Debian Bug report logs - #736909
LXC selinux support not working


Package: selinux-policy-default; Maintainer for selinux-policy-default is Debian SELinux maintainers <[email protected]>; Source for selinux-policy-default is src:refpolicy (PTS, buildd, popcon).

Affects: libvirt, libvirt-bin

Reported by: Laurent Bigonville <[email protected]>

Date: Wed, 19 Sep 2012 22:54:02 UTC

Severity: important

Found in version refpolicy/2:2.20131214-1

Forwarded to [email protected]


X-Loop: [email protected]
Subject: Bug#736909: [refpolicy] Missing appconfig file for libvirt and LXC containers
Reply-To: Miroslav Grepl <[email protected]>, [email protected]
Resent-From: Miroslav Grepl <[email protected]>
Resent-To: [email protected]
Resent-CC: Debian SELinux maintainers <[email protected]>
X-Loop: [email protected]
Resent-Date: Wed, 29 Jan 2014 21:15:15 +0000
Resent-Message-ID: <[email protected]>
Resent-Sender: [email protected]
X-Debian-PR-Message: followup 736909
X-Debian-PR-Package: selinux-policy-default
X-Debian-PR-Keywords: patch
X-Debian-PR-Source: refpolicy, selinux-policy-default
Message-ID: <[email protected]>
Date: Wed, 29 Jan 2014 22:12:56 +0100
From: Miroslav Grepl <[email protected]>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Laurent Bigonville <[email protected]>
CC: [email protected], [email protected],
        [email protected]
References: <CADKfTWYXie4v8p3xavrPXaRBgpZCsJG8ZcU3+stQuZda=kP62g@mail.gmail.com>	<CADKfTWZeiGxt_2pP9BicBpPB2ydqz+_SEQcrNm5VqYkutNWtaw@mail.gmail.com>	<[email protected]> <[email protected]>
In-Reply-To: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> The libvirt SELinux security driver is now enabled in Debian unstable.
> Qemu/KVM VMs can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the Fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in Fedora, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the Fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.

I see all types are present in virt.te:

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So any idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
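
The check this thread is circling, as an added example that is not part of the original messages or of libvirt/refpolicy: parse an `lxc_contexts` file in the format quoted above, then report missing keys and contexts whose type is absent from a given set of policy types. Treating all five Fedora keys as required is an assumption, and `SAMPLE_TYPES` is a constructed stand-in for the type list of a loaded policy (for instance the output of `seinfo -t`).

```python
import re

# Keys taken from the Fedora lxc_contexts quoted in the report; treating all
# five as required is an assumption of this example.
EXPECTED_KEYS = ("process", "content", "file",
                 "sandbox_kvm_process", "sandbox_lxc_process")
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_contexts(text):
    """Return {key: (user, role, type, level)}; raise ValueError on bad lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected key = "context"')
        # Split at most three times: an MLS level can itself contain ':'.
        fields = m.group(2).split(":", 3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected user:role:type:level")
        entries[m.group(1)] = tuple(fields)
    return entries


def audit(text, known_types):
    """List problems: missing keys and contexts naming unknown types."""
    entries = parse_contexts(text)
    problems = [f"missing key: {k}" for k in EXPECTED_KEYS if k not in entries]
    for key, (_user, _role, setype, _level) in entries.items():
        if setype not in known_types:
            problems.append(f"{key}: type {setype} not in known types")
    return problems


# File content exactly as quoted in the report.
FEDORA_FILE = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''
# Constructed type list: a policy that lacks svirt_qemu_net_t.
SAMPLE_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_sandbox_file_t"}

if __name__ == "__main__":
    for problem in audit(FEDORA_FILE, SAMPLE_TYPES):
        print(problem)
```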


Debian bug tracking system administrator <[email protected]>. Last modified: Thu May 15 15:31:20 2025; Machine Name: buxtehude
