Hello,
libvirt uses a config file which is not shipped by the refpolicy
(config/appconfig-*/lxc_contexts)
The fedora policy contains the following file:
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
This file is not working with the refpolicy because
"svirt_sandbox_file_t" doesn't exist.
The following file seems to work on my system:
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
The processes of the lxc are running under
"system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
Looking at the libvirt code, I don't see sandbox_kvm_process and
sandbox_lxc_process being used anywhere (except in some test file).
Shouldn't this file be added to the refpolicy?
Cheers,
Laurent Bigonville
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
> Hello,
>
> libvirt uses a config file which is not shipped by the refpolicy
> (config/appconfig-*/lxc_contexts)
>
> The fedora policy contains the following file:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> "system_u:object_r:virt_var_lib_t:s0" file =
> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process =
> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process =
> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process =
> "system_u:system_r:svirt_lxc_net_t:s0"
>
> This file is not working with the refpolicy because
> "svirt_sandbox_file_t" doesn't exist.
>
> The following file seems to work on my system:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> "system_u:object_r:virt_var_lib_t:s0" file =
> "system_u:object_r:svirt_lxc_file_t:s0"
>
> The processes of the lxc are running under
> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>
> Looking at the libvirt code, I don't see sandbox_kvm_process and
> sandbox_lxc_process being used anywhere (except in some test
> file).
>
> Shouldn't this file be added to the refpolicy?
>
Yes, should be added. Its also in upstream libselinux
> Cheers,
>
> Laurent Bigonville _______________________________________________
> refpolicy mailing list refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJWwPClAAoJECV0jlU3+UdpEwEL/1kNDZMxfDANbEQ8Jff/3qEy
UCtWFa59n0gbb5zLhQ3utUlal9Hcj2/yuZNH8IKbnUlKkziRBpPwJbBQ54bZzqZc
vJ0D4+8B2rY3UkRDxo9mkS8r/3O4V3PVhzMIzIOuYjElGTqBBzTMO/JsDciI4ORs
W7kbjCSr1HQmTpteo+WV8d4SFsRzHZ6avqw3qr/ljBuBfPT0Exeg4Ik0H4ZT+oW+
4fqhF5V7czrDUwsmLeAQ2rALsia/Bw5g+zOtTt09jf+lflJyttO177emg3962GQ+
FHb3FHFM6mA7t+p1DKwzGiRGQTKegmP2IGjk6uNNAgwNlw2Tr9KVobewAn70D+Lt
Jl7eq2c9WIQPHICoxryX5DSwcwGlu4Xds4usNv0tDXGCFeThkHxjbxJdazM4S/be
f4+hqQYv+/VdazaZrkmnc3E0Sr1g73/byq7wi8XnI1GoDfKtJOK1YSSW7wNN8Mz2
29F4znz3xS0pt7MFp/ASgYhNFtTqSWIODz/ToSETtQ==
=M48f
-----END PGP SIGNATURE-----
Le 14/02/16 22:24, Dominick Grift a ?crit :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>> Hello,
>>
>> libvirt uses a config file which is not shipped by the refpolicy
>> (config/appconfig-*/lxc_contexts)
>>
>> The fedora policy contains the following file:
>>
>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>> "system_u:object_r:virt_var_lib_t:s0" file =
>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process =
>> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process =
>> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process =
>> "system_u:system_r:svirt_lxc_net_t:s0"
>>
>> This file is not working with the refpolicy because
>> "svirt_sandbox_file_t" doesn't exist.
>>
>> The following file seems to work on my system:
>>
>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>> "system_u:object_r:virt_var_lib_t:s0" file =
>> "system_u:object_r:svirt_lxc_file_t:s0"
>>
>> The processes of the lxc are running under
>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>
>> Looking at the libvirt code, I don't see sandbox_kvm_process and
>> sandbox_lxc_process being used anywhere (except in some test
>> file).
>>
>> Shouldn't this file be added to the refpolicy?
>>
> Yes, should be added. Its also in upstream libselinux
I can propose a patch, but I'm a bit concerned about the correctness of
the content of the file tbh, especially the sandbox_*_process fields
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
> Le 14/02/16 22:24, Dominick Grift a ?crit :
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>
>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>> Hello,
>>>
>>> libvirt uses a config file which is not shipped by the
>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>
>>> The fedora policy contains the following file:
>>>
>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process
>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process
>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process
>>> = "system_u:system_r:svirt_lxc_net_t:s0"
>>>
>>> This file is not working with the refpolicy because
>>> "svirt_sandbox_file_t" doesn't exist.
>>>
>>> The following file seems to work on my system:
>>>
>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>> "system_u:object_r:svirt_lxc_file_t:s0"
>>>
>>> The processes of the lxc are running under
>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>
>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>> and sandbox_lxc_process being used anywhere (except in some
>>> test file).
>>>
>>> Shouldn't this file be added to the refpolicy?
>>>
>> Yes, should be added. Its also in upstream libselinux
> I can propose a patch, but I'm a bit concerned about the
> correctness of the content of the file tbh, especially the
> sandbox_*_process fields
Yes, i would only include what i know for sure to be right. leave
everything else out
>
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJWxK63AAoJECV0jlU3+UdppIsL/RHOPdus/xizeanlO1XFXoAr
mcEDRch+7svpuzH8iE0iGwWtc7p5H28BXZWgmZKETiIXzTSKCgLKalvyPhe13ecy
qbE4rmow8u0oM0VI9uErcaIlQiQgcd4rQyU/QajKrpsDskMSbO9PKekdVLSFelEd
p5aXTOLz67TbM02mGrmOR5SV8OQqfG4k36oA+USeW37FF8cBAqD7B4ivucCnpIsG
eSAq7av3WeiSN9UlxEw8VdDUWJbM+95p/0HuQA0Yh7dJLJ4IsWVtmTEFiee8hYD2
j5a0kMWjoDNppJFy8J2/pGsFJzJSVgpAB2tQ6k/a00SV/cf45oSwooHivz529/zM
+/Gyn934XW9GZx60bOMjvX9oSEC+Zp15o3bwv8zqxR1zJwRPvV2UfVdEeBSvL2HG
b5GXP1Vqgg33birnaesS5VMvDvDEb04FgdZ31+zxlGGKh+Zqzafj7pYdEkYl8dAm
kiY4MVgyiLBqK8tkGrwZV7U0VGw3grOz6Dj9ECoMmw==
=DgMs
-----END PGP SIGNATURE-----
On 02/17/2016 12:32 PM, Dominick Grift wrote:
> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
> > Le 14/02/16 22:24, Dominick Grift a ?crit :
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >>
> >> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
> >>> Hello,
> >>>
> >>> libvirt uses a config file which is not shipped by the
> >>> refpolicy (config/appconfig-*/lxc_contexts)
> >>>
> >>> The fedora policy contains the following file:
> >>>
> >>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> >>> "system_u:object_r:virt_var_lib_t:s0" file =
> >>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process
> >>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process
> >>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process
> >>> = "system_u:system_r:svirt_lxc_net_t:s0"
> >>>
> >>> This file is not working with the refpolicy because
> >>> "svirt_sandbox_file_t" doesn't exist.
> >>>
> >>> The following file seems to work on my system:
> >>>
> >>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> >>> "system_u:object_r:virt_var_lib_t:s0" file =
> >>> "system_u:object_r:svirt_lxc_file_t:s0"
> >>>
> >>> The processes of the lxc are running under
> >>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
> >>>
> >>> Looking at the libvirt code, I don't see sandbox_kvm_process
> >>> and sandbox_lxc_process being used anywhere (except in some
> >>> test file).
> >>>
> >>> Shouldn't this file be added to the refpolicy?
> >>>
> >> Yes, should be added. Its also in upstream libselinux
> > I can propose a patch, but I'm a bit concerned about the
> > correctness of the content of the file tbh, especially the
> > sandbox_*_process fields
>
> Yes, i would only include what i know for sure to be right. leave
> everything else out
>
>
>
> > _______________________________________________ refpolicy mailing
> > list refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
>
> _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com >
http://oss.tresys.com/mailman/listinfo/refpolicy
Which types are questionable?
Le 17/02/16 19:39, Daniel J Walsh a ?crit :
> On 02/17/2016 12:32 PM, Dominick Grift wrote:
>> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
>>> Le 14/02/16 22:24, Dominick Grift a ?crit :
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>>
>>>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>>>> Hello,
>>>>>
>>>>> libvirt uses a config file which is not shipped by the
>>>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>>>
>>>>> The fedora policy contains the following file:
>>>>>
>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>>>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process
>>>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process
>>>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process
>>>>> = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>
>>>>> This file is not working with the refpolicy because
>>>>> "svirt_sandbox_file_t" doesn't exist.
>>>>>
>>>>> The following file seems to work on my system:
>>>>>
>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>>>> "system_u:object_r:svirt_lxc_file_t:s0"
>>>>>
>>>>> The processes of the lxc are running under
>>>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>>>
>>>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>>>> and sandbox_lxc_process being used anywhere (except in some
>>>>> test file).
>>>>>
>>>>> Shouldn't this file be added to the refpolicy?
>>>>>
>>>> Yes, should be added. Its also in upstream libselinux
>>> I can propose a patch, but I'm a bit concerned about the
>>> correctness of the content of the file tbh, especially the
>>> sandbox_*_process fields
>> Yes, i would only include what i know for sure to be right. leave
>> everything else out
>>
>>
> Which types are questionable?
I cannot find where the sandbox_*_process parameters are used.
(https://codesearch.debian.net/results/sandbox_lxc_process/)
On 02/18/2016 06:07 AM, Laurent Bigonville wrote:
> Le 17/02/16 19:39, Daniel J Walsh a ?crit :
>> On 02/17/2016 12:32 PM, Dominick Grift wrote:
>>> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
>>>> Le 14/02/16 22:24, Dominick Grift a ?crit :
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>>>
>>>>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>>>>> Hello,
>>>>>>
>>>>>> libvirt uses a config file which is not shipped by the
>>>>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>>>>
>>>>>> The fedora policy contains the following file:
>>>>>>
>>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>>>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>>>>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process
>>>>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process
>>>>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process
>>>>>> = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>>
>>>>>> This file is not working with the refpolicy because
>>>>>> "svirt_sandbox_file_t" doesn't exist.
>>>>>>
>>>>>> The following file seems to work on my system:
>>>>>>
>>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
>>>>>> "system_u:object_r:virt_var_lib_t:s0" file =
>>>>>> "system_u:object_r:svirt_lxc_file_t:s0"
>>>>>>
>>>>>> The processes of the lxc are running under
>>>>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>>>>
>>>>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>>>>> and sandbox_lxc_process being used anywhere (except in some
>>>>>> test file).
>>>>>>
>>>>>> Shouldn't this file be added to the refpolicy?
>>>>>>
>>>>> Yes, should be added. Its also in upstream libselinux
>>>> I can propose a patch, but I'm a bit concerned about the
>>>> correctness of the content of the file tbh, especially the
>>>> sandbox_*_process fields
>>> Yes, i would only include what i know for sure to be right. leave
>>> everything else out
>>>
>>>
>> Which types are questionable?
> I cannot find where the sandbox_*_process parameters are used.
> (https://codesearch.debian.net/results/sandbox_lxc_process/)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
They were added for libvirt. I see these names in their tests suite,
although I am not sure h ow they are using them.