[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] unable to create domain after enabling XSM

As you suggested, I used xen 4.7.0-rc2 to test it again and the problem still exists.

$ sudo xl create xen-config/win7
Parsing config from xen-config/win7
libxl: error: libxl_device.c:1033:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/1/51712
libxl: error: libxl_create.c:1252:domcreate_launch_dm: unable to add disk devices
libxl: error: libxl_device.c:1033:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/1/51712
libxl: error: libxl.c:1636:devices_destroy_cb: libxl__devices_destroy failed for 1
libxl: error: libxl.c:1564:libxl__destroy_domid: non-existant domain 1
libxl: error: libxl.c:1523:domain_destroy_callback: unable to destroy guest with domid 1
libxl: error: libxl.c:1452:domain_destroy_cb: destruction of domain 1 failed

Denied behaviors:

~$ sudo xl dmesg | grep avc
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event

Corresponding rules:

~$ sudo xl dmesg | grep avc | audit2allow
#============= dom0_t ==============
allow dom0_t self:event send;

When I tried to add this rule to xen.te, it says  

libsepol.check_assertion_helper: neverallow on line 2023 violated by allow dom0_t dom0_t:event { send };

So I comment the following restriction in policy.conf and recompile flask policy with the new rule added.

neverallow * ~event_type:event { create send status };

This time no rule violations are generated by checking 'xl dmesg| grep avc', but the errors in the very first place when creating domU (both hvm and pv, with or without seclabel) still exist. 

Basic info of xen configuration:

$ sudo xl info
host                   : storage
release                : 3.19.0
version                : #1 SMP Tue Dec 8 09:27:36 CST 2015
machine                : x86_64
nr_cpus                : 6
max_cpu_id             : 143
nr_nodes               : 1
cores_per_socket       : 6
threads_per_core       : 1
cpu_mhz                : 1600
hw_caps                : b7ebfbff:77fef3ff:2c100800:00000021:00000001:000037ab:                                                                                                                                00000000:00000100
virt_caps              : hvm hvm_directio
total_memory           : 32667
free_memory            : 24046
sharing_freed_memory   : 0
sharing_used_memory    : 0
outstanding_claims     : 0
free_cpus              : 0
xen_major              : 4
xen_minor              : 7
xen_extra              : .0-rc
xen_version            : 4.7.0-rc
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-                                                                                                                                x86_32p hvm-3.0-x86_64
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : Fri May 13 18:15:34 2016 +0100 git:4f6aea0-dirty
xen_commandline        : loglvl=all guest_loglvl=all com2=115200,8n1 console=co                                                                                                                                m2,vga dom0_mem=8g,max:8g dom0_max_vcpus=1 dom0_vcpus_pin=true hap_1gb=false ha                                                                                                                                p_2mb=false altp2m=1 debug gdb=com2 flask=late
cc_compiler            : gcc (Ubuntu/Linaro 4.7.3-12ubuntu1) 4.7.3
cc_compile_by          : john
cc_compile_domain      :
cc_compile_date        : Mon May 16 09:31:31 CST 2016
build_id               : a24e288d6620ab380b91abf6e93917c0b0e26651
xend_config_format     : 4

BTW, I load flask policy after dom0 boots by using 'xl loadpolicy'

Xenstore logs:

[20160516T02:48:50.847Z]  A12          newconn
[20160516T02:48:50.860Z]  A12.1        rm        /local/domain/1
[20160516T02:48:50.860Z]  A12.1        write     /local/domain/1
[20160516T02:48:50.860Z]  A12.1        setperms  /local/domain/1 n0 r1
[20160516T02:48:50.860Z]  A12.1        rm        /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
[20160516T02:48:50.861Z]  A12.1        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
[20160516T02:48:50.861Z]  A12.1        setperms  /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac n0 r1
[20160516T02:48:50.861Z]  A12.1        rm        /libxl/1
[20160516T02:48:50.861Z]  A12.1        write     /libxl/1
[20160516T02:48:50.862Z]  A12.1        setperms  /libxl/1 n0
[20160516T02:48:50.862Z]  A12.1        write     /local/domain/1/vm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
[20160516T02:48:50.864Z]  A12.1        write     /local/domain/1/name win7
[20160516T02:48:50.864Z]  A12.1        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
[20160516T02:48:50.864Z]  A12.1        write     /local/domain/1/cpu
[20160516T02:48:50.865Z]  A12.1        setperms  /local/domain/1/cpu n0 r1
[20160516T02:48:50.865Z]  A12.1        write     /local/domain/1/memory
[20160516T02:48:50.865Z]  A12.1        setperms  /local/domain/1/memory n0 r1
[20160516T02:48:50.865Z]  A12.1        write     /local/domain/1/device
[20160516T02:48:50.866Z]  A12.1        setperms  /local/domain/1/device n0 r1
[20160516T02:48:50.866Z]  A12.1        write     /local/domain/1/control
[20160516T02:48:50.866Z]  A12.1        setperms  /local/domain/1/control n0 r1
[20160516T02:48:50.866Z]  A12.1        write     /local/domain/1/hvmloader
[20160516T02:48:50.866Z]  A12.1        setperms  /local/domain/1/hvmloader n0 r1
[20160516T02:48:50.867Z]  A12.1        write     /local/domain/1/control/shutdown
[20160516T02:48:50.867Z]  A12.1        setperms  /local/domain/1/control/shutdown n1
[20160516T02:48:50.867Z]  A12.1        write     /local/domain/1/device/suspend/event-channel
[20160516T02:48:50.868Z]  A12.1        setperms  /local/domain/1/device/suspend/event-channel n1
[20160516T02:48:50.868Z]  A12.1        write     /local/domain/1/data
[20160516T02:48:50.869Z]  A12.1        setperms  /local/domain/1/data n1
[20160516T02:48:50.869Z]  A12.1        write     /local/domain/1/drivers
[20160516T02:48:50.869Z]  A12.1        setperms  /local/domain/1/drivers n1
[20160516T02:48:50.869Z]  A12.1        write     /local/domain/1/feature
[20160516T02:48:50.869Z]  A12.1        setperms  /local/domain/1/feature n1
[20160516T02:48:50.870Z]  A12.1        write     /local/domain/1/attr
[20160516T02:48:50.870Z]  A12.1        setperms  /local/domain/1/attr n1
[20160516T02:48:50.871Z]  A12.1        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/uuid b3084abf-0b69-45cb-9128-ad3ea4ff00ac
[20160516T02:48:50.871Z]  A12.1        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
[20160516T02:48:50.872Z]  A12.1        write     /local/domain/1/control/platform-feature-multiprocessor-suspend 1
[20160516T02:48:50.872Z]  A12.1        write     /local/domain/1/control/platform-feature-xs_reset_watches 1
[20160516T02:48:50.872Z]  A12.1        commit
[20160516T02:48:50.872Z]  A12          write     /libxl/1/dm-version qemu_xen
[20160516T02:48:51.561Z]  A12.2        write     /local/domain/1/memory/static-max 1048576
[20160516T02:48:51.561Z]  A12.2        write     /local/domain/1/memory/target 1040384
[20160516T02:48:51.561Z]  A12.2        write     /local/domain/1/memory/videoram 8192
[20160516T02:48:51.561Z]  A12.2        write     /local/domain/1/domid 1
[20160516T02:48:51.561Z]  A12.2        write     /local/domain/1/store/port 1
[20160516T02:48:51.562Z]  A12.2        write     /local/domain/1/store/ring-ref 1044476
[20160516T02:48:51.562Z]  A12.2        write     /local/domain/1/cpu/0/availability online
[20160516T02:48:51.562Z]  A12.2        write     /local/domain/1/platform/acpi 1
[20160516T02:48:51.562Z]  A12.2        write     /local/domain/1/platform/acpi_s3 1
[20160516T02:48:51.563Z]  A12.2        write     /local/domain/1/platform/acpi_s4 1
[20160516T02:48:51.563Z]  A12.2        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/rtc/timeoffset
[20160516T02:48:51.563Z]  A12.2        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/image/ostype hvm
[20160516T02:48:51.563Z]  A12.2        write     /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/start_time 1463366930.87
[20160516T02:48:51.563Z]  A12.2        commit
[20160516T02:48:51.564Z]  D1           newconn
[20160516T02:48:51.564Z]  A4           w event   @introduceDomain domlist
[20160516T02:48:51.564Z]  A4           watch     /local/domain/1/console dom1
[20160516T02:48:51.565Z]  A4           w event   /local/domain/1/console dom1
[20160516T02:48:51.565Z]  A12          write     /libxl/1/dm-version qemu_xen
[20160516T02:48:51.566Z]  A12.3        rm        /local/domain/1/device/vbd/51712
[20160516T02:48:51.566Z]  A12.3        mkdir     /local/domain/1/device/vbd/51712
[20160516T02:48:51.566Z]  A12.3        setperms  /local/domain/1/device/vbd/51712 n1 r0
[20160516T02:48:51.567Z]  A12.3        write     /local/domain/1/device/vbd/51712/backend /local/domain/0/backend/vbd/1/51712
[20160516T02:48:51.567Z]  A12.3        write     /local/domain/1/device/vbd/51712/backend-id 0
[20160516T02:48:51.567Z]  A12.3        setperms  /local/domain/1/device/vbd/51712/backend-id n1 r0
[20160516T02:48:51.567Z]  A12.3        write     /local/domain/1/device/vbd/51712/state 1
[20160516T02:48:51.567Z]  A12.3        setperms  /local/domain/1/device/vbd/51712/state n1 r0
[20160516T02:48:51.568Z]  A12.3        write     /local/domain/1/device/vbd/51712/virtual-device 51712
[20160516T02:48:51.568Z]  A12.3        setperms  /local/domain/1/device/vbd/51712/virtual-device n1 r0
[20160516T02:48:51.568Z]  A12.3        write     /local/domain/1/device/vbd/51712/device-type disk
[20160516T02:48:51.568Z]  A12.3        setperms  /local/domain/1/device/vbd/51712/device-type n1 r0
[20160516T02:48:51.568Z]  A12.3        rm        /local/domain/0/backend/vbd/1/51712
[20160516T02:48:51.568Z]  A12.3        mkdir     /local/domain/0/backend/vbd/1/51712
[20160516T02:48:51.569Z]  A12.3        setperms  /local/domain/0/backend/vbd/1/51712 n0 r1
[20160516T02:48:51.569Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/frontend /local/domain/1/device/vbd/51712
[20160516T02:48:51.569Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/params /dev/storage-vg/win7
[20160516T02:48:51.569Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/script /etc/xen/scripts/block
[20160516T02:48:51.569Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/frontend-id 1
[20160516T02:48:51.570Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/online 1
[20160516T02:48:51.570Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/removable 0
[20160516T02:48:51.570Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/bootable 1
[20160516T02:48:51.570Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/state 1
[20160516T02:48:51.570Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/dev xvda
[20160516T02:48:51.571Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/type phy
[20160516T02:48:51.571Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/mode w
[20160516T02:48:51.571Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/device-type disk
[20160516T02:48:51.571Z]  A12.3        write     /local/domain/0/backend/vbd/1/51712/discard-enable 1
[20160516T02:48:51.571Z]  A12.3        commit
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712 FFFFFFFF81CA73E0
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712 FFFFFFFF81CA73E0
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712/frontend FFFFFFFF81CA73E0
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712/params FFFFFFFF81CA73E0
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712/script FFFFFFFF81CA73E0
[20160516T02:48:51.572Z]  A12          watch     /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:48:51.572Z]  D0           w event   backend/vbd/1/51712/frontend-id FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/online FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  A12          w event   /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/removable FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/bootable FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/state FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/dev FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/type FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/mode FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/device-type FFFFFFFF81CA73E0
[20160516T02:48:51.573Z]  D0           w event   backend/vbd/1/51712/discard-enable FFFFFFFF81CA73E0
[20160516T02:49:01.581Z]  A12          unwatch   /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:49:01.585Z]  A12.4        rm        /local/domain/1/device/vbd/51712
[20160516T02:49:01.585Z]  A12.4        rm        /local/domain/1/device/vbd
[20160516T02:49:01.586Z]  A12.4        write     /local/domain/0/backend/vbd/1/51712/online 0
[20160516T02:49:01.586Z]  A12.4        write     /local/domain/0/backend/vbd/1/51712/state 5
[20160516T02:49:01.586Z]  A12.4        commit
[20160516T02:49:01.586Z]  D0           w event   backend/vbd/1/51712/online FFFFFFFF81CA73E0
[20160516T02:49:01.586Z]  D0           w event   backend/vbd/1/51712/state FFFFFFFF81CA73E0
[20160516T02:49:01.587Z]  A12          watch     /local/domain/0/backend/vbd/1/51712/state 3/1
[20160516T02:49:01.587Z]  A12          w event   /local/domain/0/backend/vbd/1/51712/state 3/1
[20160516T02:49:11.596Z]  A12          unwatch   /local/domain/0/backend/vbd/1/51712/state 3/1
[20160516T02:49:11.598Z]  A12.5        rm        /local/domain/1/device/vbd/51712
[20160516T02:49:11.598Z]  A12.5        rm        /local/domain/0/backend/vbd/1/51712
[20160516T02:49:11.599Z]  A12.5        rm        /local/domain/0/backend/vbd/1
[20160516T02:49:11.599Z]  A12.5        rm        /local/domain/0/backend/vbd
[20160516T02:49:11.600Z]  A12.5        rm        /local/domain/0/backend
[20160516T02:49:11.600Z]  A12.5        commit
[20160516T02:49:11.600Z]  A5           w event   backend/qnic/0 be:0x7fea03f3bc24:0:0x7fea04383ba0
[20160516T02:49:11.600Z]  D0           w event   backend/vbd/1/51712 FFFFFFFF81CA73E0
[20160516T02:49:11.600Z]  A5           w event   backend/qdisk/0 be:0x7fea03f3bc1e:0:0x7fea04377780
[20160516T02:49:11.601Z]  A5           w event   backend/vfb/0 be:0x7fea03f3bc1a:0:0x7fea0437bb20
[20160516T02:49:11.601Z]  A5           w event   backend/vkbd/0 be:0x7fea03f3bc15:0:0x7fea0437bac0
[20160516T02:49:11.601Z]  A5           w event   backend/console/0 be:0x7fea03f3bc0d:0:0x7fea0437a580
[20160516T02:49:11.602Z]  A12          rm        /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
[20160516T02:49:11.602Z]  A12          rm        /local/domain/1
[20160516T02:49:11.602Z]  A4           w event   /local/domain/1/console dom1
[20160516T02:49:11.603Z]  A12          rm        /libxl/1
[20160516T02:49:11.603Z]  A12          rm        /local/domain/1/hvmloader
[20160516T02:49:11.992Z]  D1           endconn
[20160516T02:49:11.992Z]  A4           w event   @releaseDomain domlist
[20160516T02:49:11.992Z]  A4           unwatch   /local/domain/1/console dom1
[20160516T02:49:11.995Z]  A12          endconn
[20160516T02:49:28.875Z]  A13          newconn
[20160516T02:49:28.880Z]  A13          endconn
[20160516T02:49:43.894Z]  D0           w event   backend/vbd/1 FFFFFFFF81CA73E0
[20160516T02:50:13.918Z]  D0           w event   backend/vbd/1 FFFFFFFF81CA73E0
[20160516T02:50:43.942Z]  D0           w event   backend/vbd/1 FFFFFFFF81CA73E0
[20160516T02:51:13.967Z]  D0           w event   backend/vbd/1 FFFFFFFF81CA73E0
[20160516T02:51:43.992Z]  D0           w event   backend/vbd/1 FFFFFFFF81CA73E0

If you need any further information, please feel free to ask. Any suggestions will be appreciated.

2016-05-15 22:36 GMT+08:00 Andrew Cooper <andrew.cooper3@xxxxxxxxxx>:
On 15/05/16 15:25, Big Strong wrote:
Hi,

I've configured xen 4.6.0 with xsm enabled and use the default flask policy to boot the dom0.

 For issues like this, please always use the latest stable branch, in this case making that Xen 4.6.1+.  It is entirely possible that bugfixes have been backported.

In this case, can you try current master (or 4.7.0-rc2)? Some of these errors have definitely been fixed in the 4.7 dev period.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.