On Wed, 29 Jan 2014 22:12:56 +0100, Miroslav Grepl <mgr...@redhat.com> wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > Libvirt selinux security driver is now enabled in debian unstable.
> > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the fedora policy, it's indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the fedora one, and I'm maybe missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the fedora policy. I find no signs of
> > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> I see all types are presented in virt.te,
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\

The fact that the .gitmodule of the selinux-policy repository is still
pointing to the refpolicy one is really confusing.

Anyway these types are not currently present in the upstream refpolicy,
so I guess I should try to propose a patch to merge back the changes from
the fedora virt.pp module. Or do you have any plans to do this? The
delta between the two is unfortunately larger than I would have expected.

Kind regards,

Laurent Bigonville
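
An added example, not part of the original message or of any project's code: a small check that every type named in the quoted lxc_contexts file is declared in a policy source file. The `SAMPLE_TE` fragment is constructed for illustration and the function names are hypothetical; the scan only sees plain `type name;` declarations, not types generated by template macros.

```python
import re

# lxc_contexts content as quoted in the message above.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed policy-source fragment (NOT the real virt.te).
SAMPLE_TE = '''\
type virt_var_lib_t;
files_type(virt_var_lib_t)
type svirt_lxc_net_t, svirt_lxc_domain;
# type svirt_qemu_net_t;   (commented out, must not count)
'''

ENTRY_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
TYPE_RE = re.compile(r'^\s*type\s+(\w+)\s*[,;]', re.M)

def parse_contexts(text):
    """Return {key: (user, role, type, level)} for each key = "context" line."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f'line {n}: not of the form key = "context"')
        fields = m.group(2).split(":", 3)  # an MLS level may itself contain ':'
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected user:role:type:level")
        out[m.group(1)] = tuple(fields)
    return out

def declared_types(te_source):
    """Types declared with a plain 'type name;' or 'type name, attr;' statement."""
    return set(TYPE_RE.findall(te_source))

def missing_types(contexts_text, te_source):
    """Map each undeclared type to the lxc_contexts keys that reference it."""
    known = declared_types(te_source)
    missing = {}
    for key, (_, _, typ, _) in parse_contexts(contexts_text).items():
        if typ not in known:
            missing.setdefault(typ, []).append(key)
    return missing

if __name__ == "__main__":
    for typ, keys in sorted(missing_types(LXC_CONTEXTS, SAMPLE_TE).items()):
        print(f"{typ}: not declared (used by {', '.join(keys)})")
```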