From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 14 Feb 2016 22:24:58 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C08898.6080608@debian.org>
References: <56C08898.6080608@debian.org>
Message-ID: <56C0F0AA.5040604@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
> Hello,
> 
> libvirt uses a config file which is not shipped by the refpolicy 
> (config/appconfig-*/lxc_contexts)
> 
> The fedora policy contains the following file:
> 
> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> "system_u:object_r:virt_var_lib_t:s0" file =
> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process =
> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process =
> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process =
> "system_u:system_r:svirt_lxc_net_t:s0"
> 
> This file is not working with the refpolicy because 
> "svirt_sandbox_file_t" doesn't exist.
> 
> The following file seems to work on my system:
> 
> process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> "system_u:object_r:virt_var_lib_t:s0" file =
> "system_u:object_r:svirt_lxc_file_t:s0"
> 
> The processes of the lxc are running under 
> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
> 
> Looking at the libvirt code, I don't see sandbox_kvm_process and 
> sandbox_lxc_process being used anywhere (except in some test
> file).
> 
> Shouldn't this file be added to the refpolicy?
> 

Yes, should be added. Its also in upstream libselinux

> Cheers,
> 
> Laurent Bigonville _______________________________________________ 
> refpolicy mailing list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJWwPClAAoJECV0jlU3+UdpEwEL/1kNDZMxfDANbEQ8Jff/3qEy
UCtWFa59n0gbb5zLhQ3utUlal9Hcj2/yuZNH8IKbnUlKkziRBpPwJbBQ54bZzqZc
vJ0D4+8B2rY3UkRDxo9mkS8r/3O4V3PVhzMIzIOuYjElGTqBBzTMO/JsDciI4ORs
W7kbjCSr1HQmTpteo+WV8d4SFsRzHZ6avqw3qr/ljBuBfPT0Exeg4Ik0H4ZT+oW+
4fqhF5V7czrDUwsmLeAQ2rALsia/Bw5g+zOtTt09jf+lflJyttO177emg3962GQ+
FHb3FHFM6mA7t+p1DKwzGiRGQTKegmP2IGjk6uNNAgwNlw2Tr9KVobewAn70D+Lt
Jl7eq2c9WIQPHICoxryX5DSwcwGlu4Xds4usNv0tDXGCFeThkHxjbxJdazM4S/be
f4+hqQYv+/VdazaZrkmnc3E0Sr1g73/byq7wi8XnI1GoDfKtJOK1YSSW7wNN8Mz2
29F4znz3xS0pt7MFp/ASgYhNFtTqSWIODz/ToSETtQ==
=M48f
-----END PGP SIGNATURE-----