On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in Debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the Fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the Fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the Fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
>
> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
>

They're in there, I have attached the latest qemu policy. We use svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox -X containers).

qemu.tgz
Description: GNU Zip compressed data
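
The check discussed in this thread, as an added example that is not part of the original messages or of libvirt or the policy packages: it parses the `lxc_contexts` entries quoted above and reports every SELinux type they reference that a given policy does not define. The type set used here is a constructed sample; on a real system it would be built from the loaded policy (for instance from the output of `seinfo -t`, assuming setools is installed).

```python
import re

# Contents of lxc_contexts as quoted in the message above.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed sample of defined types (an assumption, not taken from a real policy).
SAMPLE_POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}

LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_contexts(text):
    """Return {key: (user, role, type, level)} for each key = "context" line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        match = LINE_RE.match(raw)
        if not match:
            raise ValueError('line %d: expected key = "context"' % lineno)
        # The MLS/MCS level may itself contain ':' (e.g. s0:c0.c1023),
        # so split at most three times.
        fields = match.group(2).split(":", 3)
        if len(fields) < 3 or not all(fields[:3]):
            raise ValueError("line %d: context needs user:role:type" % lineno)
        level = fields[3] if len(fields) == 4 else None
        entries[match.group(1)] = (fields[0], fields[1], fields[2], level)
    return entries


def missing_types(entries, policy_types):
    """Map each type absent from policy_types to the keys that reference it."""
    missing = {}
    for key, (_user, _role, setype, _level) in entries.items():
        if setype not in policy_types:
            missing.setdefault(setype, []).append(key)
    return {setype: sorted(keys) for setype, keys in missing.items()}


if __name__ == "__main__":
    report = missing_types(parse_contexts(LXC_CONTEXTS), SAMPLE_POLICY_TYPES)
    for setype, keys in sorted(report.items()):
        print("%s: not defined, referenced by %s" % (setype, ", ".join(keys)))
```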