From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 17 Feb 2016 18:32:44 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C4AE64.4010009@debian.org>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com> <56C4AE64.4010009@debian.org>
Message-ID: <56C4AEBC.8020304@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
> On 14/02/16 22:24, Dominick Grift wrote:
>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>> Hello,
>>>
>>> libvirt uses a config file which is not shipped by the
>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>
>>> The Fedora policy contains the following file:
>>>
>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>> file = "system_u:object_r:svirt_sandbox_file_t:s0"
>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>
>>> This file is not working with the refpolicy because
>>> "svirt_sandbox_file_t" doesn't exist.
>>>
>>> The following file seems to work on my system:
>>>
>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>> file = "system_u:object_r:svirt_lxc_file_t:s0"
>>>
>>> The processes of the lxc are running under
>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>
>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>> and sandbox_lxc_process being used anywhere (except in some
>>> test file).
>>>
>>> Shouldn't this file be added to the refpolicy?
>>>
>> Yes, should be added. It's also in upstream libselinux
> I can propose a patch, but I'm a bit concerned about the
> correctness of the content of the file tbh, especially the
> sandbox_*_process fields

Yes, I would only include what I know for sure to be right. Leave
everything else out.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
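
Added example, not part of the original message and not code from refpolicy or libvirt: a Python check over lxc_contexts text in the `key = "context"` form quoted in the thread, reporting duplicate keys and contexts whose type is absent from a supplied type set. `check_lxc_contexts` and `KNOWN_TYPES` are hypothetical names; `KNOWN_TYPES` is constructed from the three types the thread reports working, where a real check would use the loaded policy's type list (for example the output of `seinfo -t`).

```python
import re

# Entry format as quoted in the thread: key = "user:role:type:level"
ENTRY = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')

def check_lxc_contexts(text, known_types):
    """Parse lxc_contexts text; return (entries, problems)."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Assumption: blank lines and '#' comment lines are ignored.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, "unparsable line"))
            continue
        key, context = m.groups()
        # The level can contain ':' (e.g. s0-s0:c0.c1023): split at most 3 times.
        fields = context.split(":", 3)
        if len(fields) != 4 or not all(fields):
            problems.append((lineno, f"{key}: malformed context"))
            continue
        if key in entries:
            problems.append((lineno, f"{key}: duplicate key"))
        if fields[2] not in known_types:
            problems.append((lineno, f"{key}: type {fields[2]} not in type set"))
        entries[key] = context
    return entries, problems

# Constructed stand-in for the policy's type list: only the three types the
# thread reports working. Other types are reported as "not in type set".
KNOWN_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_lxc_file_t"}

# The Fedora file as quoted in the thread, including its repeated key.
FEDORA_FILE = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

if __name__ == "__main__":
    for lineno, message in check_lxc_contexts(FEDORA_FILE, KNOWN_TYPES)[1]:
        print(f"line {lineno}: {message}")
```

A "not in type set" result only means the type is missing from the set passed in; with the constructed set above it says nothing about whether `svirt_qemu_net_t` exists in a given policy.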