From: mgrepl@redhat.com (Miroslav Grepl)
Date: Wed, 29 Jan 2014 22:12:56 +0100
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
In-Reply-To: <20140128111553.6c267725@soldur.bigon.be>
References: <20140128072212.GA4601@bogon.sigxcpu.org> <20140128111553.6c267725@soldur.bigon.be>
Message-ID: <52E96ED8.1020407@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable.
> Qemu/KVM VM can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the fedora one, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.

I see all types are presented in virt.te,

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So an idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.