From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 17 Feb 2016 13:39:15 -0500
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C4AEBC.8020304@gmail.com>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com> <56C4AE64.4010009@debian.org> <56C4AEBC.8020304@gmail.com>
Message-ID: <56C4BE53.60301@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/17/2016 12:32 PM, Dominick Grift wrote:
> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
> > On 14/02/16 22:24, Dominick Grift wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
> >>> Hello,
> >>>
> >>> libvirt uses a config file which is not shipped by the
> >>> refpolicy (config/appconfig-*/lxc_contexts)
> >>>
> >>> The fedora policy contains the following file:
> >>>
> >>> process = "system_u:system_r:svirt_lxc_net_t:s0"
> >>> content = "system_u:object_r:virt_var_lib_t:s0"
> >>> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> >>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> >>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> >>> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> >>>
> >>> This file is not working with the refpolicy because
> >>> "svirt_sandbox_file_t" doesn't exist.
> >>>
> >>> The following file seems to work on my system:
> >>>
> >>> process = "system_u:system_r:svirt_lxc_net_t:s0"
> >>> content = "system_u:object_r:virt_var_lib_t:s0"
> >>> file = "system_u:object_r:svirt_lxc_file_t:s0"
> >>>
> >>> The processes of the lxc are running under
> >>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
> >>>
> >>> Looking at the libvirt code, I don't see sandbox_kvm_process
> >>> and sandbox_lxc_process being used anywhere (except in some
> >>> test file).
> >>>
> >>> Shouldn't this file be added to the refpolicy?
> >>>
> >> Yes, should be added. It's also in upstream libselinux.
> >
> > I can propose a patch, but I'm a bit concerned about the
> > correctness of the content of the file tbh, especially the
> > sandbox_*_process fields
>
> Yes, I would only include what I know for sure to be right. Leave
> everything else out.
>
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy

Which types are questionable?
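The failure Laurent describes (the Fedora lxc_contexts file names svirt_sandbox_file_t, which refpolicy does not define) is the kind of thing a packager can catch before shipping the file. The following script is an added example, not part of this thread or of libvirt/libselinux: it parses the `key = "context"` format of lxc_contexts, pulls the type field out of each context, and reports every key whose type is absent from the policy, plus keys defined more than once. The type set REFPOLICY_TYPES is a constructed stand-in; on a real system you would fill it from `seinfo -t` against the installed policy.

```python
import re

# One `key = "user:role:type:level"` per line, as libselinux reads lxc_contexts.
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')

# Constructed, trimmed stand-in for the type list a real check would take from
# `seinfo -t` on the installed policy. svirt_sandbox_file_t is deliberately
# absent, mirroring refpolicy as described in the thread.
REFPOLICY_TYPES = {
    "svirt_lxc_net_t", "virt_var_lib_t", "svirt_lxc_file_t",
    "svirt_qemu_net_t", "virtd_lxc_t",
}

# The Fedora file as quoted in the thread (embedded here as sample input).
FEDORA_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''


def parse_lxc_contexts(text):
    """Return (key, context) pairs in file order; duplicate keys are kept so
    they can be reported rather than silently overwritten."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not of the form key = "context": {line!r}')
        entries.append((m.group(1), m.group(2)))
    return entries


def context_type(ctx):
    """Third field of user:role:type[:level]. The MLS level may itself contain
    colons (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context {ctx!r}")
    return parts[2]


def missing_types(entries, known_types):
    """Keys whose context names a type the policy does not define."""
    return [(key, context_type(ctx)) for key, ctx in entries
            if context_type(ctx) not in known_types]


def duplicate_keys(entries):
    """Keys that appear more than once, in first-duplicate order."""
    seen, dups = set(), []
    for key, _ in entries:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


if __name__ == "__main__":
    entries = parse_lxc_contexts(FEDORA_LXC_CONTEXTS)
    for key, t in missing_types(entries, REFPOLICY_TYPES):
        print(f"{key}: type {t} is not defined in the loaded policy")
    for key in duplicate_keys(entries):
        print(f"{key}: defined more than once")
```

Run against the Fedora file with the constructed type set, it flags `file` (svirt_sandbox_file_t) as undefined and `sandbox_kvm_process` as duplicated; the three-line file Laurent found to work passes clean. Validating types this way, rather than discovering the mismatch when a container fails to start, is the check a distribution policy maintainer would want in packaging CI.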