Re: [ovirt-users] SELinux and oVirt

2016-05-26 Thread Cam Mac
Hi Michal,

I re-installed the OS and then oVirt on that node, with SELinux enabled,
and that has resolved the issue.

Thanks for your help.

Cheers,

Cam

On Wed, May 25, 2016 at 7:24 PM, Michal Skrivanek 
wrote:

>
>
> On 25 May 2016, at 19:29, Cam Mac  wrote:
>
> Hi Michal,
>
> Ran restorecon -r on '/' (and restarted vdsmd and other services): it is
> still getting selinux errors. I'd like to keep selinux running, especially
> as it is officially supported
>
>
> Yeah. Hm, dunno why it didn't work, perhaps the config is not set up
> correctly. I thought redeploy would fix it but I don't really know the
> deployment code so maybe I'm wrong
>
> (and works on the other node), so I guess the best option is to reinstall
> the OS and then install ovirt again perhaps.
>
>
> That's the most easy way out, yes:)
>
> Thanks,
> michal
>
>
> Thanks,
>
> Campbell
>
> On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek 
> wrote:
>
>>
>>
>> On 25 May 2016, at 19:12, Cam Mac  wrote:
>>
>> I'll try that - presumably on the paths it is complaining about, and the
>> qemu binaries?
>>
>>
>> It shouldn't hurt on /, it should only help:)
>> And if it complains e.g. on attached nfs, then I suppose you need to run
>> it there too
>>
>>
>>
>> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
>> michal.skriva...@redhat.com> wrote:
>>
>>>
>>> On 25 May 2016, at 17:35, Cam Mac  wrote:
>>>
>>> Hi Michal,
>>>
>>> I chose the 'reinstall node' option from the GUI menu, which appeared to
>>> go ok, however, I still cannot create or migrate a VM on that node. I can
>>> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>>>
>>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
>>> pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5"
>>> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>>>
>>> There are a number of errors in the vdsm log but I assume that relates
>>> to selinux blocking it. So perhaps I need to remove all the ovirt packages
>>> manually, or perhaps re-install the OS as well? I guess either of those
>>> options involves complications with certificates and WWIDs for the attached
>>> SAN.
>>>
>>> Or could I somehow generate selinux labels?
>>>
>>>
>>> yeah, I think it didn’t happen. I thought we do relabelling as part of
>>> deploy
>>> How about running "restorecon -r" now?
>>>
>>>
>>> These nodes + engine are not yet production, though I'd prefer to fix
>>> than restart entirely from scratch.
>>>
>>> Thanks for any help.
>>>
>>> regards,
>>>
>>> Campbell
>>>
>>>
>>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
>>>
 Ah, ok that makes sense. For the node, is it enough to use the
 'reinstall node' option from the GUI, or is it better to reinstall the OS
 and then deploy it again?

 Thanks,

 Cam

 On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
 michal.skriva...@redhat.com> wrote:

>
> On 11 May 2016, at 15:24, Cam Mac  wrote:
>
> Thanks Michal, if reinstalling the engine, (which also had SELinux
> disabled at install), would the best way be to backup the engine and then
> restore just the ovirt config?
>
>
> for engine..well, VM security is not related to that, those are
> running on hypervisors, not the engine. So for any functionality/security
> it’s irrelevant what SELinux state it’s in
> I’m not sure if relabeling with restorecon is not enough (it should
> work also on nodes, but as I said, it’s likely more safe to reinstall just
> to be really really sure:)
> Simone, am I right about the restorecon for engine?
>
>
> Cheers,
>
> Cam
>
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>> > On 11 May 2016, at 15:02, Cam Mac  wrote:
>> >
>> > Hi,
>> >
>> > In the oVirt guide, it says that "SELinux is being used by default
>> on oVirt Node", but then goes on to say that if you have problems you
>> should set it to permissive mode. I have had a few things fail due to 
>> being
>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>> install time. The other node which has had SELinux on from the start and 
>> so
>> far has not had any oVirt operations blocked. I am guessing that the 
>> oVirt
>> install process creates the necessary rules to allow vdsm to run under
>> SELinux. So if you want to set SELinux to enforcing after installation, 
>> is
>> there a script to do this, or is it better to just reinstall the node or
>> engine, rather than trying to work out the individual exceptions?
>>
>> For oVirt node it’s easier to reinstall it, it doesn’t persist 

Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Michal Skrivanek


> On 25 May 2016, at 19:29, Cam Mac  wrote:
> 
> Hi Michal,
> 
> Ran restorecon -r on '/' (and restarted vdsmd and other services): it is 
> still getting selinux errors. I'd like to keep selinux running, especially as 
> it is officially supported

Yeah. Hm, dunno why it didn't work, perhaps the config is not set up correctly. 
I thought redeploy would fix it but I don't really know the deployment code so 
maybe I'm wrong

> (and works on the other node), so I guess the best option is to reinstall the 
> OS and then install ovirt again perhaps.

That's the most easy way out, yes:)

Thanks,
michal
> 
> Thanks,
> 
> Campbell
> 
>> On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek  
>> wrote:
>> 
>> 
>>> On 25 May 2016, at 19:12, Cam Mac  wrote:
>>> 
>>> I'll try that - presumably on the paths it is complaining about, and the 
>>> qemu binaries?
>> 
>> It shouldn't hurt on /, it should only help:)
>> And if it complains e.g. on attached nfs, then I suppose you need to run it 
>> there too
>> 
>> 
>>> 
 On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek 
  wrote:
 
> On 25 May 2016, at 17:35, Cam Mac  wrote:
> 
> Hi Michal,
> 
> I chose the 'reinstall node' option from the GUI menu, which appeared to 
> go ok, however, I still cannot create or migrate a VM on that node. I can 
> see selinux 'denied' messages relating to qemu-kvm, e.g.:
> 
> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for  
> pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5" 
> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
> 
> There are a number of errors in the vdsm log but I assume that relates to 
> selinux blocking it. So perhaps I need to remove all the ovirt packages 
> manually, or perhaps re-install the OS as well? I guess either of those 
> options involves complications with certificates and WWIDs for the 
> attached SAN. 
> 
> Or could I somehow generate selinux labels?
 
 yeah, I think it didn’t happen. I thought we do relabelling as part of 
 deploy
 How about running "restorecon -r" now?
 
> 
> These nodes + engine are not yet production, though I'd prefer to fix 
> than restart entirely from scratch.
> 
> Thanks for any help.
> 
> regards,
> 
> Campbell
> 
> 
>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
>> Ah, ok that makes sense. For the node, is it enough to use the 
>> 'reinstall node' option from the GUI, or is it better to reinstall the 
>> OS and then deploy it again?
>> 
>> Thanks,
>> 
>> Cam
>> 
>>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek 
>>>  wrote:
>>> 
 On 11 May 2016, at 15:24, Cam Mac  wrote:
 
 Thanks Michal, if reinstalling the engine, (which also had SELinux 
 disabled at install), would the best way be to backup the engine and 
 then restore just the ovirt config?
>>> 
>>> for engine..well, VM security is not related to that, those are running 
>>> on hypervisors, not the engine. So for any functionality/security it’s 
>>> irrelevant what SELinux state it’s in
>>> I’m not sure if relabeling with restorecon is not enough (it should work 
>>> also on nodes, but as I said, it’s likely more safe to reinstall just 
>>> to be really really sure:)
>>> Simone, am I right about the restorecon for engine?
>>> 
 
 Cheers,
 
 Cam
 
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek 
>  wrote:
> 
> > On 11 May 2016, at 15:02, Cam Mac  wrote:
> >
> > Hi,
> >
> > In the oVirt guide, it says that "SELinux is being used by default 
> > on oVirt Node", but then goes on to say that if you have problems 
> > you should set it to permissive mode. I have had a few things fail 
> > due to being blocked by SELinux on a node I later enabled SELinux 
> > on, as it was off at install time. The other node which has had 
> > SELinux on from the start and so far has not had any oVirt 
> > operations blocked. I am guessing that the oVirt install process 
> > creates the necessary rules to allow vdsm to run under SELinux. So 
> > if you want to set SELinux to enforcing after installation, is 
> > there a script to do this, or is it better to just reinstall the 
> > node or engine, rather than trying to work out the individual 
> > exceptions?
> 
> For oVirt node it’s easier to reinstall it, it doesn’t 

Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Cam Mac
Hi Michal,

Ran restorecon -r on '/' (and restarted vdsmd and other services): it is
still getting selinux errors. I'd like to keep selinux running, especially
as it is officially supported (and works on the other node), so I guess the
best option is to reinstall the OS and then install ovirt again perhaps.

Thanks,

Campbell

On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek 
wrote:

>
>
> On 25 May 2016, at 19:12, Cam Mac  wrote:
>
> I'll try that - presumably on the paths it is complaining about, and the
> qemu binaries?
>
>
> It shouldn't hurt on /, it should only help:)
> And if it complains e.g. on attached nfs, then I suppose you need to run it
> there too
>
>
>
> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>> On 25 May 2016, at 17:35, Cam Mac  wrote:
>>
>> Hi Michal,
>>
>> I chose the 'reinstall node' option from the GUI menu, which appeared to
>> go ok, however, I still cannot create or migrate a VM on that node. I can
>> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>>
>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
>> pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5"
>> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>>
>> There are a number of errors in the vdsm log but I assume that relates to
>> selinux blocking it. So perhaps I need to remove all the ovirt packages
>> manually, or perhaps re-install the OS as well? I guess either of those
>> options involves complications with certificates and WWIDs for the attached
>> SAN.
>>
>> Or could I somehow generate selinux labels?
>>
>>
>> yeah, I think it didn’t happen. I thought we do relabelling as part of
>> deploy
>> How about running "restorecon -r" now?
>>
>>
>> These nodes + engine are not yet production, though I'd prefer to fix
>> than restart entirely from scratch.
>>
>> Thanks for any help.
>>
>> regards,
>>
>> Campbell
>>
>>
>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
>>
>>> Ah, ok that makes sense. For the node, is it enough to use the
>>> 'reinstall node' option from the GUI, or is it better to reinstall the OS
>>> and then deploy it again?
>>>
>>> Thanks,
>>>
>>> Cam
>>>
>>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
>>> michal.skriva...@redhat.com> wrote:
>>>

 On 11 May 2016, at 15:24, Cam Mac  wrote:

 Thanks Michal, if reinstalling the engine, (which also had SELinux
 disabled at install), would the best way be to backup the engine and then
 restore just the ovirt config?


 for engine..well, VM security is not related to that, those are running
 on hypervisors, not the engine. So for any functionality/security it’s
 irrelevant what SELinux state it’s in
 I’m not sure if relabeling with restorecon is not enough (it should work
 also on nodes, but as I said, it’s likely more safe to reinstall just to be
 really really sure:)
 Simone, am I right about the restorecon for engine?


 Cheers,

 Cam

 On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
 michal.skriva...@redhat.com> wrote:

>
> > On 11 May 2016, at 15:02, Cam Mac  wrote:
> >
> > Hi,
> >
> > In the oVirt guide, it says that "SELinux is being used by default
> on oVirt Node", but then goes on to say that if you have problems you
> should set it to permissive mode. I have had a few things fail due to 
> being
> blocked by SELinux on a node I later enabled SELinux on, as it was off at
> install time. The other node which has had SELinux on from the start and 
> so
> far has not had any oVirt operations blocked. I am guessing that the oVirt
> install process creates the necessary rules to allow vdsm to run under
> SELinux. So if you want to set SELinux to enforcing after installation, is
> there a script to do this, or is it better to just reinstall the node or
> engine, rather than trying to work out the individual exceptions?
>
> For oVirt node it’s easier to reinstall it, it doesn’t persist much
> and it’s the easiest way how to get the labelling right
>
> Thanks,
> michal
>
> >
> > Thanks,
> >
> > Cam
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
>
>


Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Michal Skrivanek


> On 25 May 2016, at 19:12, Cam Mac  wrote:
> 
> I'll try that - presumably on the paths it is complaining about, and the qemu 
> binaries?

It shouldn't hurt on /, it should only help:)
And if it complains e.g. on attached nfs, then I suppose you need to run it 
there too

> 
>> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek 
>>  wrote:
>> 
>>> On 25 May 2016, at 17:35, Cam Mac  wrote:
>>> 
>>> Hi Michal,
>>> 
>>> I chose the 'reinstall node' option from the GUI menu, which appeared to go 
>>> ok, however, I still cannot create or migrate a VM on that node. I can see 
>>> selinux 'denied' messages relating to qemu-kvm, e.g.:
>>> 
>>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for  
>>> pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5" 
>>> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>>> 
>>> There are a number of errors in the vdsm log but I assume that relates to 
>>> selinux blocking it. So perhaps I need to remove all the ovirt packages 
>>> manually, or perhaps re-install the OS as well? I guess either of those 
>>> options involves complications with certificates and WWIDs for the attached 
>>> SAN. 
>>> 
>>> Or could I somehow generate selinux labels?
>> 
>> yeah, I think it didn’t happen. I thought we do relabelling as part of deploy
>> How about running "restorecon -r" now?
>> 
>>> 
>>> These nodes + engine are not yet production, though I'd prefer to fix than 
>>> restart entirely from scratch.
>>> 
>>> Thanks for any help.
>>> 
>>> regards,
>>> 
>>> Campbell
>>> 
>>> 
 On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
 Ah, ok that makes sense. For the node, is it enough to use the 'reinstall 
 node' option from the GUI, or is it better to reinstall the OS and then 
 deploy it again?
 
 Thanks,
 
 Cam
 
> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek 
>  wrote:
> 
>> On 11 May 2016, at 15:24, Cam Mac  wrote:
>> 
>> Thanks Michal, if reinstalling the engine, (which also had SELinux 
>> disabled at install), would the best way be to backup the engine and 
>> then restore just the ovirt config?
> 
> for engine..well, VM security is not related to that, those are running 
> on hypervisors, not the engine. So for any functionality/security it’s 
> irrelevant what SELinux state it’s in
> I’m not sure if relabeling with restorecon is not enough (it should work 
> also on nodes, but as I said, it’s likely more safe to reinstall just to 
> be really really sure:)
> Simone, am I right about the restorecon for engine?
> 
>> 
>> Cheers,
>> 
>> Cam
>> 
>>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek 
>>>  wrote:
>>> 
>>> > On 11 May 2016, at 15:02, Cam Mac  wrote:
>>> >
>>> > Hi,
>>> >
>>> > In the oVirt guide, it says that "SELinux is being used by default on 
>>> > oVirt Node", but then goes on to say that if you have problems you 
>>> > should set it to permissive mode. I have had a few things fail due to 
>>> > being blocked by SELinux on a node I later enabled SELinux on, as it 
>>> > was off at install time. The other node which has had SELinux on from 
>>> > the start and so far has not had any oVirt operations blocked. I am 
>>> > guessing that the oVirt install process creates the necessary rules 
>>> > to allow vdsm to run under SELinux. So if you want to set SELinux to 
>>> > enforcing after installation, is there a script to do this, or is it 
>>> > better to just reinstall the node or engine, rather than trying to 
>>> > work out the individual exceptions?
>>> 
>>> For oVirt node it’s easier to reinstall it, it doesn’t persist much and 
>>> it’s the easiest way how to get the labelling right
>>> 
>>> Thanks,
>>> michal
>>> 
>>> >
>>> > Thanks,
>>> >
>>> > Cam


Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Cam Mac
I'll try that - presumably on the paths it is complaining about, and the
qemu binaries?

On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
michal.skriva...@redhat.com> wrote:

>
> On 25 May 2016, at 17:35, Cam Mac  wrote:
>
> Hi Michal,
>
> I chose the 'reinstall node' option from the GUI menu, which appeared to
> go ok, however, I still cannot create or migrate a VM on that node. I can
> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>
> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
> pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5"
> dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>
> There are a number of errors in the vdsm log but I assume that relates to
> selinux blocking it. So perhaps I need to remove all the ovirt packages
> manually, or perhaps re-install the OS as well? I guess either of those
> options involves complications with certificates and WWIDs for the attached
> SAN.
>
> Or could I somehow generate selinux labels?
>
>
> yeah, I think it didn’t happen. I thought we do relabelling as part of
> deploy
> How about running "restorecon -r" now?
>
>
> These nodes + engine are not yet production, though I'd prefer to fix than
> restart entirely from scratch.
>
> Thanks for any help.
>
> regards,
>
> Campbell
>
>
> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
>
>> Ah, ok that makes sense. For the node, is it enough to use the 'reinstall
>> node' option from the GUI, or is it better to reinstall the OS and then
>> deploy it again?
>>
>> Thanks,
>>
>> Cam
>>
>> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
>> michal.skriva...@redhat.com> wrote:
>>
>>>
>>> On 11 May 2016, at 15:24, Cam Mac  wrote:
>>>
>>> Thanks Michal, if reinstalling the engine, (which also had SELinux
>>> disabled at install), would the best way be to backup the engine and then
>>> restore just the ovirt config?
>>>
>>>
>>> for engine..well, VM security is not related to that, those are running
>>> on hypervisors, not the engine. So for any functionality/security it’s
>>> irrelevant what SELinux state it’s in
>>> I’m not sure if relabeling with restorecon is not enough (it should work
>>> also on nodes, but as I said, it’s likely more safe to reinstall just to be
>>> really really sure:)
>>> Simone, am I right about the restorecon for engine?
>>>
>>>
>>> Cheers,
>>>
>>> Cam
>>>
>>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
>>> michal.skriva...@redhat.com> wrote:
>>>

 > On 11 May 2016, at 15:02, Cam Mac  wrote:
 >
 > Hi,
 >
 > In the oVirt guide, it says that "SELinux is being used by default on
 oVirt Node", but then goes on to say that if you have problems you should
 set it to permissive mode. I have had a few things fail due to being
 blocked by SELinux on a node I later enabled SELinux on, as it was off at
 install time. The other node which has had SELinux on from the start and so
 far has not had any oVirt operations blocked. I am guessing that the oVirt
 install process creates the necessary rules to allow vdsm to run under
 SELinux. So if you want to set SELinux to enforcing after installation, is
 there a script to do this, or is it better to just reinstall the node or
 engine, rather than trying to work out the individual exceptions?

 For oVirt node it’s easier to reinstall it, it doesn’t persist much and
 it’s the easiest way how to get the labelling right

 Thanks,
 michal

 >
 > Thanks,
 >
 > Cam


Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Michal Skrivanek

> On 25 May 2016, at 17:35, Cam Mac  wrote:
> 
> Hi Michal,
> 
> I chose the 'reinstall node' option from the GUI menu, which appeared to go 
> ok, however, I still cannot create or migrate a VM on that node. I can see 
> selinux 'denied' messages relating to qemu-kvm, e.g.:
> 
> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for  pid=4019 
> comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5" dev="sda2" 
> ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
> 
> There are a number of errors in the vdsm log but I assume that relates to 
> selinux blocking it. So perhaps I need to remove all the ovirt packages 
> manually, or perhaps re-install the OS as well? I guess either of those 
> options involves complications with certificates and WWIDs for the attached 
> SAN. 
> 
> Or could I somehow generate selinux labels?

yeah, I think it didn’t happen. I thought we do relabelling as part of deploy
How about running "restorecon -r" now?

> 
> These nodes + engine are not yet production, though I'd prefer to fix than 
> restart entirely from scratch.
> 
> Thanks for any help.
> 
> regards,
> 
> Campbell
> 
> 
> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  > wrote:
> Ah, ok that makes sense. For the node, is it enough to use the 'reinstall 
> node' option from the GUI, or is it better to reinstall the OS and then 
> deploy it again?
> 
> Thanks,
> 
> Cam
> 
> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek 
> > wrote:
> 
>> On 11 May 2016, at 15:24, Cam Mac > > wrote:
>> 
>> Thanks Michal, if reinstalling the engine, (which also had SELinux disabled 
>> at install), would the best way be to backup the engine and then restore 
>> just the ovirt config?
> 
> for engine..well, VM security is not related to that, those are running on 
> hypervisors, not the engine. So for any functionality/security it’s 
> irrelevant what SELinux state it’s in
> I’m not sure if relabeling with restorecon is not enough (it should work also 
> on nodes, but as I said, it’s likely more safe to reinstall just to be really 
> really sure:)
> Simone, am I right about the restorecon for engine?
> 
>> 
>> Cheers,
>> 
>> Cam
>> 
>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek 
>> > wrote:
>> 
>> > On 11 May 2016, at 15:02, Cam Mac > > > wrote:
>> >
>> > Hi,
>> >
>> > In the oVirt guide, it says that "SELinux is being used by default on 
>> > oVirt Node", but then goes on to say that if you have problems you should 
>> > set it to permissive mode. I have had a few things fail due to being 
>> > blocked by SELinux on a node I later enabled SELinux on, as it was off at 
>> > install time. The other node which has had SELinux on from the start and 
>> > so far has not had any oVirt operations blocked. I am guessing that the 
>> > oVirt install process creates the necessary rules to allow vdsm to run 
>> > under SELinux. So if you want to set SELinux to enforcing after 
>> > installation, is there a script to do this, or is it better to just 
>> > reinstall the node or engine, rather than trying to work out the 
>> > individual exceptions?
>> 
>> For oVirt node it’s easier to reinstall it, it doesn’t persist much and it’s 
>> the easiest way how to get the labelling right
>> 
>> Thanks,
>> michal
>> 
>> >
>> > Thanks,
>> >
>> > Cam
> 
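
The denial quoted in this message has a target context of type unlabeled_t, meaning the object being read carries no valid SELinux label, which is why relabelling with restorecon is the suggestion here rather than a policy exception. The script below is an added example, not part of the original thread and not oVirt code: it parses AVC lines and separates denials against unlabelled objects from denials against labelled ones. The function names and the second sample line are constructed for illustration; the first sample is the denial from the thread rejoined onto one line.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux AVC denials by the
# type of the *target* context. All function names are illustrative.

# The denial quoted in the thread, rejoined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for  pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5" dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file'

# Constructed contrast case: the target carries a real label (var_t).
SAMPLE_LABELLED='type=AVC msg=audit(1464189300.000:260): avc:  denied  { write } for  pid=4100 comm="qemu-kvm" name="disk.img" dev="sda2" ino=40000 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY -> value of the first KEY=value token, quotes removed.
# Splitting on spaces is safe for raw audit records: values that contain
# spaces are hex-encoded by the audit subsystem.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perms LINE -> the permission list inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT -> third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> relabel | review-policy | not-a-denial
#   relabel       : target has no usable label (unlabeled_t, or file_t on
#                   older policies), so the filesystem labelling is the
#                   thing to repair.
#   review-policy : target is labelled; the denial is a policy or
#                   file-context question, not a missing label.
classify_avc() {
    case $1 in
        *'avc:'*'denied'*) ;;
        *) echo not-a-denial; return 0 ;;
    esac
    avc_ttype=$(context_type "$(avc_field "$1" tcontext)")
    case $avc_ttype in
        unlabeled_t|file_t) echo relabel ;;
        *) echo review-policy ;;
    esac
}

# triage_avc LINE -> one summary line with the fields needed to find the
# object on disk (device and inode) and to see which domain was blocked.
triage_avc() {
    printf '%s: comm=%s perms=%s tclass=%s dev=%s ino=%s ttype=%s\n' \
        "$(classify_avc "$1")" \
        "$(avc_field "$1" comm)" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" dev)" \
        "$(avc_field "$1" ino)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# triage_stream: read audit lines on stdin, summarise each AVC denial and
# skip everything else (SYSCALL records, blank lines, ...).
triage_stream() {
    while IFS= read -r avc_line; do
        [ -n "$avc_line" ] || continue
        [ "$(classify_avc "$avc_line")" = not-a-denial ] && continue
        triage_avc "$avc_line"
    done
}

# Run over the two sample lines.
printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_LABELLED" | triage_stream
```

For a line classed as relabel, `find <mountpoint> -xdev -inum <ino>` locates the object on the reported device, and `restorecon -n -v <path>` previews the label it would receive without changing anything.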



Re: [ovirt-users] SELinux and oVirt

2016-05-25 Thread Cam Mac
Hi Michal,

I chose the 'reinstall node' option from the GUI menu, which appeared to go
ok, however, I still cannot create or migrate a VM on that node. I can see
selinux 'denied' messages relating to qemu-kvm, e.g.:

type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5"
dev="sda2" ino=35401 scontext=system_u:system_r:svirt_t:s0:c720,c927
tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

There are a number of errors in the vdsm log but I assume that relates to
selinux blocking it. So perhaps I need to remove all the ovirt packages
manually, or perhaps re-install the OS as well? I guess either of those
options involves complications with certificates and WWIDs for the attached
SAN.

Or could I somehow generate selinux labels?

These nodes + engine are not yet production, though I'd prefer to fix than
restart entirely from scratch.

Thanks for any help.

regards,

Campbell


On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:

> Ah, ok that makes sense. For the node, is it enough to use the 'reinstall
> node' option from the GUI, or is it better to reinstall the OS and then
> deploy it again?
>
> Thanks,
>
> Cam
>
> On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>> On 11 May 2016, at 15:24, Cam Mac  wrote:
>>
>> Thanks Michal, if reinstalling the engine, (which also had SELinux
>> disabled at install), would the best way be to backup the engine and then
>> restore just the ovirt config?
>>
>>
>> for engine..well, VM security is not related to that, those are running
>> on hypervisors, not the engine. So for any functionality/security it’s
>> irrelevant what SELinux state it’s in
>> I’m not sure if relabeling with restorecon is not enough (it should work
>> also on nodes, but as I said, it’s likely more safe to reinstall just to be
>> really really sure:)
>> Simone, am I right about the restorecon for engine?
>>
>>
>> Cheers,
>>
>> Cam
>>
>> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
>> michal.skriva...@redhat.com> wrote:
>>
>>>
>>> > On 11 May 2016, at 15:02, Cam Mac  wrote:
>>> >
>>> > Hi,
>>> >
>>> > In the oVirt guide, it says that "SELinux is being used by default on
>>> oVirt Node", but then goes on to say that if you have problems you should
>>> set it to permissive mode. I have had a few things fail due to being
>>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>>> install time. The other node which has had SELinux on from the start and so
>>> far has not had any oVirt operations blocked. I am guessing that the oVirt
>>> install process creates the necessary rules to allow vdsm to run under
>>> SELinux. So if you want to set SELinux to enforcing after installation, is
>>> there a script to do this, or is it better to just reinstall the node or
>>> engine, rather than trying to work out the individual exceptions?
>>>
>>> For oVirt node it’s easier to reinstall it, it doesn’t persist much and
>>> it’s the easiest way how to get the labelling right
>>>
>>> Thanks,
>>> michal
>>>
>>> >
>>> > Thanks,
>>> >
>>> > Cam


Re: [ovirt-users] SELinux and oVirt

2016-05-11 Thread Cam Mac
Ah, ok that makes sense. For the node, is it enough to use the 'reinstall
node' option from the GUI, or is it better to reinstall the OS and then
deploy it again?

Thanks,

Cam

On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
michal.skriva...@redhat.com> wrote:

>
> On 11 May 2016, at 15:24, Cam Mac  wrote:
>
> Thanks Michal, if reinstalling the engine, (which also had SELinux
> disabled at install), would the best way be to backup the engine and then
> restore just the ovirt config?
>
>
> for engine..well, VM security is not related to that, those are running on
> hypervisors, not the engine. So for any functionality/security it’s
> irrelevant what SELinux state it’s in
> I’m not sure if relabeling with restorecon is not enough (it should work
> also on nodes, but as I said, it’s likely more safe to reinstall just to be
> really really sure:)
> Simone, am I right about the restorecon for engine?
>
>
> Cheers,
>
> Cam
>
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>> > On 11 May 2016, at 15:02, Cam Mac  wrote:
>> >
>> > Hi,
>> >
>> > In the oVirt guide, it says that "SELinux is being used by default on
>> oVirt Node", but then goes on to say that if you have problems you should
>> set it to permissive mode. I have had a few things fail due to being
>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>> install time. The other node which has had SELinux on from the start and so
>> far has not had any oVirt operations blocked. I am guessing that the oVirt
>> install process creates the necessary rules to allow vdsm to run under
>> SELinux. So if you want to set SELinux to enforcing after installation, is
>> there a script to do this, or is it better to just reinstall the node or
>> engine, rather than trying to work out the individual exceptions?
>>
>> For oVirt node it’s easier to reinstall it, it doesn’t persist much and
>> it’s the easiest way how to get the labelling right
>>
>> Thanks,
>> michal
>>
>> >
>> > Thanks,
>> >
>> > Cam


Re: [ovirt-users] SELinux and oVirt

2016-05-11 Thread Michal Skrivanek

> On 11 May 2016, at 15:24, Cam Mac  wrote:
> 
> Thanks Michal, if reinstalling the engine, (which also had SELinux disabled 
> at install), would the best way be to backup the engine and then restore just 
> the ovirt config?

for engine..well, VM security is not related to that, those are running on 
hypervisors, not the engine. So for any functionality/security it’s irrelevant 
what SELinux state it’s in
I’m not sure if relabeling with restorecon is not enough (it should work also on 
nodes, but as I said, it’s likely more safe to reinstall just to be really 
really sure:)
Simone, am I right about the restorecon for engine?

> 
> Cheers,
> 
> Cam
> 
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek 
> > wrote:
> 
> > On 11 May 2016, at 15:02, Cam Mac  > > wrote:
> >
> > Hi,
> >
> > In the oVirt guide, it says that "SELinux is being used by default on oVirt 
> > Node", but then goes on to say that if you have problems you should set it 
> > to permissive mode. I have had a few things fail due to being blocked by 
> > SELinux on a node I later enabled SELinux on, as it was off at install 
> > time. The other node has had SELinux on from the start and so far has 
> > not had any oVirt operations blocked. I am guessing that the oVirt install 
> > process creates the necessary rules to allow vdsm to run under SELinux. So 
> > if you want to set SELinux to enforcing after installation, is there a 
> > script to do this, or is it better to just reinstall the node or engine, 
> > rather than trying to work out the individual exceptions?
> 
> For oVirt node it’s easier to reinstall it, it doesn’t persist much and it’s 
> the easiest way to get the labelling right
> 
> Thanks,
> michal
> 
> >
> > Thanks,
> >
> > Cam
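Whether restorecon or a reinstall is needed, as discussed in the message above, depends on whether the denials point at files that carry no usable label. The following is an added example, not code from the thread or from oVirt: the function names are hypothetical, the audit lines are constructed, and treating `unlabeled_t`, `default_t` and `file_t` as labelling indicators is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials to separate
# labelling problems (candidates for relabelling) from other policy denials.

# Target SELinux type of one AVC line: third field of tcontext=user:role:type
target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p'
}

# Classify every denial in audit log file $1.
# Output per denial: <relabel|policy> <comm> <tclass> <target type>
triage_denials() {
    grep 'avc: *denied' "$1" | while IFS= read -r line; do
        ttype=$(target_type "$line")
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_0-9]*\).*/\1/p')
        case $ttype in
            # Assumption: these types mean "no label" or "no matching rule".
            unlabeled_t|default_t|file_t) class=relabel ;;
            *) class=policy ;;
        esac
        echo "$class $comm $tclass $ttype"
    done
}

# Number of denials that point at missing or generic labels.
relabel_count() {
    triage_denials "$1" | grep -c '^relabel ' || true
}

# Constructed sample log: one denial on an unlabeled symlink, one on a
# labelled file, and one unrelated audit record that must be ignored.
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
type=AVC msg=audit(1700000000.100:10): avc:  denied  { read } for  pid=1001 comm="qemu-kvm" name="disk-link" dev="sda2" ino=111 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
type=AVC msg=audit(1700000001.200:11): avc:  denied  { write } for  pid=1001 comm="qemu-kvm" name="scratch.img" dev="sda2" ino=222 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SERVICE_START msg=audit(1700000002.300:12): pid=1 comm="systemd" res=success
EOF
    triage_denials "$log"
    echo "denials pointing at labelling: $(relabel_count "$log")"
    rm -f "$log"
}
demo
```

A non-zero relabel count after a relabel attempt suggests the affected paths were not covered by it, for example attached storage mounted elsewhere.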


Re: [ovirt-users] SELinux and oVirt

2016-05-11 Thread Michal Skrivanek

> On 11 May 2016, at 15:02, Cam Mac  wrote:
> 
> Hi,
> 
> In the oVirt guide, it says that "SELinux is being used by default on oVirt 
> Node", but then goes on to say that if you have problems you should set it to 
> permissive mode. I have had a few things fail due to being blocked by SELinux 
> on a node I later enabled SELinux on, as it was off at install time. The 
> other node has had SELinux on from the start and so far has not had any 
> oVirt operations blocked. I am guessing that the oVirt install process 
> creates the necessary rules to allow vdsm to run under SELinux. So if you 
> want to set SELinux to enforcing after installation, is there a script to do 
> this, or is it better to just reinstall the node or engine, rather than 
> trying to work out the individual exceptions?

For oVirt node it’s easier to reinstall it, it doesn’t persist much and it’s 
the easiest way to get the labelling right

Thanks,
michal

> 
> Thanks,
> 
> Cam


Re: [ovirt-users] selinux on oVirt Node

2014-05-23 Thread Sven Kieske
afaik you need to disable selinux by passing
the relevant parameter directly via kernel boot options.

search the ML or the net if you need the exact command line.

HTH

On 23.05.2014 10:36, Simon Barrett wrote:
> I set SELINUX=disabled in /etc/selinux/config and ran a persist 
> /etc/selinux/config.
>
> After the node reboots, the file has the correct SELINUX=disabled line but 
> I see that selinux is still enabled:
>
> # grep ^SELINUX= /etc/selinux/config
> SELINUX=disabled
> # getenforce
> Enforcing
> # cat /selinux/enforce
> 1
>
> It's like the bind mounts for the files in config happen after selinux is 
> set up.
>
> Is there something else I should be doing to make a change to selinux survive 
> a node reboot?
>
> Many thanks,
>
> Simon

-- 
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen


Re: [ovirt-users] selinux on oVirt Node

2014-05-23 Thread Simon Barrett

I added enforcing=0 to my pxe menu and re-installed the node. All looks 
better now.
 
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted

# cat /selinux/enforce
0

Thanks for the information.

Simon


-----Original Message-----
From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of 
Sven Kieske
Sent: 23 May 2014 09:45
To: users@ovirt.org
Subject: Re: [ovirt-users] selinux on oVirt Node

afaik you need to disable selinux by passing the relevant parameter directly via 
kernel boot options.

search the ML or the net if you need the exact command line.

HTH

On 23.05.2014 10:36, Simon Barrett wrote:
> I set SELINUX=disabled in /etc/selinux/config and ran a persist 
> /etc/selinux/config.
>
> After the node reboots, the file has the correct SELINUX=disabled line but 
> I see that selinux is still enabled:
>
> # grep ^SELINUX= /etc/selinux/config
> SELINUX=disabled
> # getenforce
> Enforcing
> # cat /selinux/enforce
> 1
>
> It's like the bind mounts for the files in config happen after selinux is 
> set up.
>
> Is there something else I should be doing to make a change to selinux survive 
> a node reboot?
>
> Many thanks,
>
> Simon

--
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
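The mismatch reported in this thread (the config file says disabled while getenforce says Enforcing, and enforcing=0 on the kernel command line gives permissive) can be checked mechanically. The following is an added example, not code from the thread or from oVirt: the function names are hypothetical, the sample files are constructed, and the precedence rule is stated as an assumption in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): predict the SELinux mode a host boots
# into from a copy of /etc/selinux/config and a copy of /proc/cmdline.

# SELINUX= value from a config file, lower-cased (SELINUXTYPE= is not matched).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Value of kernel parameter $1 in cmdline file $2 (empty if absent; if the
# parameter is repeated, this sketch takes the last occurrence).
cmdline_param() {
    tr ' ' '\n' < "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Boot-time mode. Assumed precedence: selinux=0 or SELINUX=disabled turns
# SELinux off; otherwise enforcing=N on the command line beats the config file.
boot_mode() {
    cfg=$(config_mode "$1")
    sel=$(cmdline_param selinux "$2")
    enf=$(cmdline_param enforcing "$2")
    if [ "$sel" = 0 ] || [ "$cfg" = disabled ]; then echo disabled
    elif [ "$enf" = 0 ]; then echo permissive
    elif [ "$enf" = 1 ]; then echo enforcing
    else echo "${cfg:-unknown}"
    fi
}

# Compare the prediction with an observed runtime mode (getenforce output).
check_mode() {
    want=$(boot_mode "$1" "$2")
    got=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$want" = "$got" ]; then echo "consistent: $got"
    else echo "mismatch: files predict $want, runtime is $got"
    fi
}

# Constructed sample: the persisted config says disabled and there is no
# boot parameter, yet getenforce reports Enforcing, as in the first message.
demo() {
    d=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'ro quiet\n' > "$d/cmdline"
    check_mode "$d/config" "$d/cmdline" Enforcing
    rm -rf "$d"
}
demo
```

A mismatch means the config file inspected after boot is not the one that was in effect when the policy was loaded, which matches the bind-mount ordering suspected in the thread.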