Re: [ovirt-users] Guest Agent Running unconfined on Centos 7

2017-02-22 Thread Simone Tiraboschi
On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek wrote:

> > On 22 Feb 2017, at 16:46, Jiri Belka  wrote:
> >
> > - Original Message -
> >> From: "Alan Griffiths" 
> >> To: "Ovirt Users" 
> >> Sent: Friday, February 10, 2017 4:25:28 PM
> >> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
> >>
> >> Hi,
> >>
> >> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
> >> running unconfined rather than within its own domain.
> >>
> >> I see there is a rhev_agentd_exec_t
>
> That sounds suspicious on its own. Are you sure you haven't mixed rhev
> and ovirt agents in the same guest at some point? Restoring selinux
> context doesn't help?
>
>
Here the same:

[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64          4.0.11-47.el7_3.2          @updates
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch    1.0.12-4.el7               @epel
[root@c72he20170222h1 ~]# ps auxZ | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)?                            all files     system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?                     all files     system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*          regular file  system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid                            regular file  system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent                         regular file  system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid                      regular file  system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py                regular file  system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py          regular file  system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py   regular file  system_u:object_r:rhev_agentd_exec_t:s0




> >> type, which I attempted to assign to
> >> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
> >> supported process for getting ovirt-guest into its own domain? Or a reason
> >> why it's not possible?
> >>
> >> Thanks,
> >>
> >> Alan
> >
> > Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> > there's missing glue between systemd -> python -> GA script.
> >
> > Vinzenz, any idea?
> >
> > j.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
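
A check of the listing in the message above, as an added example that is not part of the original thread: it takes the quoted `ps auxZ` and `semanage fcontext -l` output, finds processes in `unconfined_service_t`, and tests which of the listed `rhev_agentd` rules cover each path on their command line. The function names are made up for this example; it assumes file-context patterns are anchored at both ends, as libselinux applies them, and it ignores the file-type column.

```python
import re

# Sample data copied from the `ps auxZ` and `semanage fcontext -l` output quoted above.
PS_OUTPUT = """
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
"""
FCONTEXT_OUTPUT = r"""
/var/log/rhev-agent(/.*)?  all files  system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?  all files  system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*  regular file  system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid  regular file  system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent  regular file  system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid  regular file  system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py  regular file  system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py  regular file  system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py  regular file  system_u:object_r:rhev_agentd_exec_t:s0
"""
FCONTEXT_RE = re.compile(r"^(\S+)\s+(all files|regular file)\s+(\S+)$")

def parse_fcontext(text):
    """Return (pattern, file_type, context) for each rule line."""
    matches = (FCONTEXT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def matching_types(path, rules):
    """SELinux types of the listed rules whose pattern covers the whole path."""
    # Assumption: patterns are anchored at both ends, hence fullmatch.
    return [ctx.split(":")[2] for pat, _ftype, ctx in rules if re.fullmatch(pat, path)]

def unconfined_services(ps_text):
    """(pid, argv) for every process whose domain is unconfined_service_t."""
    hits = []
    for line in ps_text.splitlines():
        f = line.split(None, 11)  # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(f) == 12 and f[0].split(":")[2] == "unconfined_service_t":
            hits.append((int(f[2]), f[11].split()))
    return hits

def report():
    """(pid, path, matching types) for each argv path of each unconfined service."""
    rules = parse_fcontext(FCONTEXT_OUTPUT)
    return [(pid, path, matching_types(path, rules))
            for pid, argv in unconfined_services(PS_OUTPUT) for path in argv]

if __name__ == "__main__":
    for pid, path, types in report():
        print(pid, path, types or "no listed rhev_agentd rule matches")
```

On this listing neither `/usr/bin/python` nor `/usr/share/ovirt-guest-agent/ovirt-guest-agent.py` is covered by a `rhev_agentd_exec_t` rule; only the bare `/usr/share/ovirt-guest-agent` path and the `LockActiveSession.py` scripts are.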


Re: [ovirt-users] Guest Agent Running unconfined on Centos 7

2017-02-22 Thread Michal Skrivanek
> On 22 Feb 2017, at 16:46, Jiri Belka  wrote:
>
> - Original Message -
>> From: "Alan Griffiths" 
>> To: "Ovirt Users" 
>> Sent: Friday, February 10, 2017 4:25:28 PM
>> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
>>
>> Hi,
>>
>> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
>> running unconfined rather than within its own domain.
>>
>> I see there is a rhev_agentd_exec_t

That sounds suspicious on its own. Are you sure you haven't mixed rhev
and ovirt agents in the same guest at some point? Restoring selinux
context doesn't help?

>> type, which I attempted to assign to
>> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
>> supported process for getting ovirt-guest into its own domain? Or a reason
>> why it's not possible?
>>
>> Thanks,
>>
>> Alan
>
> Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> there's missing glue between systemd -> python -> GA script.
>
> Vinzenz, any idea?
>
> j.


Re: [ovirt-users] Guest Agent Running unconfined on Centos 7

2017-02-22 Thread Jiri Belka
- Original Message -
> From: "Alan Griffiths" 
> To: "Ovirt Users" 
> Sent: Friday, February 10, 2017 4:25:28 PM
> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
> 
> Hi,
> 
> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
> running unconfined rather than within its own domain.
> 
> I see there is a rhev_agentd_exec_t type, which I attempted to assign to
> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
> supported process for getting ovirt-guest into its own domain? Or a reason
> why it's not possible?
> 
> Thanks,
> 
> Alan

Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
there's missing glue between systemd -> python -> GA script.

Vinzenz, any idea?

j.