Your message dated Tue, 28 Jan 2014 11:15:53 +0100 with message-id <20140128111553.6c267...@soldur.bigon.be> has caused the report #736909, regarding LXC selinux support not working to be marked as having been forwarded to the upstream software author(s) refpol...@oss.tresys.com
(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
736909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hi,

Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM VM can be started properly now, but a bug[1] has been reported that LXC containers are failing to start due to the missing "lxc_contexts" appconfig file.

Looking at the fedora policy, it's indeed shipping that file with the following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy and the one in the fedora one, and I'm maybe missing something, but it seems that some types are missing in both the refpolicy and the fedora policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.

So an idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.
--- End Message ---