the vdsm log but I assume that relates
>>> to selinux blocking it. So perhaps I need to remove all the ovirt packages
>>> manually, or perhaps re-install the OS as well? I guess either of those
>>> options involves complications with certificates and WWIDs for the attached
>>> SAN.
>>>
>>> Or could I somehow generate selinux labels?
>>>
>>>
>>> yeah, I think it didn’t happen. I thought we do relabelling as part of
>>> deploy
>>> How about running "restorecon -r" now?
>>>
>>>
>>> These nodes + engine are not yet production, though I'd prefer to fix
>>> than restart entirely from scratch.
>>>
>>> Thanks for any help.
>>>
>>> regards,
>>>
>>> Campbell
>>>
>>>
>>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac <iucounu at gmail.com> wrote:
>>>
>>>> Ah, ok that makes sense. For the node, is it enough to use the
>>>> 'reinstall node' option from the GUI, or is it better to reinstall the OS
>>>> and then deploy it again?
>>>>
>>>> Thanks,
>>>>
>>>> Cam
>>>>
>>>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
>>>> michal.skrivanek at redhat.com> wrote:
>>>>
>>>>>
>>>>> On 11 May 2016, at 15:24, Cam Mac <iucounu at gmail.com> wrote:
>>>>>
>>>>> Thanks Michal, if reinstalling the engine, (which also had SELinux
>>>>> disabled at install), would the best way be to backup the engine and then
>>>>> restore just the ovirt config?
>>>>>
>>>>>
>>>>> for engine..well, VM security is not related to that, those are
>>>>> running on hypervisors, not the engine. So for any functionality/security
>>>>> it’s irrelevant what SELinux state it’s in
>>>>> I’m not sure if relabeling with restorecon is not enough (it should
>>>>> work also on nodes, but as I said, it’s likely more safe to reinstall just
>>>>> to be really really sure:)
>>>>> Simone, am I right about the restorecon for engine?
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Cam
>>>>>
>>>>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
>>>>> michal.skrivanek at redhat.com> wrote:
>>>>>
>>>>>>
>>>>>> > On 11 May 2016, at 15:02, Cam Mac <iucounu at gmail.com> wrote:
>>>>>> >
>>>>>> > Hi,
>>>>>> >
>>>>>> > In the oVirt guide, it says that "SELinux is being used by default
>>>>>> on oVirt Node", but then goes on to say that if you have problems you
>>>>>> should set it to permissive mode. I have had a few things fail due to being
>>>>>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>>>>>> install time. The other node which has had SELinux on from the start and so
>>>>>> far has not had any oVirt operations blocked. I am guessing that the oVirt
>>>>>> install process creates the necessary rules to allow vdsm to run under
>>>>>> SELinux. So if you want to set SELinux to enforcing after installation, is
>>>>>> there a script to do this, or is it better to just reinstall the node or
>>>>>> engine, rather than trying to work out the individual exceptions?
>>>>>>
>>>>>> For oVirt node it’s easier to reinstall it, it doesn’t persist much
>>>>>> and it’s the easiest way how to get the labelling right
>>>>>>
>>>>>> Thanks,
>>>>>> michal
>>>>>>
>>>>>> >
>>>>>> > Thanks,
>>>>>> >
>>>>>> > Cam
>>>>>> > _______________________________________________
>>>>>> > Users mailing list
>>>>>> > Users at ovirt.org
>>>>>> > http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
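
An added example, not part of the original thread: a small triage script that parses AVC denials like the one quoted above and separates "target has no proper label, relabel it" from "target is labelled, policy refuses the access". It goes beyond the single record in the thread by also treating `file_t` and `default_t` as missing-label types; the second log line and all function names are constructed for illustration.

```python
import re

# Target types that mean the object never received a proper label,
# as opposed to a labelled object that policy refuses access to.
UNLABELED_TYPES = {"unlabeled_t", "file_t", "default_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # The denial quoted in the thread, joined onto one line.
    'type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for '
    ' pid=4019 comm="qemu-kvm" name="650000ab-b33a-483a-af46-76f7305e2ae5" '
    'dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file',
    # Constructed record for contrast: the target carries a real label.
    'type=AVC msg=audit(1464189300.001:260): avc:  denied  { write } for '
    'pid=4100 comm="qemu-kvm" name="disk.img" dev="sda2" ino=40000 '
    'scontext=system_u:system_r:svirt_t:s0:c1,c2 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Contexts are user:role:type:level; the type is the third field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def triage(lines):
    """Yield (comm, name, tclass, target_type, verdict) per denial."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = context_type(rec.get("tcontext", ""))
        verdict = "relabel" if ttype in UNLABELED_TYPES else "policy"
        out.append((rec.get("comm"), rec.get("name"), rec.get("tclass"), ttype, verdict))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The `name=` field holds only the last path component, so the full path to relabel has to be located from `dev=` and `ino=`.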