From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 28 Jan 2014 11:15:53 +0100
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
In-Reply-To: <20140128072212.GA4601@bogon.sigxcpu.org>
References: <20140128072212.GA4601@bogon.sigxcpu.org>
Message-ID: <20140128111553.6c267725@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

Libvirt's SELinux security driver is now enabled in Debian unstable. Qemu/KVM VMs can be started properly now, but a bug[1] has been reported that LXC containers are failing to start due to the missing "lxc_contexts" appconfig file.

Looking at the Fedora policy, it's indeed shipping that file with the following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy and the one in the Fedora policy, and I'm maybe missing something, but it seems that some types are missing in both the refpolicy and the Fedora policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t", for example.

So, any idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.
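An added example, not part of the message above or of refpolicy: a small checker that parses an lxc_contexts file in the format quoted and reports every entry whose type is not defined in the policy. The set of policy types is constructed for illustration; on a real system it would be taken from the installed policy.

```python
"""Check an lxc_contexts appconfig file against the types a policy actually defines."""
import re

# Constructed sample: the lxc_contexts content quoted in the message.
LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

# Constructed (hypothetical) set of types present in the loaded policy.
# On a real system this list would come from the policy itself, e.g. `seinfo -t`.
POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_t", "virtd_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lxc_contexts(text):
    """Return {key: context}; blank lines and '#' comments are skipped, anything else must match."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        entries[m.group(1)] = m.group(2)
    return entries


def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (MLS ranges)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level


def missing_types(text, policy_types):
    """Map each key whose context names a type absent from policy_types to that type."""
    missing = {}
    for key, ctx in parse_lxc_contexts(text).items():
        type_ = split_context(ctx)[2]
        if type_ not in policy_types:
            missing[key] = type_
    return missing


if __name__ == "__main__":
    for key, type_ in missing_types(LXC_CONTEXTS, POLICY_TYPES).items():
        print(f"{key}: type {type_} is not defined in the policy")
```

Run against the constructed type set, the checker flags the `file` and `sandbox_kvm_process` entries, matching the two types the message reports as absent from both policies.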