From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 29 Jan 2014 08:13:43 -0500
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
In-Reply-To: <20140128111553.6c267725@soldur.bigon.be>
References: <20140128072212.GA4601@bogon.sigxcpu.org> <20140128111553.6c267725@soldur.bigon.be>
Message-ID: <52E8FE87.3040100@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
>
> So an idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
>

There in there, I have attached the latest qemu policy. We use svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox -X containers).
Attachment: qemu.tgz (application/x-gzip, 2304 bytes)
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz
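The failure Laurent describes (libvirt refusing to start LXC containers when lxc_contexts is missing, and the file naming a type such as svirt_qemu_net_t that the loaded policy may not define) is the kind of thing a packager can catch before shipping. The following is an added example, not code from the thread or from libvirt or refpolicy: a small checker that parses the key = "context" format of lxc_contexts and reports missing keys, malformed contexts, and context types absent from a given set of policy types. The sample file is constructed from the Fedora content quoted above; the set of REQUIRED_KEYS and the type set are assumptions for illustration.

```python
import re

# Constructed sample, mirroring the Fedora lxc_contexts file quoted in the thread
LXC_CONTEXTS = """
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

# Assumption: the keys libvirt's LXC driver needs at minimum (not taken from libvirt's source)
REQUIRED_KEYS = {"process", "content", "file"}
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
CONTEXT_RE = re.compile(r'^([^:]+):([^:]+):([^:]+)(?::(.+))?$')  # user:role:type[:level]

def parse_lxc_contexts(text):
    """Parse key = "value" lines into a dict; blank lines and # comments are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "value" entry: {raw!r}')
        entries[m.group(1)] = m.group(2)
    return entries

def check_lxc_contexts(text, known_types):
    """Return problems found: missing keys, malformed contexts, types absent from the policy."""
    problems = []
    entries = parse_lxc_contexts(text)
    for key in sorted(REQUIRED_KEYS - entries.keys()):
        problems.append(f"missing required key {key}")
    for key, ctx in entries.items():
        m = CONTEXT_RE.match(ctx)
        if not m:
            problems.append(f"{key}: malformed context {ctx!r}")
            continue
        if m.group(3) not in known_types:  # the type field is what the policy must define
            problems.append(f"{key}: type {m.group(3)} is not defined in the loaded policy")
    return problems

if __name__ == "__main__":
    # Constructed type set reflecting the thread: svirt_qemu_net_t is not defined
    types = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}
    for p in check_lxc_contexts(LXC_CONTEXTS, types):
        print("lxc_contexts:", p)
```

On a real system the type set would come from the loaded policy, for example the output of `seinfo -t` from setools.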