[refpolicy] Missing appconfig file for libvirt and LXC containers

Laurent Bigonville bigon at debian.org
Wed Jan 29 17:09:43 EST 2014


On Wed, 29 Jan 2014 22:12:56 +0100,
Miroslav Grepl <mgrepl at redhat.com> wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > Libvirt selinux security driver is now enabled in debian unstable.
> > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the fedora policy, it's indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the fedora one, and I'm maybe missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the fedora policy. I find no signs of
> > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> I see all types are present in virt.te,
> 
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\ The fact that
the .gitmodules of the selinux-policy repository is still pointing to
the refpolicy one is really confusing.

Anyway, these types are not currently present in the upstream refpolicy,
so I guess I should try to propose a patch to merge back the changes from
the fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger than I would have
expected.

Kind regards,

Laurent Bigonville
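An added example, not part of this thread or of either policy project: a small Python script that parses an lxc_contexts appconfig file in the key = "user:role:type:range" form quoted above and reports the problems that would surface as a failed container start. The expected key set is taken from the five keys in the quoted Fedora file; the "known types" set passed to the checker is an assumption standing in for the type list a loaded policy actually defines (for instance the output of `seinfo -t`), and the sample below deliberately omits svirt_qemu_net_t to mirror the situation described in the thread.

```python
"""Parse and sanity-check an SELinux libvirt lxc_contexts appconfig file.

Added example, not code from the refpolicy or Fedora policy projects.
Assumptions: lines have the form  key = "user:role:type[:range]"  as in the
file quoted in the thread, and EXPECTED_KEYS is that file's five keys.
"""
import re

# Constructed sample input: the lxc_contexts content quoted in the thread.
SAMPLE_LXC_CONTEXTS = '''\
# constructed sample, same entries as the quoted Fedora lxc_contexts
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Assumed key set (the five keys from the quoted file).
EXPECTED_KEYS = {"process", "content", "file",
                 "sandbox_kvm_process", "sandbox_lxc_process"}

LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')


def parse_lxc_contexts(text):
    """Return {key: (user, role, type, range_or_None)}.

    Raises ValueError on a malformed line, a context with fewer than
    three fields, or a duplicated key."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected key = "context", got {raw!r}')
        key, ctx = m.groups()
        parts = ctx.split(":", 3)              # range may itself contain ':'
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"line {lineno}: bad context {ctx!r}")
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        rng = parts[3] if len(parts) == 4 else None
        entries[key] = (parts[0], parts[1], parts[2], rng)
    return entries


def referenced_types(entries):
    """Sorted list of types the file expects the loaded policy to define."""
    return sorted({e[2] for e in entries.values()})


def check_lxc_contexts(entries, known_types=None):
    """Return a list of problem strings (empty means the file looks sane).

    Checks: missing/unexpected keys, process entries not in system_r and
    non-process entries not in object_r, and (when known_types is given)
    types the loaded policy does not define."""
    problems = []
    for key in sorted(EXPECTED_KEYS - entries.keys()):
        problems.append(f"missing key: {key}")
    for key in sorted(entries.keys() - EXPECTED_KEYS):
        problems.append(f"unexpected key: {key}")
    for key, (user, role, typ, rng) in sorted(entries.items()):
        want_role = "system_r" if key.endswith("process") else "object_r"
        if role != want_role:
            problems.append(f"{key}: role {role}, expected {want_role}")
        if known_types is not None and typ not in known_types:
            problems.append(f"{key}: type {typ} not defined in loaded policy")
    return problems


if __name__ == "__main__":
    entries = parse_lxc_contexts(SAMPLE_LXC_CONTEXTS)
    print("types required by the file:", referenced_types(entries))
    # Constructed stand-in for `seinfo -t` output on a policy whose virt
    # module lacks svirt_qemu_net_t, as the thread describes for refpolicy.
    assumed_policy_types = set(referenced_types(entries)) - {"svirt_qemu_net_t"}
    for p in check_lxc_contexts(entries, assumed_policy_types):
        print("problem:", p)
```

Run it as is to see the check fire on the constructed policy type set; to check a real system, feed `parse_lxc_contexts` the file from the policy's appconfig directory and pass `check_lxc_contexts` the type names from `seinfo -t`.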

