From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 29 Jan 2014 23:09:43 +0100
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
In-Reply-To: <52E96ED8.1020407@redhat.com>
References: <20140128072212.GA4601@bogon.sigxcpu.org> <20140128111553.6c267725@soldur.bigon.be> <52E96ED8.1020407@redhat.com>
Message-ID: <20140129230943.1a1cb68a@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 29 Jan 2014 22:12:56 +0100, Miroslav Grepl wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > The libvirt SELinux security driver is now enabled in Debian unstable.
> > Qemu/KVM VMs can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the Fedora policy, it is indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in Fedora, and I may be missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the Fedora policy. I find no sign of
> > "svirt_qemu_net_t" or "sandbox_file_t", for example.
> I see all types are present in virt.te,
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\

The fact that the .gitmodule of the selinux-policy repository is still
pointing to the refpolicy one is really confusing.
Anyway, these types are not currently present in the upstream refpolicy,
so I guess I should try to propose a patch to merge back the changes from
the Fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger than I would have
expected.

Kind regards,

Laurent Bigonville
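As an added example, not part of this thread or of either policy project: a small Python check that parses an lxc_contexts file in the key = "value" form quoted above and reports entries whose role class does not fit the key or whose type is not defined in the loaded policy. The type set is a constructed, deliberately incomplete stand-in for the output of `seinfo -t`, and `parse_lxc_contexts` / `check_contexts` are names of my own.

```python
import re
from typing import Dict, List, Set

# The lxc_contexts content quoted in the mail above.
LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

# Constructed, deliberately incomplete set of policy types standing in for
# `seinfo -t` output; a real check would feed the types of the live policy.
POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lxc_contexts(text: str) -> Dict[str, str]:
    """Parse key = "value" lines; blank lines and '#' comments are skipped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "value" entry: {line!r}')
        entries[m.group(1)] = m.group(2)
    return entries


def check_contexts(entries: Dict[str, str], policy_types: Set[str]) -> List[str]:
    """Return problems: malformed contexts, unexpected role, undefined types."""
    problems = []
    for key, ctx in entries.items():
        parts = ctx.split(":")
        if len(parts) != 4:
            problems.append(f"{key}: expected user:role:type:level, got {ctx!r}")
            continue
        _user, role, typ, _level = parts
        # Process contexts label domains (system_r); content/file label objects.
        expected_role = "system_r" if key.endswith("process") else "object_r"
        if role != expected_role:
            problems.append(f"{key}: role {role} should be {expected_role}")
        if typ not in policy_types:
            problems.append(f"{key}: type {typ} is not defined in the policy")
    return problems


if __name__ == "__main__":
    for problem in check_contexts(parse_lxc_contexts(LXC_CONTEXTS), POLICY_TYPES):
        print(problem)
```

With the constructed type set the check flags only sandbox_kvm_process, whose svirt_qemu_net_t type is absent, which is the situation the mail describes when the virt module shipping those types is not loaded.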