Ohai,

On Wed, Jan 29, 2014 at 11:09:43PM +0100, Laurent Bigonville wrote:
> > > Libvirt selinux security driver is now enabled in debian unstable.
> > > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > > reported that LXC containers are failing to start due to the missing
> > > "lxc_contexts" appconfig file.
> > >
> > > Looking at the fedora policy, it's indeed shipping that file with
> > > the following content:
> > >
> > > ---------
> > > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > content = "system_u:object_r:virt_var_lib_t:s0"
> > > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > ---------
> > >
> > > I only see minimal differences between the virt module in the
> > > refpolicy and the fedora one, and I'm maybe missing
> > > something, but it seems that some types are missing in both the
> > > refpolicy and the fedora policy. I find no signs of
> > > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> > I see all types are present in virt.te,
> >
> > https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib
> Yes indeed, for some reason I didn't find this /o\ The fact that
> the .gitmodule of the selinux-policy repository is still pointing to
> the refpolicy one is really confusing.
>
> Anyway these types are not currently present in the upstream refpolicy,
> so I guess I should try to propose a patch to merge back the changes from
> the fedora virt.pp module. Or do you have any plans to do this?
>
> The delta between the two is unfortunately larger than I would have
> expected.
Upstream now ships an lxc_contexts file [1], but I have no idea how to test it in libvirt properly?

Regards
Evgeni

[1] https://github.com/TresysTechnology/refpolicy/commit/ca6fefc3c899a39a95402a82e2beda6cb5a98aa9

_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
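The thread's concrete failure mode is an lxc_contexts file that names types (svirt_qemu_net_t, svirt_sandbox_file_t) the installed policy does not define, which libvirt's LXC driver cannot label against. A cheap first check before touching libvirt is therefore to parse the file and confirm every type it references exists in the loaded policy. The script below is an added example, not code from the thread or from refpolicy/libvirt; it assumes the `key = "user:role:type:range"` layout of the Fedora file quoted above and a type list with one type name per line (what `seinfo -t` from setools prints once the "Types:" header line is dropped). The sample files are constructed inline so it runs offline: the type list deliberately omits svirt_qemu_net_t, reproducing the mismatch the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every SELinux type named in
# an lxc_contexts file is defined in the policy, before asking libvirt to use it.

# lxc_contexts_types FILE
#   Print the sorted, unique type component (3rd colon field) of every
#   quoted context value in FILE. Comment and blank lines are ignored.
lxc_contexts_types() {
    sed -n 's/^[[:space:]]*[a-z_]*[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
      | cut -d: -f3 | LC_ALL=C sort -u
}

# check_lxc_contexts FILE TYPELIST
#   TYPELIST holds one known type per line (assumption: e.g. the output of
#   `seinfo -t | awk 'NF==1{print $1}'`). Prints each type from FILE that
#   is absent from TYPELIST and returns 1 if any is missing, 0 otherwise.
check_lxc_contexts() {
    missing=0
    for t in $(lxc_contexts_types "$1"); do
        if ! grep -qx "$t" "$2"; then
            echo "missing type: $t"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the Fedora lxc_contexts as quoted in the thread.
SAMPLE_CTX=$(mktemp)
cat > "$SAMPLE_CTX" <<'EOF'
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
EOF

# Constructed sample: a stand-in for `seinfo -t` output from a policy that
# defines the LXC types but not the KVM sandbox type svirt_qemu_net_t.
SAMPLE_TYPES=$(mktemp)
cat > "$SAMPLE_TYPES" <<'EOF'
svirt_lxc_net_t
virt_var_lib_t
svirt_sandbox_file_t
EOF

# Stand-alone run: reports "missing type: svirt_qemu_net_t" and exits 1.
check_lxc_contexts "$SAMPLE_CTX" "$SAMPLE_TYPES"
rc=$?
rm -f "$SAMPLE_CTX" "$SAMPLE_TYPES"
[ "$rc" -eq 0 ] && echo "all lxc_contexts types are defined in the policy"
```

On a real host, run it against the installed file (libvirt's SELinux driver reads it from the path libselinux returns for selinux_lxc_contexts_path(), normally /etc/selinux/<policytype>/contexts/lxc_contexts) with a type list taken from the live policy, so that a refpolicy-built file is checked against the refpolicy actually loaded rather than against Fedora's type names. A clean result here does not prove the labels are usable (the policy must also allow the transitions), but a missing type explains the container start failure without any libvirt debugging.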
