Re: [Xen-devel] [PATCH for-4.5] flask/policy: Updates for example XSM policy
On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> > The example XSM policy was missing permission for dom0_t to migrate
> > domains with label domU_t; add these permissions.
> >
> > Reported-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> > Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>
> Thanks.
>
> This seems to work to a certain degree. I now hit a new error when
> trying to save a domain (PV and HVM).
>
> (XEN) avc: denied { map_read } for domid=0 target=32754
> scontext=system_u:sysu

The above line was trimmed.

(XEN) avc: denied { map_read } for domid=0 target=32754 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domxen_t tclass=mmu

I added the following lines in xen.te

allow dom0_t domxen_t:mmu map_read;

Then came across another error when trying to resume DomU (that is the
operation after saving).

(XEN) avc: denied { resume } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Even if I ran it in permissive mode it still failed with the same error
because "resume" is not defined in policy (not sure if this is the right
term).

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
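An added example, not part of the original message or of the Xen tree: a small Python parser that turns the `(XEN) avc: denied` lines quoted above into candidate `allow` rules for xen.te and sets aside any line the console trimmed before `tcontext` and `tclass` were printed. The function names and the `SAMPLE_LOG` constant are hypothetical; the sample reuses the three denial lines from the message.

```python
import re
from collections import defaultdict

# Constructed sample: the denial lines quoted in the message above,
# including the one that was trimmed in the middle of scontext.
SAMPLE_LOG = """\
(XEN) avc: denied { map_read } for domid=0 target=32754 scontext=system_u:sysu
(XEN) avc: denied { map_read } for domid=0 target=32754 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domxen_t tclass=mmu
(XEN) avc: denied { resume } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms), or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    scon = fields.get("scontext", "").split(":")
    tcon = fields.get("tcontext", "").split(":")
    tclass = fields.get("tclass")
    # A usable line has user:role:type for both contexts plus a class.
    if len(scon) < 3 or len(tcon) < 3 or not tclass or not perms:
        return None
    return scon[2], tcon[2], tclass, perms

def candidate_rules(log_text):
    """Merge denials into allow rules; also return the lines that were skipped."""
    merged, skipped = defaultdict(set), []
    for line in log_text.splitlines():
        if "avc:" not in line:
            continue
        parsed = parse_denial(line)
        if parsed is None:
            skipped.append(line)  # trimmed or malformed: never guess the rest
            continue
        src, tgt, tclass, perms = parsed
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules, skipped

if __name__ == "__main__":
    rules, skipped = candidate_rules(SAMPLE_LOG)
    print("\n".join(rules), f"\n# skipped {len(skipped)} truncated line(s)")
```

The output is a list of candidate rules to review before anything goes into xen.te. The script does not check whether a permission such as `resume` is defined for its class in the policy.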