Xen project Mailing List

Re: [Xen-devel] XSM: new set of "avc denied"

From: Ian Campbell <ian.campbell@xxxxxxxxxx>

Date: Tue, 26 May 2015 10:13:31 +0100

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Tue, 26 May 2015 09:14:28 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Mon, 2015-05-25 at 10:40 +0100, Wei Liu wrote: > I had a look at Osstest's latest xen-unstable run [0]. With Ian's patch > series we finally passed the point of guest creation on x86. > > We now have a new set of "avc denied". Thanks for picking up on these, I was just about to. > May 24 20:18:05.945118 (XEN) avc: denied { get_vnumainfo } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self > tclass=domain2 > > This is HVM loader trying to call get_vnumainfo > > May 24 20:28:50.593013 (XEN) avc: denied { logdirty } for domid=0 target=3 > scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t > tclass=shadow > May 24 20:29:20.721085 (XEN) avc: denied { disable } for domid=0 target=3 > scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t > tclass=shadow > May 24 20:29:20.737023 (XEN) avc: denied { disable } for domid=0 target=3 > scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t > tclass=shadow > > The above failures made guest local migration test fail for both PV and HVM > guests. Yes, this seems to be the biggest cause of failures > May 24 14:36:47.541016 (XEN) avc: denied { writeconsole } for domid=1 > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=xen > > This is PV specific, I think it was due to PV guest was configured to write to > console and XSM (rightfully?) rejected that. I think this is from the use of xen_raw_console_write early on in the Linux pvops kernel. By default these would be nop on a debug=n hypervisor, and they are controllable with the guest_loglvl hypervisor option in both debug cases, I think. I think XSM rejecting is valid, but I'd also be happy with a change to allow it and rely on the handling via the console options as folks like. Ian. > My guess is that HVM is not > configured to write to console so I don't see that in HVM test cases. Correct, although I would expect hvmloader to have been even more chatty, guess I am wrong about that. FWIW I saw quite a few of these from the stubdom mini-os when I tested stub-dm as well. Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.