From: bigon@debian.org (Laurent Bigonville)
Date: Sun, 14 Feb 2016 15:00:56 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
Message-ID: <56C08898.6080608@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

libvirt uses a config file which is not shipped by the refpolicy
(config/appconfig-*/lxc_contexts).

The Fedora policy contains the following file:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

This file is not working with the refpolicy because "svirt_sandbox_file_t"
doesn't exist.

The following file seems to work on my system:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"

The processes of the lxc are running under
"system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"

Looking at the libvirt code, I don't see sandbox_kvm_process and
sandbox_lxc_process being used anywhere (except in some test file).

Shouldn't this file be added to the refpolicy?

Cheers,

Laurent Bigonville
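An added example, not part of the mail or of refpolicy/libvirt: a small Python checker that parses an lxc_contexts file and reports entries whose type the loaded policy does not define (the svirt_sandbox_file_t case above) as well as duplicated keys. The set of known types is constructed for the demo, and treating '#' as a comment marker is an assumption.

```python
import re

# Constructed stand-in for the types a refpolicy-based build defines; on a real
# system this set would come from the loaded policy (e.g. seinfo -t output).
REFPOLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_lxc_file_t",
                   "svirt_qemu_net_t", "virtd_lxc_t"}

# Entry shape: key = "user:role:type:range"; '#' is treated as a comment (assumed).
ENTRY_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_lxc_contexts(text):
    """Return ({key: (user, role, type, range)}, problems). Malformed lines,
    bad contexts and duplicate keys are reported, not silently accepted."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed entry {line!r}")
            continue
        key, ctx = m.groups()
        parts = ctx.split(":", 3)  # maxsplit keeps an MLS range like s0-s0:c0.c1023 whole
        if len(parts) != 4 or not all(parts):
            problems.append(f"line {lineno}: {ctx!r} is not user:role:type:range")
        elif key in entries:
            problems.append(f"line {lineno}: duplicate key {key!r} (first value kept)")
        else:
            entries[key] = tuple(parts)
    return entries, problems

def missing_types(entries, known_types):
    """Return the keys whose type is not defined in known_types."""
    return sorted(k for k, (_u, _r, t, _rng) in entries.items() if t not in known_types)

# The Fedora file quoted in the mail, embedded as sample input.
FEDORA_LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""
def check_file(text, known_types=REFPOLICY_TYPES):
    """Convenience wrapper: (keys with an undefined type, problem messages)."""
    entries, problems = parse_lxc_contexts(text)
    return missing_types(entries, known_types), problems
```

Against the Fedora file this flags the "file" entry (svirt_sandbox_file_t is not in the refpolicy type set) and the repeated sandbox_kvm_process key.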