From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Missing appconfig file for libvirt and LXC containers
Date: Wed, 29 Jan 2014 22:12:56 +0100
Message-ID: <52E96ED8.1020407@redhat.com>
In-Reply-To: <20140128111553.6c267725@soldur.bigon.be>

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable.
> Qemu/KVM VM can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the fedora one, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.

I see all types are present in virt.te,

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
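
An added example, not part of the original thread: a small check that parses the lxc_contexts entries quoted above and reports any whose SELinux type is absent from a list of types known to the policy. The type listing is a constructed sample (in practice it would come from a policy query tool), and the function names are hypothetical.

```python
import re

# lxc_contexts content as quoted in the message above.
LXC_CONTEXTS = """\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
"""

# Constructed sample, not taken from any real policy: a type listing with a
# header line and indented names, with one type deliberately absent.
SAMPLE_TYPE_LISTING = """\
Types: 3
   svirt_lxc_net_t
   svirt_sandbox_file_t
   virt_var_lib_t
"""

ENTRY = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_contexts(text):
    """Map each key to its (user, role, type, level) tuple."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected key = "context"')
        # maxsplit=3 keeps an MLS range such as s0:c0.c1023 in one field.
        fields = m.group(2).split(":", 3)
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {lineno}: not user:role:type:level")
        entries[m.group(1)] = tuple(fields)
    return entries

def parse_type_listing(text):
    """Collect lines that hold a single identifier; header lines are skipped."""
    return {t for t in (l.strip() for l in text.splitlines())
            if re.fullmatch(r"\w+", t)}

def missing_types(contexts, known_types):
    """Return {key: type} for entries whose type is not in known_types."""
    return {k: c[2] for k, c in contexts.items() if c[2] not in known_types}

if __name__ == "__main__":
    known = parse_type_listing(SAMPLE_TYPE_LISTING)
    for key, typ in missing_types(parse_contexts(LXC_CONTEXTS), known).items():
        print(f"{key}: type {typ} not found in the listing")
```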
