[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSM denials with 4.7.0 RC1



> 
> Well it turns out yes I was using a bad policy. I grabbed the policy
> updates from master and not from 4.7.0-rc1 when I merged them with my
> policy. So yes the above are incorrect and noise on my part. master
> wasn't (and still isn't) at the same point that 4.7.0-rc1 was at.
> 
> > 
> >> (XEN) avc:  denied  { xen_commandline } for domid=1
> >> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> >> tclass=version
> >> (XEN) avc:  denied  { xen_build_id } for domid=1
> >> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> >> tclass=version
> > 
> > If these show up for domUs in normal operation (and I think using
> > "xl devd" probably qualifies for that), then they probably need
> > dontaudit rules.
> > 
> 
> These are still happening for any domD running "xl devd".

Is 'domD' not part of domain_type?

As in the policy has:

allow domain_type xen_t:version {                                               
    xen_extraversion xen_compile_info xen_capabilities                          
    xen_changeset xen_pagesize xen_guest_handle                                 
};  

Is domD under a different type? In which case it sounds as if you
are using a non-default XSM policy?

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.