Re: [Xen-devel] Ping: Re: Flask default policy mismatch vs dummy
>>> On 26.10.18 at 23:41, <dgdegra@xxxxxxx> wrote:
>> -----Original Message-----
>> From: Jan Beulich <JBeulich@xxxxxxxx>
>> Sent: Friday, October 26, 2018 7:16 AM
>> To: Daniel de Graaf <dgdegra@xxxxxxxxxxxxx>
>> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>; xen-devel@xxxxxxxxxxxxx
>> Subject: [Non-DoD Source] Ping: Re: Flask default policy mismatch vs dummy
>>
>> >>> On 11.10.18 at 13:40, <JBeulich@xxxxxxxx> wrote:
>> >>>> On 11.10.18 at 10:05, <andrew.cooper3@xxxxxxxxxx> wrote:
>> >> Found while looking at some OSSTest logs.
>> >>
>> >> Oct 9 14:03:09.579037 (XEN) avc: denied { setup } for domid=0
>> >> scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t
>> >> tclass=resource
>> >> Oct 9 14:03:09.590863 [ 0.522193] Failed to report MMCONFIG
>> >> reservation
>> >> state for PCI MMCONFIG 0000 [bus 00-7f] to hypervisor (-13)
>> >>
>> >> If someone has some tuits, please feel free. If not, I'll see what I
>> >> can do when I've got some time.
>> >
>> > How about this?
>> >
>> > Jan
>>
>> Daniel, do you have any thoughts here?
>>
>> Thanks, Jan
>
> This looks like a missing allow rule in the policy for dom0; something like:
>
> allow dom0_t xen_t: resource setup;
>
> in dom0.te at the end near the admin_device() statements. I'm not at my
> Linux system at the moment, otherwise I'd make a patch.

Okay, if the adjustment is to be in the rules, then I'll leave it to you
(or anyone else who wants to pick it up).

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
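
The step from the quoted AVC denial to the suggested allow rule is mechanical. The following is an added example, not part of the thread or of Xen's tooling: it parses denials in the format quoted above and merges them into candidate rules for review. The function names and `SAMPLE_LOG` are hypothetical, and the sample lines are constructed from the quoted log.

```python
import re
from collections import defaultdict

# Denial format as quoted in the thread: avc: denied { perms } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]

def parse_denial(line):
    """Return (source_type, target_type, class, perms), or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    perms = frozenset(m.group("perms").split())
    try:
        key = (context_type(fields["scontext"]),
               context_type(fields["tcontext"]), fields["tclass"])
    except (KeyError, ValueError):
        return None  # wrapped or truncated log line: skip rather than guess
    return key + (perms,) if perms else None

def candidate_rules(lines):
    """Merge denials per (source, target, class) into candidate allow rules.
    The output is input to policy review, not a policy change in itself."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed:
            merged[parsed[:3]] |= parsed[3]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

# Constructed sample: the quoted denial re-joined onto one line, a non-AVC
# kernel line, and a denial truncated the way log wrapping can leave it.
SAMPLE_LOG = [
    "(XEN) avc: denied { setup } for domid=0 scontext=system_u:system_r:dom0_t "
    "tcontext=system_u:system_r:xen_t tclass=resource",
    "[ 0.522193] Failed to report MMCONFIG reservation state (-13)",
    "(XEN) avc: denied { setup } for domid=0 scontext=system_u:system_r:dom0_t",
]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```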