[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSM denials with 4.7.0 RC1

On 5/4/16 8:58 AM, Jan Beulich wrote:
>>>> On 04.05.16 at 15:52, <cardoe@xxxxxxxxxx> wrote:
>> Hi all,
>>
>> Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
>> following denials for any domU that attempts to run "xl". In my
>> situation my domU needs to run "xl devd" because its a driver domain.
>>
>> (XEN) avc:  denied  { xen_extraversion } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_extraversion } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_compile_info } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_capabilities } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_changeset } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_pagesize } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_commandline } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>> (XEN) avc:  denied  { xen_build_id } for domid=1
>> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
>> tclass=version
>>
>> I'm guessing a changed happened to xl so that it queries the version
>> info everytime it is run.
> 
> Perhaps it did that always, and it has become a problem only
> because of the XSM check which the version hypercall obtained
> recently?
> 
> Jan
> 

That would do it as well, thank you. I knew there was a change in this
code path recently and I remembered Konrad was active in it so I CC'd him.

If no one else proposes a change I'll look at making a patch tomorrow.

-- 
Doug Goldstein

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.