[refpolicy] Missing appconfig file for libvirt and LXC containers
From: Laurent Bigonville, 2014-01-28 10:15 UTC
To: refpolicy

Hi,

The libvirt SELinux security driver is now enabled in Debian unstable. Qemu/KVM VMs can now be started properly, but a bug[1] has been reported that LXC containers are failing to start due to the missing "lxc_contexts" appconfig file.

Looking at the Fedora policy, it does indeed ship that file, with the following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy and the one in the Fedora policy, and maybe I'm missing something, but it seems that some types are missing in both the refpolicy and the Fedora policy. I find no sign of "svirt_qemu_net_t" or "sandbox_file_t", for example.

So, any idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.
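A small validator for the lxc_contexts format quoted in the mail above, added here as an example; it is not part of the thread and not libvirt's or refpolicy's own code. It parses the `key = "user:role:type:level"` lines, collects the `type` declarations from a policy source fragment, and reports every context whose type the policy does not declare, which is exactly the mismatch the mail describes. Both the contexts file and the `.te` fragment below are constructed samples (the fragment deliberately lacks two of the five types; the real virt.te declares far more), and the role check encodes only the convention visible in the file: keys ending in `process` carry a process role, the `file` and `content` labels carry `object_r`.

```python
import re

# Constructed sample lxc_contexts file, in the key = "context" form quoted in the thread.
SAMPLE_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed .te fragment standing in for a policy that lacks two of the types
# (the situation described in the first mail). This is NOT the real virt.te.
SAMPLE_VIRT_TE = '''\
policy_module(virt, 1.0)
type virt_var_lib_t;
files_type(virt_var_lib_t)
type svirt_lxc_net_t;
domain_type(svirt_lxc_net_t)
type svirt_t alias qemu_t;
typeattribute svirt_t svirt_domain;
'''

# key = "value" assignment, the only line shape the sample file uses
CONTEXT_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# `type NAME;`, `type NAME, attr;` or `type NAME alias ALIAS;` / `alias { A B };`
TYPE_DECL_RE = re.compile(r'^\s*type\s+(\w+)((?:\s+alias\s+(?:\w+|\{[^}]*\}))?)')


def parse_contexts(text):
    """Return {key: (user, role, type, level)} for each key = "u:r:t:l" line.
    Blank lines and # comments are skipped; anything else that is not a
    well-formed assignment with a four-field context raises ValueError."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = CONTEXT_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "value" assignment')
        key, ctx = m.groups()
        parts = ctx.split(':', 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"line {lineno}: malformed context {ctx!r}")
        result[key] = tuple(parts)
    return result


def declared_types(te_text):
    """Collect type names (and aliases) declared in a policy source fragment.
    Aliases are included because a context may legitimately name one."""
    types = set()
    for line in te_text.splitlines():
        m = TYPE_DECL_RE.match(line)
        if not m:
            continue
        types.add(m.group(1))
        alias_part = m.group(2)
        if alias_part:
            types.update(re.findall(r'\w+', alias_part.split('alias', 1)[1]))
    return types


def missing_types(contexts, types):
    """Sorted (key, type) pairs whose type is not declared in the policy."""
    return sorted((k, ctx[2]) for k, ctx in contexts.items() if ctx[2] not in types)


def role_mismatches(contexts):
    """Keys ending in 'process' must not use object_r; all other keys (file,
    content) must use object_r. Returns the sorted list of offending keys."""
    bad = []
    for key, (_user, role, _type, _level) in contexts.items():
        wants_object_role = not key.endswith("process")
        if (role == "object_r") != wants_object_role:
            bad.append(key)
    return sorted(bad)


if __name__ == "__main__":
    ctx = parse_contexts(SAMPLE_LXC_CONTEXTS)
    known = declared_types(SAMPLE_VIRT_TE)
    for key, t in missing_types(ctx, known):
        print(f"{key}: type {t} is not declared in the policy source")
    for key in role_mismatches(ctx):
        print(f"{key}: role does not match the key's kind")
```

Run against a real tree, `SAMPLE_VIRT_TE` would be replaced by the concatenated policy sources (or the output of a type listing from the loaded policy), and a non-empty `missing_types` result is the signal that the appconfig file and the installed policy disagree, the same way the Debian bug surfaced.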
[refpolicy] Missing appconfig file for libvirt and LXC containers
From: Daniel J Walsh, 2014-01-29 13:13 UTC
To: refpolicy

On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> The libvirt SELinux security driver is now enabled in Debian unstable. Qemu/KVM
> VMs can now be started properly, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the Fedora policy, it does indeed ship that file, with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the Fedora policy, and maybe I'm missing something, but it seems
> that some types are missing in both the refpolicy and the Fedora policy. I
> find no sign of "svirt_qemu_net_t" or "sandbox_file_t", for example.
>
> So, any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.

They're in there; I have attached the latest qemu policy. We use svirt_sandbox_file_t, not sandbox_file_t (this is used for the type of sandbox -X containers).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: qemu.tgz
Type: application/x-gzip
Size: 2304 bytes
Desc: not available
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20140129/228c0bcc/attachment.tgz
[refpolicy] Missing appconfig file for libvirt and LXC containers
From: Miroslav Grepl, 2014-01-29 21:12 UTC
To: refpolicy

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> The libvirt SELinux security driver is now enabled in Debian unstable.
> Qemu/KVM VMs can now be started properly, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the Fedora policy, it does indeed ship that file, with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the Fedora policy, and maybe I'm missing something, but it
> seems that some types are missing in both the refpolicy and the Fedora
> policy. I find no sign of "svirt_qemu_net_t" or "sandbox_file_t", for
> example.

I see all types are present in virt.te:

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So, any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
[refpolicy] Missing appconfig file for libvirt and LXC containers
From: Laurent Bigonville, 2014-01-29 22:09 UTC
To: refpolicy

On Wed, 29 Jan 2014 22:12:56 +0100, Miroslav Grepl <mgrepl@redhat.com> wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > The libvirt SELinux security driver is now enabled in Debian unstable.
> > Qemu/KVM VMs can now be started properly, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the Fedora policy, it does indeed ship that file, with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the Fedora policy, and maybe I'm missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the Fedora policy. I find no sign of
> > "svirt_qemu_net_t" or "sandbox_file_t", for example.
> I see all types are present in virt.te:
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\

The fact that the .gitmodule of the selinux-policy repository is still pointing to the refpolicy one is really confusing.

Anyway, these types are not currently present in the upstream refpolicy, so I guess I should try to propose a patch to merge back the changes from the Fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger than I would have expected.

Kind regards,

Laurent Bigonville