Xen project Mailing List

Re: [Xen-devel] XSM denials with 4.7.0 RC1

Date: Wed, 4 May 2016 15:05:38 +0100

Cc: ross.lagerwall@xxxxxxxxxx, Wei Liu <wei.liu2@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Wed, 04 May 2016 14:05:46 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

CC Konrad and Ross On Wed, May 04, 2016 at 08:52:24AM -0500, Doug Goldstein wrote: > Hi all, > > Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the > following denials for any domU that attempts to run "xl". In my > situation my domU needs to run "xl devd" because its a driver domain. > > (XEN) avc: denied { xen_extraversion } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_extraversion } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_compile_info } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_capabilities } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_changeset } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_pagesize } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_commandline } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > (XEN) avc: denied { xen_build_id } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t > tclass=version > > I'm guessing a changed happened to xl so that it queries the version > info everytime it is run. > I think the root cause is that we have now altered xen_version hypercall for xsplice. We might need to update the hook, the default policy (assuming that's what you use) or both. Wei. > -- > Doug Goldstein > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxx > http://lists.xen.org/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.