[Xen-devel] unable to create domain after enabling XSM


  • To: xen-devel <xen-devel@xxxxxxxxxxxxx>
  • From: Big Strong <fangtuo90@xxxxxxxxx>
  • Date: Sun, 15 May 2016 22:25:23 +0800
  • Delivery-date: Sun, 15 May 2016 14:25:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi,

I've configured xen 4.6.0 with xsm enabled and used the default flask policy to boot the dom0.
However, when I tried to create a domU, it failed for the following reasons:

(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  granted  { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security
(XEN) avc:  granted  { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security

So I added the following rules to xen.te, which were obtained with 'sudo xl dmesg | grep avc | audit2allow':

allow dom0_t xen_t:domain getdomaininfo;
allow dom0_t xen_t:event send;
allow dom0_t xen_t:grant copy;
allow dom0_t xen_t:hvm { trackdirtyvram irqlevel };
allow dom0_t xen_t:domain { destroy pause };
allow dom0_t self:event send;

I then recompiled the flask policy and loaded it using 'xl loadpolicy'; however, the creation of a domU (both hvm and pv, with or without seclabel) still fails for the following reasons, even though there are no avc violations.

$ sudo xl create ~/xen-config/ubuntu-hvm3
Parsing config from /home/john/xen-config/ubuntu-hvm
libxl: error: libxl_device.c:952:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/5/51712
libxl: error: libxl_device.c:952:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/5/5632
libxl: error: libxl_create.c:1174:domcreate_launch_dm: unable to add disk devices
libxl: error: libxl_dm.c:1956:kill_device_model: unable to find device model pid in /local/domain/5/image/device-model-pid
libxl: error: libxl.c:1628:libxl__destroy_domid: libxl__destroy_device_model failed for 5
libxl: error: libxl_device.c:952:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/5/51712
libxl: error: libxl_device.c:952:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/5/5632
libxl: error: libxl.c:1665:devices_destroy_cb: libxl__devices_destroy failed for 5
libxl: error: libxl.c:1591:libxl__destroy_domid: non-existant domain 5
libxl: error: libxl.c:1549:domain_destroy_callback: unable to destroy guest with domid 5
libxl: error: libxl.c:1476:domain_destroy_cb: destruction of domain 5 failed

When xsm is disabled, the creation succeeds. What do these errors mean anyway?
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
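A small parser for the avc lines and xen.te rules quoted in the post above, added here as an example and not part of the original message or of the Xen tools: it groups denials into allow rules the way the 'xl dmesg | grep avc | audit2allow' step does, and additionally reports which denials a given policy fragment still leaves uncovered, so a reviewer can see whether a loaded policy actually matches the denials observed. The dmesg text below is constructed in the shape of the lines quoted above, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "xl dmesg" avc lines quoted above (not a real capture).
SAMPLE_DMESG = """\
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { destroy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=domain
(XEN) avc:  granted  { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for domid=\d+"
    r" scontext=\S+:(?P<stype>\w+) tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)"
)
# Matches 'allow src tgt:class perm;' and 'allow src tgt:class { p1 p2 };' as written in xen.te.
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]+)\}|(\w+))\s*;")

def parse_denials(dmesg):
    """Return the set of (source type, target type, class, permission) tuples that were denied."""
    denied = set()
    for m in AVC_RE.finditer(dmesg):
        if m["verdict"] != "denied":
            continue
        for perm in m["perms"].split():
            denied.add((m["stype"], m["ttype"], m["tclass"], perm))
    return denied

def parse_allow_rules(te_text):
    """Parse allow rules from a policy fragment; 'self' expands to the source type."""
    allowed = set()
    for src, tgt, cls, many, one in RULE_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt
        for perm in (many.split() if many else [one]):
            allowed.add((src, tgt, cls, perm))
    return allowed

def uncovered_denials(dmesg, te_text):
    """Denials that the given policy fragment does not allow (what still needs review)."""
    return sorted(parse_denials(dmesg) - parse_allow_rules(te_text))

def suggest_rules(denials):
    """Group denials like audit2allow: one rule per (src, tgt, class), 'self' when src == tgt."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in denials:
        grouped[(src, "self" if tgt == src else tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Feed it the real 'xl dmesg' output and the rules you added to xen.te; an empty result from uncovered_denials confirms the loaded policy covers every logged denial, so remaining failures such as the libxl ones above are not avc-related.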
