Re: [Xen-devel] XSM denials with 4.7.0 RC1
- To: Doug Goldstein <cardoe@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
- From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
- Date: Wed, 4 May 2016 13:20:26 -0400
- Delivery-date: Wed, 04 May 2016 17:20:34 +0000
- List-id: Xen developer discussion <xen-devel.lists.xen.org>
On 05/04/2016 09:52 AM, Doug Goldstein wrote:
> Hi all,
>
> Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
> following denials for any domU that attempts to run "xl". In my
> situation my domU needs to run "xl devd" because it's a driver domain.
>
> (XEN) avc: denied { xen_extraversion } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_extraversion } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_compile_info } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_capabilities } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_changeset } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_pagesize } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
These 6 denials should not happen with the policy in 4.7.0-rc1; are
you using an older policy?
> (XEN) avc: denied { xen_commandline } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
> (XEN) avc: denied { xen_build_id } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version
If these show up for domUs in normal operation (and I think using
"xl devd" probably qualifies for that), then they probably need
dontaudit rules.
--
Daniel De Graaf
National Security Agency
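As an added example (not code from this thread or from the Xen project), the script below parses hypervisor avc denials of the form quoted above, re-joins lines that the mail client wrapped, collapses the duplicate entries, and emits candidate FLASK policy rules in the SELinux-style syntax Xen's policy uses. Which permissions are silenced with dontaudit rather than granted with allow is a reviewer's decision; here the DONTAUDIT set (an assumption of the example) holds the two permissions Daniel suggests should get dontaudit rules, and the sample log is the eight denial lines from Doug's message.

```python
import re
from collections import defaultdict

# The eight denials quoted in the thread, wrapped across lines the way the
# mail client wrapped them (the first two are the duplicate xen_extraversion entry).
SAMPLE_LOG = """\
(XEN) avc: denied { xen_extraversion } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_extraversion } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_compile_info } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_capabilities } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_changeset } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_pagesize } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_commandline } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc: denied { xen_build_id } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
"""

# Permissions to silence rather than grant (assumption: taken from Daniel's
# suggestion in the reply above; adjust for your own policy review).
DONTAUDIT = frozenset({"xen_commandline", "xen_build_id"})

# One hypervisor avc line; whitespace is matched loosely because the real
# printk uses more spaces than the mail archive shows.
AVC_RE = re.compile(
    r"\(XEN\) avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for domid=(?P<domid>\d+)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return one dict per denial. A newline that is not followed by a new
    '(XEN)' record is treated as a wrap point and folded back into the line."""
    joined = re.sub(r"\n(?!\(XEN\))", " ", text.strip())
    denials = []
    for line in joined.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            denials.append(d)
    return denials


def type_of(context):
    """system_u:system_r:domU_t -> domU_t (the type field of a security context)."""
    return context.split(":")[2]


def suggest_rules(denials, dontaudit_perms=frozenset()):
    """Group denials by (source type, target type, class) and emit one allow
    rule for the permissions to grant and one dontaudit rule for the ones to
    silence. dontaudit keeps the access denied; it only suppresses the log."""
    grouped = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        grouped[key].update(d["perms"])

    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        grant = sorted(perms - dontaudit_perms)
        silence = sorted(perms & dontaudit_perms)
        if grant:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(grant)} }};")
        if silence:
            rules.append(f"dontaudit {src} {tgt}:{cls} {{ {' '.join(silence)} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(SAMPLE_LOG), DONTAUDIT):
        print(rule)
```

The generated allow rule is only a candidate: before adding it to the policy, confirm against the shipped policy whether those version-class permissions are already granted to domain_type (as Daniel's reply suggests they should be in 4.7.0-rc1), since an unexpected denial usually means the wrong policy was loaded rather than a missing rule. The dontaudit rule leaves the hypercall denied and merely stops the avc message, which is the right outcome for informational queries a guest can live without.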
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel