Bug 1418579

Summary: Use selinux when building ovirt-appliance
Product: [oVirt] ovirt-appliance Reporter: Yuval Turgeman <yturgema>
Component: Build Assignee: Yuval Turgeman <yturgema>
Status: CLOSED CURRENTRELEASE QA Contact: Gonza <grafuls>
Severity: medium Docs Contact:
Priority: high    
Version: 4.1 CC: bugs, jclaretm, lsvaty, mgoldboi, rbarry, sbonazzo, stirabos, trichard, yturgema
Target Milestone: ovirt-4.2.2 Keywords: Improvement
Target Release: --- Flags: rule-engine: ovirt-4.2+
grafuls: testing_plan_complete-
sbonazzo: devel_ack+
lsvaty: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
SELinux is now set to Enforcing by default in the ovirt-appliance.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-29 11:03:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yuval Turgeman 2017-02-02 08:50:33 UTC
Today the kickstart for building ovirt-appliance sets selinux --permissive; we need to check if it can be changed to enforcing.

Comment 1 Yuval Turgeman 2017-06-05 10:33:09 UTC
This was reverted since engine-setup (firewall-cmd) hangs in selinux when run from cloud-init (missing transition from cloud_init_t to firewalld_t).

Comment 2 Red Hat Bugzilla Rules Engine 2017-06-05 10:33:14 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 3 Sandro Bonazzola 2017-06-09 09:59:44 UTC
Dropping code change, since this requires a full functional test once done.

Comment 4 Ryan Barry 2017-06-27 09:54:38 UTC
Yuval - has a bug been filed against cloud-init for this?

Comment 5 Yuval Turgeman 2017-06-27 13:02:20 UTC
Yes, not by us, though, but it's the same behavior; see bug 1126096.

Comment 6 Yuval Turgeman 2017-06-29 13:21:45 UTC
I just noticed that bug 1126096 was reported in 2014. Could we setenforce 0 or add cloud_init_t to permissive in our cloud-init script?

Comment 8 Yaniv Kaul 2017-10-26 11:37:04 UTC
Can this move to MODIFIED?

Comment 9 Sandro Bonazzola 2017-11-14 09:15:59 UTC
We need a patch in appliance code.

Comment 10 Gonza 2018-01-11 15:19:10 UTC
Checked on:
rhvm-appliance-20180103.0-1.x86_64.rhevm.ova

$ getenforce
Permissive

Comment 11 Red Hat Bugzilla Rules Engine 2018-01-11 15:19:16 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 13 Gonza 2018-02-21 09:19:33 UTC
Verified with:
rhvm-appliance-4.2-20180202.0.x86_64.rhevm.ova

# getenforce
Enforcing

Comment 14 Sandro Bonazzola 2018-03-29 11:03:55 UTC
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.