From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 14 Feb 2016 22:24:58 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C08898.6080608@debian.org>
References: <56C08898.6080608@debian.org>
Message-ID: <56C0F0AA.5040604@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
> Hello,
>
> libvirt uses a config file which is not shipped by the refpolicy
> (config/appconfig-*/lxc_contexts)
>
> The Fedora policy contains the following file:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>
> This file is not working with the refpolicy because
> "svirt_sandbox_file_t" doesn't exist.
>
> The following file seems to work on my system:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_lxc_file_t:s0"
>
> The processes of the lxc are running under
> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>
> Looking at the libvirt code, I don't see sandbox_kvm_process and
> sandbox_lxc_process being used anywhere (except in some test
> file).
>
> Shouldn't this file be added to the refpolicy?
>

Yes, should be added.
It's also in upstream libselinux

> Cheers,
>
> Laurent Bigonville

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
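An added example, not part of the original message and not code from libvirt, libselinux or refpolicy: a small checker for the `key = "context"` format quoted above that flags entries whose type is not defined in the target policy, which is the failure the message reports for `svirt_sandbox_file_t`. The function name, the `KNOWN_TYPES` set and the comment handling are assumptions made for illustration.

```python
import re

# Constructed sample: the Fedora lxc_contexts file as quoted in the message.
FEDORA_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Assumption: constructed stand-in for the types the installed policy defines.
# On a real host, build this set from the policy itself (e.g. `seinfo -t`).
KNOWN_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_lxc_file_t", "svirt_qemu_net_t"}

LINE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def check_lxc_contexts(text, known_types):
    """Return (lineno, key, problem) tuples for entries that cannot work."""
    problems, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, None, "unparseable line"))
            continue
        key, context = m.groups()
        if key in seen:
            problems.append((lineno, key, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = lineno
        # user:role:type[:range]; the MLS range may itself contain ':'
        fields = context.split(":", 3)
        if len(fields) < 3:
            problems.append((lineno, key, "malformed context"))
            continue
        if fields[2] not in known_types:
            problems.append((lineno, key, f"unknown type {fields[2]}"))
    return problems

if __name__ == "__main__":
    for problem in check_lxc_contexts(FEDORA_LXC_CONTEXTS, KNOWN_TYPES):
        print(problem)
```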