On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
>
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
>
> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
>
They're in there, I have attached the latest qemu policy. We use
svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox
-X containers).
qemu.tgz
Description: GNU Zip compressed data