2014-01-28 10:15:53

by Laurent Bigonville

Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers

Hi,

Libvirt selinux security driver is now enabled in debian unstable.
Qemu/KVM VM can be started properly now, but a bug[1] has been reported
that LXC containers are failing to start due to the missing
"lxc_contexts" appconfig file.

Looking at the fedora policy, it's indeed shipping that file with the
following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy
and the one in the fedora one, and I'm maybe missing something, but it
seems that some types are missing in both the refpolicy and the fedora
policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
example.

So any idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.
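As an added example that is not part of this thread or of either policy, the following Python check parses an lxc_contexts file in the key = "context" form shown above, extracts the type field from each context and reports the entries whose type the loaded policy does not define, which is the mismatch this thread is diagnosing. The policy type set in the block is constructed for the demonstration and is not the real refpolicy or Fedora type list; policy_types_from_seinfo() assumes the setools `seinfo -t` command is installed and prints one type name per line after a header, and skipping `#` comment lines is an assumption about the file format.

```python
import re
import shutil
import subprocess

# lxc_contexts content as quoted in the message above (copied from the thread).
SAMPLE_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-in for the set of types a loaded policy defines. It is NOT the
# real refpolicy or Fedora type list; on a live system use policy_types_from_seinfo().
CONSTRUCTED_POLICY_TYPES = frozenset({
    "svirt_lxc_net_t",
    "virt_var_lib_t",
})

# One entry per line: key = "user:role:type[:range]"
LINE_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_lxc_contexts(text):
    """Parse key = "context" lines into a dict (insertion order kept).

    Blank lines and lines starting with '#' are skipped (assumption about the format);
    anything else that does not match the key = "context" shape is an error.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "context" entry: {raw!r}')
        entries[m.group(1)] = m.group(2)
    return entries


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def missing_types(entries, policy_types):
    """Map each key whose context type is not defined by the policy to that type."""
    return {key: context_type(ctx) for key, ctx in entries.items()
            if context_type(ctx) not in policy_types}


def policy_types_from_seinfo():
    """Query the loaded policy with setools' `seinfo -t`; return None if unavailable.

    Assumes the output is a 'Types: N' header followed by one type name per line.
    """
    if shutil.which("seinfo") is None:
        return None
    out = subprocess.run(["seinfo", "-t"], capture_output=True, text=True, check=True).stdout
    names = set()
    for line in out.splitlines():
        tok = line.strip()
        if tok and not tok.endswith(":") and not tok.startswith("Types:"):
            names.add(tok)
    return frozenset(names)


if __name__ == "__main__":
    types = policy_types_from_seinfo() or CONSTRUCTED_POLICY_TYPES
    entries = parse_lxc_contexts(SAMPLE_LXC_CONTEXTS)
    for key, t in missing_types(entries, types).items():
        print(f"{key}: type {t} is not defined in the loaded policy")
```

With the constructed type set, the check flags `file` (svirt_sandbox_file_t) and `sandbox_kvm_process` (svirt_qemu_net_t) and accepts the rest; against a real policy it reports whatever the running refpolicy build actually lacks, which is the first thing to confirm before shipping a copied lxc_contexts file.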


2014-01-29 13:13:43

by Daniel Walsh

Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers

On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
>
> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
>

There in there, I have attached the latest qemu policy. We use
svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox
-X containers).




-------------- next part --------------
A non-text attachment was scrubbed...
Name: qemu.tgz
Type: application/x-gzip
Size: 2304 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz

2014-01-29 21:12:56

by mgrepl

Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable.
> Qemu/KVM VM can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the fedora one, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.
I see all types are present in virt.te,

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.

2014-01-29 22:09:43

by Laurent Bigonville

Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers

On Wed, 29 Jan 2014 22:12:56 +0100,
Miroslav Grepl <[email protected]> wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > Libvirt selinux security driver is now enabled in debian unstable.
> > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the fedora policy, it's indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the fedora one, and I'm maybe missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the fedora policy. I find no signs of
> > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> I see all types are present in virt.te,
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\ The fact that
the .gitmodule of the selinux-policy repository is still pointing to
the refpolicy one is really confusing.

Anyway, these types are not currently present in the upstream refpolicy,
so I guess I should try to propose a patch to merge back the changes from
the fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger than I would have
expected.

Kind regards,

Laurent Bigonville