[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Michaël Couren

> 
> Also, please note that in el8 (which will be the only supported OS for
> oVirt 4.4), if you do not want to use firewalld, you might have to
> convert/amend your scripts/conf to use nftables.
> 
> Best regards,
> --
> Didi

Hi, I'm still using iptables on CentOS8-stream but not sure if it uses nftables
or the "old" good netfilter in the backend.
(Debian 10 documentation seems more precise on this point)
By the way I don't use it on oVirt nodes just on VMs... Just saying it is possible.
-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AOYYPYSRZK2KKID5TW5ZGYDJ6RZ357OW/


[ovirt-users] Re: Q: Fixing SELinux Permissions on oVirt node

2020-05-29 Thread Michaël Couren
Hi,
you could start with:

 cat /var/log/audit/audit.log | grep denied | audit2why

The messages are quite clear.

After that you could also refine a little bit more:

 cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd

Remember to renew audit.log sometimes, in order to filter errors more precisely
-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.



- On 29 May 20, at 15:14, Andrei Verovski andre...@starlett.lv wrote:

> Hi,
> 
> SELinux is quite cumbersome for someone who has not used it before.
> 
> stat /var/log/anvraidcheck.log
> #  File: ‘/var/log/anvraidcheck.log’
> #  Size: 75  Blocks: 8  IO Block: 4096   regular file
> # Device: fd08h/64776d Inode: 138 Links: 1
> # Access: (0666/-rw-rw-rw-)  Uid: (0/root)   Gid: (0/root)
> # Context: system_u:object_r:cron_log_t:s0
> 
> ps -eZ | grep snmpd
> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
> 
> 
> How to enforce this policy (if it's correct of course)?
> 
> allow snmpd_t cron_log_t:file { read };
> 
> 
> 
>> On 29 May 2020, at 12:31, Alan  wrote:
>> 
>> When running from the terminal you are unconfined, hence it runs without error.
>> 
>> Probably your only option is to create custom policy to allow this. Although I
>> would question why the log file you are reading is cron_log_t and not
>> var_log_t.
>> 
>> 
>>  On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski wrote 
>> 
>> Hi !
>> 
>> I’m struggling with SELinux blocking SNMP script from reading log file (oVirt
>> node manually installed on CentOS 7).
>> Log file is readable by all (chmod ugo+r).
>> 
>> Scripts working fine when executed from terminal.
>> 
>> I did not dig deep into CentOS internals, I mostly use Debian and SuSE. As far
>> as I know, SELinux can’t be turned off on oVirt node.
>> 
>> Thanks in advance for any suggestion(s).
>> 
>> 
>> **
>> 
>> option in snmpd.conf
>> 
>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>> 
>> 
>> **
>> script 4anvcheckraid_hp.sh
>> 
>> #!/bin/bash
>> 
>> LOGFILE='/var/log/anvraidcheck.log'
>> 
>> # No log file: nothing to report
>> if [ ! -f "$LOGFILE" ]; then
>>     exit 0
>> fi
>> 
>> # Variant 1 with sed: print the first non-blank line
>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>     echo "$line"
>>     exit 1
>> done
>> 
>> # Variant 2 without sed
>> while read -r line
>> do
>>     if [[ "$line" =~ [^[:space:]] ]]; then
>>         echo "$line"
>>         exit 1
>>     fi
>> done < "$LOGFILE"
>> 
>> 
>> **
>> 
>> SELinux audit log:
>> 
>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>> 
>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>> 


[ovirt-users] Re: Q: Fixing SELinux Permissions on oVirt node

2020-05-29 Thread Michaël Couren
Sorry, the strings to grep for are the ones in comm="the_string" (in your
example, for example, it's "sed")



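An added example (not part of the thread, and not oVirt or audit2allow code): a small Python parser that groups the two AVC records quoted above, unwrapped to one line each, into allow rules in a way similar to what audit2allow does. The function names are hypothetical; it shows that both denials, with different comm= values, come from the same snmpd_t domain and reduce to a single rule.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the thread, one line each.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Yield one dict per AVC denial (hypothetical helper, not an audit API)."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, skip it
        yield {
            "perms": m.group(1).split(),
            "comm": fields.get("comm", "?"),
            # An SELinux context is user:role:type:level; the type is field 3.
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }

def summarize(log_text, source_type=None):
    """Group denials by (source type, target type, class), keeping the comms."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for d in parse_denials(log_text):
        if source_type and d["stype"] != source_type:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules[key]["perms"].update(d["perms"])
        rules[key]["comms"].add(d["comm"])
    return dict(rules)

def render_rules(rules):
    """Format each group as a type-enforcement allow rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
            for (s, t, c), r in sorted(rules.items())]

if __name__ == "__main__":
    found = summarize(SAMPLE_AUDIT_LOG, source_type="snmpd_t")
    for rule, (_, r) in zip(render_rules(found), sorted(found.items())):
        print(rule, "# triggered by:", ", ".join(sorted(r["comms"])))
```

The rule is keyed on types, so loading it lets snmpd_t read every file labeled cron_log_t, not only anvraidcheck.log; review a generated module with that in mind before installing it.
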
[ovirt-users] Engine certificate and HTTPS : broken on recent Firefox

2020-09-07 Thread Michaël Couren
Hi,
Is there a "verified"* way to add a valid certificate to an oVirt 4.3 engine?
(or suppress HTTP Strict Transport Security)
It is no longer possible to add a security exception (on latest Firefox 80.0.1 Linux)
and I don't want to use 2 browsers (like snap-chromium just for oVirt...)

*"verified": I mean we have already tried the official doc (many months ago) but with no success

Thanks
-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.


[ovirt-users] Re: Cannot Increase Hosted Engine VM Memory

2019-12-11 Thread Michaël Couren


> 
> On Wed, 11 Dec 2019 at 09:36, Serhiy Morhun wrote:
> 
>> Hello, did anyone find a resolution for this issue? I'm having exactly the
>> same problem:

Hi, same issue for us, the solution was:
Make a snapshot
Edit the properties, putting 32768 MB for "Mem", 131072 MB for "Max" and 32768 MB for "Guaranteed"
Then reboot the server (cold reboot)

-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.