On Wed, Feb 22, 2017 at 10:05 PM, Michal Skrivanek <mskri...@redhat.com> wrote:
> > On 22 Feb 2017, at 16:46, Jiri Belka <jbe...@redhat.com> wrote:
> >
> > ----- Original Message -----
> >> From: "Alan Griffiths" <apgriffith...@gmail.com>
> >> To: "Ovirt Users" <users@ovirt.org>
> >> Sent: Friday, February 10, 2017 4:25:28 PM
> >> Subject: [ovirt-users] Guest Agent Running unconfined on Centos 7
> >>
> >> Hi,
> >>
> >> I'm running ovirt-guest-agent from Centos 7 EPEL and I notice that it's
> >> running unconfined rather than within its own domain.
> >>
> >> I see there is a rhev_agentd_exec_t
>
> That sounds suspicious on its own. Are you sure you haven't mixed rhev
> and ovirt agents in the same guest at some point? Restoring selinux
> context doesn't help?
>

Here the same:

[root@c72he20170222h1 ~]# yum list installed | grep rhev
fence-agents-rhevm.x86_64            4.0.11-47.el7_3.2    @updates
[root@c72he20170222h1 ~]# yum list installed | grep ovirt-guest-agent
ovirt-guest-agent-common.noarch      1.0.12-4.el7         @epel
[root@c72he20170222h1 ~]# ps auxZ | grep guest-agent
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
[root@c72he20170222h1 ~]# semanage fcontext -l | grep rhev_agentd
/var/log/rhev-agent(/.*)?                             all files      system_u:object_r:rhev_agentd_log_t:s0
/var/log/ovirt-guest-agent(/.*)?                      all files      system_u:object_r:rhev_agentd_log_t:s0
/usr/lib/systemd/system/ovirt-guest-agent.*           regular file   system_u:object_r:rhev_agentd_unit_file_t:s0
/var/run/rhev-agentd\.pid                             regular file   system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/ovirt-guest-agent                          regular file   system_u:object_r:rhev_agentd_exec_t:s0
/var/run/ovirt-guest-agent\.pid                       regular file   system_u:object_r:rhev_agentd_var_run_t:s0
/usr/share/rhev-agent/rhev-agentd\.py                 regular file   system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/rhev-agent/LockActiveSession\.py           regular file   system_u:object_r:rhev_agentd_exec_t:s0
/usr/share/ovirt-guest-agent/LockActiveSession\.py    regular file   system_u:object_r:rhev_agentd_exec_t:s0

> >> type, which I attempted to assign to
> >> ovirt-guest-agent.py but it still starts up as unconfined. Is there a
> >> supported process for getting ovirt-guest into its own domain? Or a reason
> >> why it's not possible?
> >>
> >> Thanks,
> >>
> >> Alan
> >
> > Hm, it seems many ovirt services run unconfined. For ovirt GA, it seems
> > there's missing glue between systemd -> python -> GA script.
> >
> > Vinzenz, any idea?
> >
> > j.
> > _______________________________________________
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
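An added example, not part of the original thread or of oVirt's code: it replays the `ps auxZ` and `semanage fcontext -l` output quoted above to flag services in `unconfined_service_t` and to check which of the listed `rhev_agentd` rules, if any, covers the script they run. The function names are hypothetical, the sample data is copied from the thread, and rule selection is simplified to the first full-path match.

```python
import re

# Copied from the thread's `semanage fcontext -l | grep rhev_agentd` output:
# (path regex, file class, SELinux type). Log and pid rules are left out.
RULES = [
    (r"/usr/lib/systemd/system/ovirt-guest-agent.*", "regular file", "rhev_agentd_unit_file_t"),
    (r"/usr/share/ovirt-guest-agent", "regular file", "rhev_agentd_exec_t"),
    (r"/usr/share/rhev-agent/rhev-agentd\.py", "regular file", "rhev_agentd_exec_t"),
    (r"/usr/share/rhev-agent/LockActiveSession\.py", "regular file", "rhev_agentd_exec_t"),
    (r"/usr/share/ovirt-guest-agent/LockActiveSession\.py", "regular file", "rhev_agentd_exec_t"),
]

# Copied from the thread's `ps auxZ | grep guest-agent` output.
PS_SAMPLE = """\
system_u:system_r:unconfined_service_t:s0 ovirtag+ 732 0.2 0.6 441796 36036 ? Ssl 16:59 0:46 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6938 0.0 0.0 112648 964 pts/0 S+ 22:31 0:00 grep --color=auto guest-agent
"""


def label_for(path, rules=RULES):
    """Return the type of the first rule whose regex matches the whole path.

    File-context regexes are anchored at both ends, hence fullmatch().
    Simplification: real policy picks the most specific of several matches.
    None means no rule in `rules` covers the path.
    """
    for regex, _file_class, setype in rules:
        if re.fullmatch(regex, path):
            return setype
    return None


def unconfined_services(ps_output):
    """Return (pid, command) for processes in the unconfined_service_t domain."""
    hits = []
    for line in ps_output.splitlines():
        # Columns: label user pid %cpu %mem vsz rss tty stat start time command
        fields = line.split(None, 11)
        parts = fields[0].split(":") if fields else []
        if len(fields) == 12 and len(parts) > 2 and parts[2] == "unconfined_service_t":
            hits.append((fields[2], fields[11]))
    return hits


if __name__ == "__main__":
    for pid, cmd in unconfined_services(PS_SAMPLE):
        script = cmd.split()[-1]
        print(pid, script, "->", label_for(script))
```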