[refpolicy] Missing appconfig file for libvirt and LXC containers

Laurent Bigonville bigon at debian.org
Tue Jan 28 05:15:53 EST 2014


Hi,

The libvirt SELinux security driver is now enabled in Debian unstable.
QEMU/KVM VMs can be started properly now, but a bug[1] has been reported
that LXC containers are failing to start due to the missing
"lxc_contexts" appconfig file.

Looking at the Fedora policy, it's indeed shipping that file with the
following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy
and the one in Fedora, and maybe I'm missing something, but it
seems that some types are missing in both the refpolicy and the Fedora
policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
example.

So, any idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.

