From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 18 Feb 2016 08:48:41 -0500
Subject: [refpolicy] lxc_contexts file used by libvirt
In-Reply-To: <56C5A5FA.9050201@debian.org>
References: <56C08898.6080608@debian.org> <56C0F0AA.5040604@gmail.com> <56C4AE64.4010009@debian.org> <56C4AEBC.8020304@gmail.com> <56C4BE53.60301@redhat.com> <56C5A5FA.9050201@debian.org>
Message-ID: <56C5CBB9.3000909@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/18/2016 06:07 AM, Laurent Bigonville wrote:
> On 17/02/16 19:39, Daniel J Walsh wrote:
>> On 02/17/2016 12:32 PM, Dominick Grift wrote:
>>> On 02/17/2016 06:31 PM, Laurent Bigonville wrote:
>>>> On 14/02/16 22:24, Dominick Grift wrote:
>>>>> On 02/14/2016 03:00 PM, Laurent Bigonville wrote:
>>>>>> Hello,
>>>>>>
>>>>>> libvirt uses a config file which is not shipped by the
>>>>>> refpolicy (config/appconfig-*/lxc_contexts)
>>>>>>
>>>>>> The fedora policy contains the following file:
>>>>>>
>>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>>>>> file = "system_u:object_r:svirt_sandbox_file_t:s0"
>>>>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>>>>> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
>>>>>> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>>
>>>>>> This file is not working with the refpolicy because
>>>>>> "svirt_sandbox_file_t" doesn't exist.
>>>>>>
>>>>>> The following file seems to work on my system:
>>>>>>
>>>>>> process = "system_u:system_r:svirt_lxc_net_t:s0"
>>>>>> content = "system_u:object_r:virt_var_lib_t:s0"
>>>>>> file = "system_u:object_r:svirt_lxc_file_t:s0"
>>>>>>
>>>>>> The processes of the lxc are running under
>>>>>> "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023"
>>>>>>
>>>>>> Looking at the libvirt code, I don't see sandbox_kvm_process
>>>>>> and sandbox_lxc_process being used anywhere (except in some
>>>>>> test file).
>>>>>>
>>>>>> Shouldn't this file be added to the refpolicy?
>>>>>>
>>>>> Yes, should be added. It's also in upstream libselinux.
>>>> I can propose a patch, but I'm a bit concerned about the
>>>> correctness of the content of the file tbh, especially the
>>>> sandbox_*_process fields
>>> Yes, I would only include what I know for sure to be right. Leave
>>> everything else out.
>>>
>>>
>> Which types are questionable?
> I cannot find where the sandbox_*_process parameters are used.
> (https://codesearch.debian.net/results/sandbox_lxc_process/)

They were added for libvirt. I see these names in their test suite, although I am not sure how they are using them.
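The failure discussed in the thread (a context in lxc_contexts naming a type that the loaded policy does not define) can be caught before libvirt ever reads the file. The checker below is an added example, not code from the thread, libvirt or refpolicy; it parses the `key = "value"` format, checks each value is a `user:role:type[:range]` context, flags duplicate keys, and verifies the type against a constructed stand-in for the policy's type list (on a real system that list would come from `seinfo -t`).

```python
import re
from collections import Counter

# Constructed stand-in for the types in the loaded policy (on a real system
# take them from `seinfo -t`): refpolicy-style types exist, svirt_sandbox_file_t does not.
KNOWN_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_lxc_file_t", "svirt_qemu_net_t"}
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
CONTEXT_RE = re.compile(r'^[^:]+:[^:]+:([^:]+)(?::.+)?$')  # user:role:type[:range]

def parse_lxc_contexts(text):
    """Return the file's (key, value) pairs in order; raise on a malformed line."""
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected key = "value"')
        pairs.append((m.group(1), m.group(2)))
    return pairs

def check_lxc_contexts(text, known_types=KNOWN_TYPES):
    """Return a list of problems; an empty list means every context is usable."""
    problems = []
    pairs = parse_lxc_contexts(text)
    for key, count in Counter(k for k, _ in pairs).items():
        if count > 1:
            problems.append(f"duplicate key {key}")
    for key, value in pairs:
        m = CONTEXT_RE.match(value)
        if not m:
            problems.append(f"{key}: {value!r} is not a user:role:type[:range] context")
            continue
        if m.group(1) not in known_types:
            problems.append(f"{key}: type {m.group(1)} does not exist in the policy")
    return problems

# Constructed inputs: the Fedora file and the working file quoted in the thread.
FEDORA_FILE = '''process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''
REFPOLICY_FILE = '''process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
'''
```

Run against the Fedora file it reports both the duplicated `sandbox_kvm_process` key and the missing `svirt_sandbox_file_t` type; the refpolicy-style file passes cleanly.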