From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 17 Feb 2016 18:31:16 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C0F0AA.5040604@gmail.com>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com>
Message-ID: <56C4AE64.4010009@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 14/02/16 22:24, Dominick Grift wrote:
> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>> Hello,
>>
>> libvirt uses a config file which is not shipped by the refpolicy
>> (config/appconfig-*/lxc_contexts)
>>
>> The Fedora policy contains the following file:
>>
>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>> content = "system_u:object_r:virt_var_lib_t:s0"
>> file = "system_u:object_r:svirt_sandbox_file_t:s0"
>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>>
>> This file is not working with the refpolicy because
>> "svirt_sandbox_file_t" doesn't exist.
>>
>> The following file seems to work on my system:
>>
>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>> content = "system_u:object_r:virt_var_lib_t:s0"
>> file = "system_u:object_r:svirt_lxc_file_t:s0"
>>
>> The processes of the lxc are running under
>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>
>> Looking at the libvirt code, I don't see sandbox_kvm_process and
>> sandbox_lxc_process being used anywhere (except in some test
>> file).
>>
>> Shouldn't this file be added to the refpolicy?
>>
> Yes, should be added. It's also in upstream libselinux

I can propose a patch, but I'm a bit concerned about the correctness of the content of the file tbh, especially the sandbox_*_process fields
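The breakage described in the thread (a context naming a type the loaded policy does not define) is easy to catch before libvirt ever reads the file. The following is an added example, not code from the thread, libvirt or refpolicy: it parses the `key = "value"` lines of an lxc_contexts file, pulls the type out of each `user:role:type[:range]` context and reports entries whose type is not in a given set of policy types. The sample file is the Fedora one quoted above; the set of known types is a constructed stand-in for what a refpolicy host would report, and the `seinfo -t` helper (setools) is an assumption about how to obtain that set on a live system.

```python
import re
import subprocess

# Constructed sample: the Fedora lxc_contexts file as quoted in the thread
# (note the duplicated sandbox_kvm_process line, which the parser collapses).
FEDORA_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-in for the types a refpolicy-based host defines;
# on a real system obtain this with loaded_policy_types() instead.
REFPOLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t",
                   "svirt_lxc_file_t", "svirt_qemu_net_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lxc_contexts(text):
    """Parse key = "value" lines into a dict; blank and '#' lines are skipped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        entries[m.group(1)] = m.group(2)
    return entries


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2]


def find_unknown_types(entries, known_types):
    """Map each key whose context names a type absent from known_types to that type."""
    return {key: context_type(ctx) for key, ctx in entries.items()
            if context_type(ctx) not in known_types}


def loaded_policy_types():
    """Assumed helper: list the loaded policy's types via `seinfo -t` (setools)."""
    out = subprocess.run(["seinfo", "-t"], capture_output=True, text=True, check=True).stdout
    return {t.strip() for t in out.splitlines() if t.strip() and not t.startswith("Types:")}
```

Running `find_unknown_types` on the Fedora file against the constructed refpolicy type set flags only the `file` entry, which is exactly the `svirt_sandbox_file_t` mismatch reported in the thread.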