
Re: [Xen-devel] [PATCH for-4.5] flask/policy: Updates for example XSM policy



On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> > The example XSM policy was missing permission for dom0_t to migrate
> > domains with label domU_t; add these permissions.
> > 
> > Reported-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> > Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> 
> Thanks.
> 
> This seems to work to a certain degree. I now hit a new error when
> trying to save a domain (PV and HVM).
> 
> (XEN) avc:  denied  { map_read } for domid=0 target=32754 
> scontext=system_u:sysu

The above line was trimmed.

(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domxen_t tclass=mmu

I added the following lines in xen.te
 allow dom0_t domxen_t:mmu map_read;

Then came across another error when trying to resume DomU (that is the
operation after saving).

(XEN) avc:  denied  { resume } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Even if I ran it in permissive mode it still failed with the same error
because "resume" is not defined in policy (not sure if this is the right
term).

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
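
The manual step described in the message above (reading an "avc: denied" line off the Xen console and writing the matching allow rule for xen.te) can be scripted. The following is an added example, not code from this thread or from the Xen tree; the function names and the sample log are constructed here, and the parser assumes the console line format quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the message, wrapped as mailed,
# including the truncated first one.
SAMPLE_LOG = """\
(XEN) avc:  denied  { map_read } for domid=0 target=32754
scontext=system_u:sysu
(XEN) avc:  denied  { map_read } for domid=0 target=32754
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domxen_t tclass=mmu
(XEN) avc:  denied  { resume } for domid=0 target=1
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t
tclass=domain
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\S+:(\S+)"
                    r"\s+tcontext=\S+:(\S+)\s+tclass=(\S+)")

def records(log):
    """Rejoin wrapped console lines; each '(XEN)' prefix starts a record."""
    cur = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if line.startswith("(XEN)") and cur:
            yield " ".join(cur)
            cur = []
        cur.append(line)
    if cur:
        yield " ".join(cur)

def denials_to_rules(log):
    """Return (allow_rules, skipped_records) for the AVC denials in log."""
    perms, skipped = defaultdict(set), []
    for rec in records(log):
        if "avc:" not in rec:
            continue
        m = AVC_RE.search(rec)
        if not m:
            skipped.append(rec)  # incomplete record: never guess its fields
            continue
        perm_list, src, tgt, tclass = m.groups()
        perms[(src, tgt, tclass)].update(perm_list.split())
    rules = []
    for (src, tgt, tclass), p in sorted(perms.items()):
        body = " ".join(sorted(p))
        body = body if len(p) == 1 else "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules, skipped

if __name__ == "__main__":
    print(*denials_to_rules(SAMPLE_LOG)[0], sep="\n")
```

The output is a starting point for review before anything goes into xen.te; a rule naming a permission that the policy's access vectors do not define for that class will not compile.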