From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 17 Feb 2016 18:32:44 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C4AE64.4010009@debian.org>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com>
	<56C4AE64.4010009@debian.org>
Message-ID: <56C4AEBC.8020304@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
> Le 14/02/16 22:24, Dominick Grift a ?crit :
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>> Hello,
>>> 
>>> libvirt uses a config file which is not shipped by the
>>> refpolicy (config/appconfig-*/lxc_contexts)
>>> 
>>> The fedora policy contains the following file:
>>> 
>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content = 
>>> "system_u:object_r:virt_var_lib_t:s0" file = 
>>> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process
>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_kvm_process
>>> = "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process
>>> = "system_u:system_r:svirt_lxc_net_t:s0"
>>> 
>>> This file is not working with the refpolicy because 
>>> "svirt_sandbox_file_t" doesn't exist.
>>> 
>>> The following file seems to work on my system:
>>> 
>>> process = "system_u:system_r:svirt_lxc_net_t:s0" content = 
>>> "system_u:object_r:virt_var_lib_t:s0" file = 
>>> "system_u:object_r:svirt_lxc_file_t:s0"
>>> 
>>> The processes of the lxc are running under 
>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>> 
>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>> and sandbox_lxc_process being used anywhere (except in some
>>> test file).
>>> 
>>> Shouldn't this file be added to the refpolicy?
>>> 
>> Yes, should be added. Its also in upstream libselinux
> I can propose a patch, but I'm a bit concerned about the
> correctness of the content of the file tbh, especially the
> sandbox_*_process fields

Yes, i would only include what i know for sure to be right. leave
everything else out


> 
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJWxK63AAoJECV0jlU3+UdppIsL/RHOPdus/xizeanlO1XFXoAr
mcEDRch+7svpuzH8iE0iGwWtc7p5H28BXZWgmZKETiIXzTSKCgLKalvyPhe13ecy
qbE4rmow8u0oM0VI9uErcaIlQiQgcd4rQyU/QajKrpsDskMSbO9PKekdVLSFelEd
p5aXTOLz67TbM02mGrmOR5SV8OQqfG4k36oA+USeW37FF8cBAqD7B4ivucCnpIsG
eSAq7av3WeiSN9UlxEw8VdDUWJbM+95p/0HuQA0Yh7dJLJ4IsWVtmTEFiee8hYD2
j5a0kMWjoDNppJFy8J2/pGsFJzJSVgpAB2tQ6k/a00SV/cf45oSwooHivz529/zM
+/Gyn934XW9GZx60bOMjvX9oSEC+Zp15o3bwv8zqxR1zJwRPvV2UfVdEeBSvL2HG
b5GXP1Vqgg33birnaesS5VMvDvDEb04FgdZ31+zxlGGKh+Zqzafj7pYdEkYl8dAm
kiY4MVgyiLBqK8tkGrwZV7U0VGw3grOz6Dj9ECoMmw==
=DgMs
-----END PGP SIGNATURE-----