[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation

To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxxxxx>
From: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>
Date: Fri, 29 Aug 2014 15:46:14 +0300
Delivery-date: Fri, 29 Aug 2014 12:46:38 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi Julien,

Could you please verify, looks like this is needed for your series ->
http://lists.xen.org/archives/html/xen-devel/2014-07/msg04101.html
([PATCH v2 08/21] xen/arm: Initialize the virtual GIC  later)

Without this I see an error during domU creation:

avc:  denied  { configure_domain } for domid=0 target=1
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t
tclass=domain2


Regards,
Andrii

On Fri, Aug 29, 2014 at 3:41 PM, Andrii Tseglytskyi
<andrii.tseglytskyi@xxxxxxxxxxxxxxx> wrote:
> If XSM is enabled XEN_DOMCTL_configure_domain call should be allowed
> during domU creation, otherwise domain will not be created.
>
> Signed-off-by: Andrii Tseglytskyi <andrii.tseglytskyi@xxxxxxxxxxxxxxx>
> ---
>  tools/flask/policy/policy/modules/xen/xen.if | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
> b/tools/flask/policy/policy/modules/xen/xen.if
> index dedc035..e598772 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -49,7 +49,7 @@ define(`create_domain_common', `
>                         getdomaininfo hypercall setvcpucontext 
> setextvcpucontext
>                         getscheduler getvcpuinfo getvcpuextstate getaddrsize
>                         getaffinity setaffinity };
> -       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  
> set_max_evtchn };
> +       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim  
> set_max_evtchn configure_domain };
>         allow $1 $2:security check_context;
>         allow $1 $2:shadow enable;
>         allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
> mmuext_op };
> --
> 1.9.1
>



-- 

Andrii Tseglytskyi | Embedded Dev
GlobalLogic
www.globallogic.com

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation
  - From: Julien Grall

References:
- [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation
  - From: Andrii Tseglytskyi

Prev by Date: [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation
Next by Date: [Xen-devel] [RFC PATCH] cpufreq: make cpufreq driver more generalizable
Previous by thread: [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation
Next by thread: Re: [Xen-devel] [PATCH] flask/policy: allow configure_domain call during domain creation
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.