[refpolicy] Missing appconfig file for libvirt and LXC containers

Daniel J Walsh dwalsh at redhat.com
Wed Jan 29 08:13:43 EST 2014

On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
> Looking at the fedora policy, it's indeed shipping that file with the 
> following content:
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
> So an idea how we could make libvirt happy with LXC containers?
> Cheers,
> Laurent Bigonville
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
> PS: could you please keep the 736909-forwarded CC while replying.

They're in there. I have attached the latest qemu policy. We use
svirt_sandbox_file_t, not sandbox_file_t (this is used for the type of sandbox
-X containers).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: qemu.tgz
Type: application/x-gzip
Size: 2304 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz 
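As an added example (not code from this thread or from the refpolicy project): a small Python checker that parses an lxc_contexts file in the key = "context" format quoted above and reports entries whose type is not defined in the loaded policy. The policy type set is a constructed stand-in for what `seinfo -t` would list, and deliberately omits svirt_qemu_net_t to reproduce the missing-type report from the thread.

```python
import re
from typing import Dict, Set

# Constructed sample: the lxc_contexts content quoted in the thread.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Hypothetical set of types the loaded policy defines (constructed; on a real
# host you would build it from `seinfo -t`). svirt_qemu_net_t is left out on
# purpose so the checker flags the sandbox_kvm_process entry.
POLICY_TYPES: Set[str] = {"svirt_lxc_net_t", "virt_var_lib_t",
                          "svirt_sandbox_file_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# user:role:type[:level] -- level is optional in the file, as on MLS-less hosts
CONTEXT_RE = re.compile(r'^([^:\s]+):([^:\s]+):([^:\s]+)(?::(.+))?$')


def parse_lxc_contexts(text: str) -> Dict[str, str]:
    """Return {key: context}; blank lines and # comments are skipped."""
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        entries[m.group(1)] = m.group(2)
    return entries


def context_type(ctx: str) -> str:
    """Extract the type field from a user:role:type[:level] context."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"not a security context: {ctx!r}")
    return m.group(3)


def missing_types(entries: Dict[str, str], policy: Set[str]) -> Dict[str, str]:
    """Return {key: type} for entries whose type the policy does not define."""
    return {key: t for key, ctx in entries.items()
            if (t := context_type(ctx)) not in policy}


if __name__ == "__main__":
    for key, t in missing_types(parse_lxc_contexts(LXC_CONTEXTS), POLICY_TYPES).items():
        print(f"{key}: type {t} not defined in policy")
```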
