[ovirt-users] Guest Agent Running unconfined on Centos 7

Simone Tiraboschi stirabos at redhat.com
Wed Feb 22 21:32:53 UTC 2017


On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <mskrivan at redhat.com>
wrote:

> > On 22 Feb 2017, at 16:46, Jiri Belka <jbelka at redhat.com> wrote:
> >
> > ----- Original Message -----
> >> From: "Alan Griffiths" <apgriffiths79 at gmail.com>
> >> To: "Ovirt Users" <users at ovirt.org>
> >> Sent: Friday, February 10, 2017 4:25:28 PM
> >> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
> >>
> >> Hi,
> >>
> >> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
> >> running unconfined rather than within its own domain.
> >>
> >> I see there is a rhev_agentd_exec_t
>
> That sounds suspicious on its own. Are you sure you haven't mixed rhev
> and ovirt agents in the same guest at some point? Restoring SELinux
> context doesn't help?
>
>
Here the same:
[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64             4.0.11-47.el7_3.2             @updates
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch       1.0.12-4.el7                  @epel
[root@c72he20170222h1 ~]# ps auxZ  | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2  0.6 441796 36036 ? Ssl  16:59   0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0  0.0 112648 964 pts/0 S+ 22:31   0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)?                          all files    system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?                   all files    system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*        regular file system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid                          regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent                       regular file system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid                    regular file system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py              regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py        regular file system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py regular file system_u:object_r:rhev_agentd_exec_t:s0




> >> type, which I attempted to assign to
> >> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
> >> supported process for getting ovirt-guest into its own domain? Or a reason
> >> why it's not possible?
> >>
> >> Thanks,
> >>
> >> Alan
> >
> > Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> > there's missing glue between systemd -> python -> GA script.
> >
> > Vinzenz, any idea?
> >
> > j.
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
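An added example, not part of the original message or of oVirt's code: a Python check that reads `ps auxZ` output like the listing above and reports daemons left in an unconfined domain. The sample rows are constructed (the first mirrors the agent process shown in the thread), and the function names are this example's own.

```python
import re

# Constructed sample in the column layout of `ps auxZ` (label comes first).
SAMPLE_PS_AUXZ = """\
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1021 0.0 0.1 105996 4088 ? Ss 16:59 0:00 /usr/sbin/sshd -D
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
system_u:system_r:kernel_t:s0 root 2 0.0 0.0 0 0 ? S 16:58 0:00 [kthreadd]
"""

# Domains that mean no policy module confined the process.
UNCONFINED_DOMAINS = {"unconfined_service_t", "unconfined_t"}
INTERPRETERS = re.compile(r"/(python[\d.]*|perl|ruby|bash|sh)$")

def parse_ps_auxz(text):
    """Yield one dict per process row of `ps auxZ` output."""
    for line in text.splitlines():
        fields = line.split(None, 11)      # 11 fixed columns, then the command
        if len(fields) < 12 or fields[0] == "LABEL":
            continue
        ctx = fields[0].split(":")         # user:role:type:level[:categories]
        if len(ctx) < 4:                   # "-" or "?" when SELinux is off
            continue
        yield {"user": fields[1], "pid": int(fields[2]), "role": ctx[1],
               "domain": ctx[2], "argv": fields[11].split()}

def unconfined_services(text):
    """Return findings for daemons (role system_r) in an unconfined domain."""
    findings = []
    for p in parse_ps_auxz(text):
        if p["role"] != "system_r" or p["domain"] not in UNCONFINED_DOMAINS:
            continue                       # interactive shells run as unconfined_r
        exe = p["argv"][0]
        via_interp = bool(INTERPRETERS.search(exe)) and len(p["argv"]) > 1
        # argv alone does not show whether the unit executes the script or the
        # interpreter, so record the script path: its file label and the unit's
        # ExecStart are the two things to inspect next.
        findings.append({"pid": p["pid"], "user": p["user"],
                         "domain": p["domain"], "exe": exe,
                         "script": p["argv"][1] if via_interp else None})
    return findings

if __name__ == "__main__":
    for f in unconfined_services(SAMPLE_PS_AUXZ):
        target = f["script"] or f["exe"]
        print("pid %d (%s) runs in %s: check label of %s"
              % (f["pid"], f["user"], f["domain"], target))
```

On a live guest, feed it the real listing instead of the sample, then compare each reported path with `ls -Z` and the `semanage fcontext -l` entries.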