
Re: [Xen-devel] XSM denials with 4.7.0 RC1



On 5/4/16 12:20 PM, Daniel De Graaf wrote:
> On 05/04/2016 09:52 AM, Doug Goldstein wrote:
>> Hi all,
>>
>> Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
>> following denials for any domU that attempts to run "xl". In my
>> situation my domU needs to run "xl devd" because it's a driver domain.
>>
>> (XEN) avc:  denied  { xen_extraversion } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_extraversion } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_compile_info } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_capabilities } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_changeset } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_pagesize } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
> 
> These 6 denials should not happen with the policy in 4.7.0-rc1; are
> you using an older policy?

Well, it turns out yes, I was using a bad policy. I grabbed the policy
updates from master and not from 4.7.0-rc1 when I merged them with my
policy. So yes, the above are incorrect and noise on my part. master
wasn't (and still isn't) at the same point that 4.7.0-rc1 was at.

> 
>> (XEN) avc:  denied  { xen_commandline } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_build_id } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
> 
> If these show up for domUs in normal operation (and I think using
> "xl devd" probably qualifies for that), then they probably need
> dontaudit rules.
> 

These are still happening for any domD running "xl devd".

-- 
Doug Goldstein
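The dontaudit suggestion in the thread, as an added example that is not part of the original exchange: a small Python helper in the spirit of audit2allow that parses the wrapped `(XEN) avc: denied` console lines, groups the denied permissions per source type, target type and class, and renders them as checkpolicy-style rules of the form Xen's FLASK policy uses. The sample log is constructed from the two denials Doug reports as still occurring; the function names are this example's own.

```python
import re
from collections import defaultdict

# Denial record as printed by Xen's XSM/FLASK AVC; the console wraps each
# record over several lines, so parse_avc() joins lines before matching.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+domid=(?P<domid>\d+)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample, modelled on the two denials still reported in the
# thread (one of them repeated, as a real console log would show).
SAMPLE_LOG = """\
(XEN) avc:  denied  { xen_commandline } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_build_id } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_build_id } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
"""

def parse_avc(text):
    """Return one dict per denial record found in the (possibly wrapped) log."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return [m.groupdict() for m in AVC_RE.finditer(flat)]

def type_of(context):
    """system_u:system_r:domU_t -> domU_t (the type is the last context field)."""
    return context.rsplit(":", 1)[-1]

def summarize(denials):
    """Group the denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        groups[key].update(d["perms"].split())
    return dict(groups)

def policy_rules(denials, kind="dontaudit"):
    """Render each group as one checkpolicy-style rule, e.g.
    dontaudit domU_t xen_t:version { xen_build_id xen_commandline };"""
    return [
        f"{kind} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summarize(denials).items())
    ]
```

Whether a group belongs in a dontaudit rule (silence the noise) or an allow rule (grant the access) is a policy decision the log cannot make for you; the helper only collects the evidence in rule form for review.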
