Debian Bug report logs - #736909
LXC selinux support not working

Package: selinux-policy-default; Maintainer for selinux-policy-default is Debian SELinux maintainers <[email protected]>; Source for selinux-policy-default is src:refpolicy (PTS, buildd, popcon).

Affects: libvirt, libvirt-bin

Reported by: Laurent Bigonville <[email protected]>

Date: Wed, 19 Sep 2012 22:54:02 UTC

Severity: important

Found in version refpolicy/2:2.20131214-1

Forwarded to [email protected]

Subject: Bug#736909: [refpolicy] Missing appconfig file for libvirt and LXC containers
Reply-To: Laurent Bigonville <[email protected]>, [email protected]
Date: Wed, 29 Jan 2014 23:09:43 +0100
From: Laurent Bigonville <[email protected]>
To: Miroslav Grepl <[email protected]>
Cc: [email protected], [email protected],
 [email protected]
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
On Wed, 29 Jan 2014 22:12:56 +0100,
Miroslav Grepl <[email protected]> wrote:

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > Libvirt selinux security driver is now enabled in debian unstable.
> > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the fedora policy, it's indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the fedora one, and I'm maybe missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the fedora policy. I find no signs of
> > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> I see all types are presented in virt.te,
> 
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reason I didn't find this /o\ The fact that
the .gitmodule of the selinux-policy repository is still pointing to
the refpolicy one is really confusing.

Anyway, these types are not currently present in the upstream refpolicy,
so I guess I should try to propose a patch to merge back the changes from
the fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger than I would have
expected.

Kind regards,

Laurent Bigonville
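As an added example (not code from the report, libvirt, or either policy), a Python checker that parses an lxc_contexts file in the format quoted above and reports keys whose context names a type the target policy does not define, which is the gap between the fedora and refpolicy virt modules discussed in the thread. The policy type sets and the list of mandatory keys are constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the lxc_contexts content quoted in the bug report.
LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''

# Constructed stand-ins for the type list a loaded policy exports (what
# `seinfo -t` prints); the refpolicy of the time lacked the two sandbox types.
REFPOLICY_TYPES: Set[str] = {"svirt_lxc_net_t", "virt_var_lib_t"}
FEDORA_TYPES: Set[str] = REFPOLICY_TYPES | {"svirt_qemu_net_t", "svirt_sandbox_file_t"}

# Keys treated as mandatory here (an assumption, not stated in the report).
REQUIRED_KEYS = ("process", "content", "file")

LINE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
CONTEXT_RE = re.compile(r'^[\w.]+:\w+:(?P<type>\w+)(?::\S+)?$')  # user:role:type[:range]

def parse_lxc_contexts(text: str) -> Dict[str, str]:
    """Parse key = "context" lines; reject malformed contexts and duplicate keys."""
    contexts: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        key, ctx = m.groups()
        if key in contexts:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        if not CONTEXT_RE.match(ctx):
            raise ValueError(f"line {lineno}: not a user:role:type[:range] context: {ctx!r}")
        contexts[key] = ctx
    return contexts

def check_against_policy(contexts: Dict[str, str], policy_types: Set[str]) -> List[str]:
    """Return findings: missing mandatory keys, and keys whose context names a type
    the policy does not define (the kind of gap the report describes)."""
    problems = [f"missing key {k!r}" for k in REQUIRED_KEYS if k not in contexts]
    for key, ctx in contexts.items():
        t = CONTEXT_RE.match(ctx).group("type")
        if t not in policy_types:
            problems.append(f"{key}: type {t!r} not defined in policy")
    return problems
```

Running it with the fedora type set yields no findings, while the refpolicy set flags the two sandbox types the thread says are absent upstream.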


Debian bug tracking system administrator <[email protected]>. Last modified: Thu May 15 15:34:57 2025; Machine Name: buxtehude
