[DSE-Dev] Bug#736909: [refpolicy] Missing appconfig file for libvirt and LXC containers

Evgeni Golov evgeni at debian.org
Sun Dec 4 13:02:59 UTC 2016


Ohai,

On Wed, Jan 29, 2014 at 11:09:43PM +0100, Laurent Bigonville wrote:
> > > Libvirt selinux security driver is now enabled in debian unstable.
> > > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > > reported that LXC containers are failing to start due to the missing
> > > "lxc_contexts" appconfig file.
> > >
> > > Looking at the fedora policy, it's indeed shipping that file with
> > > the following content:
> > >
> > > ---------
> > > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > content = "system_u:object_r:virt_var_lib_t:s0"
> > > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > ---------
> > >
> > > I only see minimal differences between the virt module in the
> > > refpolicy and the one in the fedora one, and I'm maybe missing
> > > something, but it seems that some types are missing in both the
> > > refpolicy and the fedora policy. I find no signs of
> > > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> > I see all types are presented in virt.te,
> > 
> > https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib
> 
> Yes indeed, for some reason I didn't find this /o\ The fact that
> the .gitmodule of the selinux-policy repository is still pointing to
> the refpolicy one is really confusing.
> 
> Anyway these types are not currently present in the upstream refpolicy,
> so I guess I should try to propose a patch to merge back the changes from
> the fedora virt.pp module. Or do you have any plans to do this?
> 
> The delta between the two is unfortunately larger than I would have
> expected.

Upstream now ships an lxc_contexts file [1], but I have no idea how to test it in libvirt properly?

Regards
Evgeni

[1] https://github.com/TresysTechnology/refpolicy/commit/ca6fefc3c899a39a95402a82e2beda6cb5a98aa9
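The lxc_contexts format quoted above, and the closing question of how to check such a file against the installed policy, as an added example that is not part of this thread or of refpolicy/libvirt: a small Python parser for the `key = "context"` lines that validates each context's shape and role and reports types the policy does not declare. The declared-type set is a constructed stand-in for what `seinfo -t` would list on a live system, with `svirt_qemu_net_t` deliberately left out to reproduce the "missing type" situation discussed in the thread.

```python
"""Parse a libvirt lxc_contexts file and flag SELinux types the policy lacks."""
import re
from typing import Dict, List, Set

# Sample lxc_contexts content, constructed from the Fedora file quoted in the thread.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-in for the types a policy declares (on a live system this
# would come from `seinfo -t`); svirt_qemu_net_t is deliberately absent.
DECLARED_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# Keys whose value is a process (domain) context; the rest are file contexts.
PROCESS_KEYS = {"process", "sandbox_kvm_process", "sandbox_lxc_process"}

def parse_contexts(text: str) -> Dict[str, str]:
    """Return {key: context} for each `key = "value"` line; skip blanks/comments."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        entries[m.group(1)] = m.group(2)
    return entries

def check_contexts(entries: Dict[str, str], declared: Set[str]) -> List[str]:
    """Return human-readable problems: bad field count, wrong role, unknown type."""
    problems = []
    for key, ctx in entries.items():
        fields = ctx.split(":")
        if len(fields) not in (3, 4):   # user:role:type[:level]
            problems.append(f"{key}: context {ctx!r} does not have 3 or 4 fields")
            continue
        role, type_ = fields[1], fields[2]
        expected_role = "system_r" if key in PROCESS_KEYS else "object_r"
        if role != expected_role:
            problems.append(f"{key}: role {role} (expected {expected_role})")
        if type_ not in declared:
            problems.append(f"{key}: type {type_} not declared in policy")
    return problems
```

Running `check_contexts(parse_contexts(LXC_CONTEXTS), DECLARED_TYPES)` reports only the `sandbox_kvm_process` entry, whose type is missing from the constructed policy set.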
