From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
Date: Wed, 29 Jan 2014 08:13:43 -0500 [thread overview]
Message-ID: <52E8FE87.3040100@redhat.com> (raw)
In-Reply-To: <20140128111553.6c267725@soldur.bigon.be>
On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
>
> So an idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
>
There in there, I have attached the latest qemu policy. We use
svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox
-X containers).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qemu.tgz
Type: application/x-gzip
Size: 2304 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz
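The failure described in the thread has two parts: the appconfig file `lxc_contexts` is absent, and the file, once shipped, names types that the installed policy may not define. The following is an added example (not code from refpolicy, libvirt, or either poster) that parses the `key = "user:role:type:level"` format quoted above and reports each entry whose type is not defined in the policy. The set of policy types is a constructed stand-in; on a real host it would be obtained from the policy (for instance with setools' `seinfo -t`), and the sample content is the file quoted in the thread.

```python
"""Check an SELinux libvirt appconfig file (lxc_contexts format) against the
types a policy defines. Added example; not refpolicy's or libvirt's code."""
import re

# Constructed sample: the lxc_contexts content quoted in the thread above.
SAMPLE_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-in for the types the loaded policy defines (assumption for
# demonstration only; on a real host fill this from `seinfo -t`).
POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t"}

# One entry per line: an identifier, '=', and a double-quoted security context.
_LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_contexts(text):
    """Return {key: (user, role, type, level)} for each entry in `text`.

    The MLS level is optional (None when absent) and may itself contain ':'
    (e.g. "s0-s0:c0.c1023"), so the context is split into at most 4 fields.
    Blank lines and '#' comments are skipped; anything else raises ValueError.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "context" entry: {line!r}')
        key, ctx = m.groups()
        parts = ctx.split(":", 3)
        if len(parts) == 3:
            parts.append(None)
        if len(parts) != 4 or not all(parts[:3]):
            raise ValueError(f"line {lineno}: malformed security context {ctx!r}")
        entries[key] = tuple(parts)
    return entries


def missing_types(entries, policy_types):
    """Map each entry key to its type when that type is absent from the policy."""
    return {key: ctx[2] for key, ctx in entries.items() if ctx[2] not in policy_types}


def check(text=SAMPLE_LXC_CONTEXTS, policy_types=POLICY_TYPES):
    """Parse `text` and return the entries whose type the policy lacks."""
    return missing_types(parse_contexts(text), policy_types)


if __name__ == "__main__":
    problems = check()
    if not problems:
        print("all context types are defined in the policy")
    for key, type_name in sorted(problems.items()):
        print(f"{key}: type {type_name} is not defined in the policy")
```

With the constructed type set, the `file` and `sandbox_kvm_process` entries are reported because `svirt_sandbox_file_t` and `svirt_qemu_net_t` are not in it; once the type set includes every type the file names, the check returns an empty result.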
[not found] <CADKfTWYXie4v8p3xavrPXaRBgpZCsJG8ZcU3+stQuZda=kP62g@mail.gmail.com>
[not found] ` <CADKfTWZeiGxt_2pP9BicBpPB2ydqz+_SEQcrNm5VqYkutNWtaw@mail.gmail.com>
[not found] ` <20140128072212.GA4601@bogon.sigxcpu.org>
2014-01-28 10:15 ` [refpolicy] Missing appconfig file for libvirt and LXC containers Laurent Bigonville
2014-01-29 13:13 ` Daniel J Walsh [this message]
2014-01-29 21:12 ` Miroslav Grepl
2014-01-29 22:09 ` Laurent Bigonville