
Re: [Xen-devel] unable to create domain after enabling XSM



On Tue, May 17, 2016 at 04:58:03PM +0800, Big Strong wrote:
> I should add the xsm=policy option to the end of the xen.cfg instead of as
> an option. Sorry for the fault.
> 
> However, another problem is that when I modified the policy and reload it
> using '*xl loadpolicy*', the policy seemed not working.
> 
> The policy I add is *'allow domU_t security_t:security check_context; allow
> domU_t domU_t_self:hvm gethvmc;*', and it is successfully loaded.
> 
> But executing XEN_DOMCTL_gethvmcontext_partial in domU_t would still cause
> the following violations:
> 
> *(XEN) avc:  denied  { gethvmc } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
> tclass=hvm*
> 
> Rebooting xen with the new policy doesn't work too. BTW, the domU_t I
> created is a HVM, I hope that is not the problem.

Rebooting meaning you put the policy on the boot partition and your xen.cfg
has xsm=<name of file>?

And it loads the policy? You can see that Xen has loaded it?

I am going to assume that the policy is loaded just fine - it is just that the
policy you wrote is not doing what it is expected to.

And oddly enough, you did not CC the XSM maintainer here. He may
be able to help.

> 
> 2016-05-17 16:33 GMT+08:00 Jan Beulich <JBeulich@xxxxxxxx>:
> 
> > >>> On 16.05.16 at 17:00, <fangtuo90@xxxxxxxxx> wrote:
> > > Actually I did that, but the policy is not loaded at all. 'xl list -Z'
> > show
> > > no lable on guests. It seems like that the option 'xsm=xen-policy-4.6.0'
> > is
> > > ingnored during booting. (the policy file is moved to the same directory
> > as
> > > xen.cfg)
> >
> > If you suspect it to be ignored, then please provide logs so we
> > can identify _where_ it gets ignored: The early EFI loader should
> > be pulling it into memory (note that the respective messages will
> > only be visible in a serial log if you also enable serial output for
> > EFI itself), and then XSM should be consuming it. Which of the
> > two goes wrong would be quite helpful to know, the more that it
> > looks like this works for others (e.g. Konrad).
> >
> > Jan
> >
> >

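As an added illustration (not from this thread and not Xen's own tooling): a small textual check of whether a FLASK `allow` rule, as written, matches the fields of an AVC denial. It parses the denial format and the rule syntax quoted above; the sample input is constructed (the thread's denial re-joined onto one line, plus a second, made-up denial for a permission the rules do not grant). It only compares type names, class and permission, so it ignores type attributes, constraints and, as the reply points out, whether the policy was actually loaded.

```python
import re

# Constructed sample input: the denial quoted in the thread, plus a second
# denial (constructed) for a permission that the rules below do not grant.
AVC_LOG = """\
(XEN) avc:  denied  { gethvmc } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self tclass=hvm
(XEN) avc:  denied  { sethvmc } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self tclass=hvm
"""

# The two allow rules quoted in the thread, in FLASK policy syntax.
POLICY_RULES = """\
allow domU_t security_t:security check_context;
allow domU_t domU_t_self:hvm gethvmc;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
# Accepts both "allow a b:c perm;" and "allow a b:c { perm1 perm2 };".
ALLOW_RE = re.compile(r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
                      r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;", re.M)

def parse_denials(log):
    """Return (source type, target type, class, permission) for each denied permission."""
    out = []
    for m in AVC_RE.finditer(log):
        stype = m.group("scon").split(":")[2]  # user:role:type -> type
        ttype = m.group("tcon").split(":")[2]
        for perm in m.group("perms").split():
            out.append((stype, ttype, m.group("tclass"), perm))
    return out

def parse_allows(policy):
    """Return the set of (src, tgt, class, perm) tuples granted by plain allow rules."""
    granted = set()
    for m in ALLOW_RE.finditer(policy):
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        for p in perms:
            granted.add((m.group("src"), m.group("tgt"), m.group("cls"), p))
    return granted

def check_coverage(log, policy):
    """Map each denial tuple to True if an allow rule textually grants it, else False."""
    granted = parse_allows(policy)
    return {d: d in granted for d in parse_denials(log)}

if __name__ == "__main__":
    for denial, covered in check_coverage(AVC_LOG, POLICY_RULES).items():
        print(("covered " if covered else "NOT covered"), denial)
```

If the first denial reports as covered by the rule text yet still appears in the log, the rule text is not the problem; check that the rebuilt policy is the one Xen actually loaded.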
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel