[DSE-Dev] Bug#736909: [refpolicy] Missing appconfig file for libvirt and LXC containers
Miroslav Grepl
mgrepl at redhat.com
Wed Jan 29 21:12:56 UTC 2014
On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable.
> Qemu/KVM VM can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the fedora one, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.
I see all types are presented in virt.te,
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib
> So an idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
More information about the SELinux-devel
mailing list