[refpolicy] Missing appconfig file for libvirt and LXC containers
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 29 08:13:43 EST 2014
On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
> So any idea how we could make libvirt happy with LXC containers?
> Laurent Bigonville
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
> PS: could you please keep the 736909-forwarded CC while replying.
They're in there, I have attached the latest qemu policy. We use
svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox
-X containers).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2304 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz
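
Added example, not part of the original messages and not code from refpolicy or the Fedora policy: a small checker that parses the lxc_contexts entries quoted above and reports which entries name a type the loaded policy does not define. The POLICY_TYPES set is a constructed stand-in (assumption); on a real system it could be built from the output of `seinfo -t`.

```python
import re

# Constructed sample: the lxc_contexts content quoted in the message above.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-in for the types defined by the installed policy
# (an assumption for this example, not a statement about any real policy).
POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}

ENTRY = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_contexts(text):
    """Return {key: (user, role, type, level)} for each key = "context" line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError('line %d: expected key = "context"' % lineno)
        # The MLS level may itself contain ':' (e.g. s0:c0.c1023),
        # so split on the first three colons only.
        fields = m.group(2).split(":", 3)
        if len(fields) < 3 or not all(fields[:3]):
            raise ValueError("line %d: malformed context %r" % (lineno, m.group(2)))
        level = fields[3] if len(fields) == 4 else None
        entries[m.group(1)] = (fields[0], fields[1], fields[2], level)
    return entries


def missing_types(entries, policy_types):
    """Map each key whose type is absent from the policy to that type."""
    return {k: ctx[2] for k, ctx in entries.items() if ctx[2] not in policy_types}


if __name__ == "__main__":
    found = missing_types(parse_contexts(LXC_CONTEXTS), POLICY_TYPES)
    for key, setype in sorted(found.items()):
        print("%s: type %s is not defined in the policy" % (key, setype))
```
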