From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 18 Feb 2016 12:07:38 +0100
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C4BE53.60301@redhat.com>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com> <56C4AE64.4010009@debian.org> <56C4AEBC.8020304@gmail.com> <56C4BE53.60301@redhat.com>
Message-ID: <56C5A5FA.9050201@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 17/02/16 19:39, Daniel J Walsh wrote:
> On 02/17/2016 12:32 PM, Dominick Grift wrote:
>> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
>>> On 14/02/16 22:24, Dominick Grift wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>>>> Hello,
>>>>>
>>>>> libvirt uses a config file which is not shipped by the
>>>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>>>
>>>>> The Fedora policy contains the following file:
>>>>>
>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>>>> file = "system_u:object_r:svirt_sandbox_file_t:s0"
>>>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>>>> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>
>>>>> This file is not working with the refpolicy because
>>>>> "svirt_sandbox_file_t" doesn't exist.
>>>>>
>>>>> The following file seems to work on my system:
>>>>>
>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>>>> file = "system_u:object_r:svirt_lxc_file_t:s0"
>>>>>
>>>>> The processes of the lxc are running under
>>>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>>>
>>>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>>>> and sandbox_lxc_process being used anywhere (except in some
>>>>> test file).
>>>>>
>>>>> Shouldn't this file be added to the refpolicy?
>>>>>
>>>> Yes, should be added. It's also in upstream libselinux.
>>> I can propose a patch, but I'm a bit concerned about the
>>> correctness of the content of the file tbh, especially the
>>> sandbox_*_process fields.
>> Yes, I would only include what I know for sure to be right. Leave
>> everything else out.
>>
>>
> Which types are questionable?

I cannot find where the sandbox_*_process parameters are used.
(https://codesearch.debian.net/results/sandbox_lxc_process/)
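The failure described in the thread (an lxc_contexts file naming a type, svirt_sandbox_file_t, that the loaded policy does not define) is easy to catch before libvirt trips over it. The checker below is an added example written for this thread; it is not libvirt's, libselinux's or refpolicy's own code. It parses the `key = "value"` lines in the form the two files above use, splits each context into user:role:type[:range], flags types absent from a set of policy types, flags keys that the thread reports libvirt does not read (process, file and content being the ones it does; that division is taken from the thread, not from libvirt's source), and warns on duplicate keys and on a process context without the system_r role (the object_r/system_r expectation is this example's own sanity check). The type set used when it runs stand-alone is a small constructed stand-in for the real policy; the `policy_types()` helper shows how to pull the real list from setools' `seinfo -t` on a live system, which is assumed to be installed and is not called offline.

```python
"""Sanity-check an lxc_contexts file against the types a policy defines.

Added example for the refpolicy thread on libvirt's lxc_contexts file;
not code from libvirt, libselinux or refpolicy.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Keys the thread reports libvirt reading; the sandbox_* keys were only
# found in test code (assumption drawn from the thread, not from libvirt).
LIBVIRT_KEYS = {"process", "file", "content"}
# Keys whose value labels a process rather than a file (example's own rule).
PROCESS_KEYS = {"process", "sandbox_kvm_process", "sandbox_lxc_process"}

LINE_RE = re.compile(r'^([A-Za-z_]+)\s*=\s*"([^"]*)"$')


def parse_lxc_contexts(text: str) -> Dict[str, List[str]]:
    """Parse key = "value" lines. '#' comments and blank lines are skipped;
    duplicate keys are kept (as a list) so they can be reported."""
    entries: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def split_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:range]. The MLS range itself may contain ':'
    (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context {ctx!r}")
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, type_, mls


def check_lxc_contexts(text: str, known_types: Set[str]) -> List[str]:
    """Return findings for an lxc_contexts file; an empty list means the
    file names only existing types and only keys libvirt reads."""
    findings: List[str] = []
    entries = parse_lxc_contexts(text)
    for key in sorted(LIBVIRT_KEYS - entries.keys()):
        findings.append(f"missing key {key!r} (libvirt reads it)")
    for key, values in entries.items():
        if key not in LIBVIRT_KEYS:
            findings.append(f"key {key!r} is not read by libvirt")
        if len(values) > 1:
            findings.append(f"key {key!r} defined {len(values)} times")
        for ctx in values:
            _user, role, type_, _mls = split_context(ctx)
            if type_ not in known_types:
                findings.append(
                    f"{key}: type {type_!r} does not exist in the loaded policy")
            expected_role = "system_r" if key in PROCESS_KEYS else "object_r"
            if role != expected_role:
                findings.append(f"{key}: role {role!r}, expected {expected_role!r}")
    return findings


def policy_types() -> Set[str]:
    """Read the loaded policy's types via setools' `seinfo -t` (assumed to be
    installed); the 'Types: N' header line is skipped."""
    out = subprocess.run(["seinfo", "-t"], capture_output=True,
                         text=True, check=True).stdout
    return {ln.strip() for ln in out.splitlines()
            if ln.strip() and not ln.startswith("Types:")}


# The two files quoted in the thread, as posted there.
FEDORA_LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

REFPOLICY_LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
"""

# Constructed stand-in for a refpolicy type list: only the types the
# thread says exist there. On a real host use policy_types() instead.
REFPOLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t",
                   "svirt_lxc_file_t", "virtd_lxc_t"}

if __name__ == "__main__":
    for name, text in (("fedora", FEDORA_LXC_CONTEXTS),
                       ("refpolicy", REFPOLICY_LXC_CONTEXTS)):
        print(f"== {name} ==")
        for f in check_lxc_contexts(text, REFPOLICY_TYPES) or ["ok"]:
            print(" ", f)
```

Run against the constructed type set, the Fedora file produces the finding the thread hit (`file: type 'svirt_sandbox_file_t' does not exist in the loaded policy`) plus the unread and duplicated sandbox_* keys, while the trimmed refpolicy file comes back clean. Replace `REFPOLICY_TYPES` with `policy_types()` to check against whatever policy is actually loaded on the machine.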