Hello
I know by configuring XSM and FLASK policy it is possible to use xl in domU. But how can this be implemented? I've compiled xen with XSM enabled and booted the xen-linux kernel with FLASK policy configured.
~$ sudo xl dmesg | grep avc
(XEN) avc:  denied  { create } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { getdomaininfo } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { max_vcpus } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { create } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:object_r:dom0_t tclass=event
(XEN) avc:  denied  { bind } for domid=0 scontext=system_u:object_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc:  denied  { getvcpuinfo } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { getaffinity } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { setaffinity } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { setdomainmaxmem } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { settsc } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain2
(XEN) avc:  denied  { enable } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=shadow
(XEN) avc:  denied  { getaddrsize } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { adjust } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { map_read map_write } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { setparam } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { cacheflush } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain2
(XEN) avc:  denied  { sethvmc } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { stat } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { physmap } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { setup } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=grant
(XEN) avc:  denied  { getscheduler } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { setscheduler } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain2
(XEN) avc:  denied  { set_max_evtchn } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain2
(XEN) avc:  denied  { getparam } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { getvcpuextstate } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { set_cpuid } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain2
(XEN) avc:  denied  { map_read map_write } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=grant
(XEN) avc:  denied  { create } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:object_r:unlabeled_t tclass=event
(XEN) avc:  denied  { bind } for domid=0 target=1 scontext=system_u:object_r:unlabeled_t tcontext=system_u:system_r:unlabeled_t tclass=event
(XEN) avc:  denied  { status } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:object_r:unlabeled_t tclass=event
(XEN) avc:  denied  { irqlevel } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { hvmctl } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { unpause } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { pcilevel } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:object_r:unlabeled_t tclass=event
(XEN) avc:  denied  { updatemp } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=mmu
(XEN) avc:  denied  { trackdirtyvram } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { setvcpuextstate } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain
(XEN) avc:  denied  { cacheflush } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain2
(XEN) avc:  denied  { pause } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { destroy } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
So I create policy rules with:
$ sudo xl dmesg | grep avc | audit2allow
#============= dom0_t ==============
allow dom0_t unlabeled_t:domain { destroy pause shutdown };
allow dom0_t unlabeled_t:grant unmap;
allow dom0_t unlabeled_t:hvm { pcilevel trackdirtyvram };
#============= domU_t ==============
allow domU_t xen_t:xen writeconsole;
#============= unlabeled_t ==============
allow unlabeled_t irq_t:resource remove_irq;
And reboot the xen-linux kernel with the new policy. Then 'xl dmesg | grep avc |grep audit2allow' in dom0 shows nothing.
So I believe the XSM should not be the problem. And
~$ sudo xl list -Z
Name                                        ID   Mem VCPUs      State   Time(s)  Security Label
Domain-0                                     0  8191     1     r-----      48.6 system_u:system_r:dom0_t
ubuntu-hvm                                   1  2048     1     -b----       2.1 system_u:system_r:unlabeled_t
ubuntu-pv2                                   2  1024     1     -b----       0.5 system_u:system_r:domU_t
I want to use the xl toolstack in ubuntu-pv2 to manage ubuntu-hvm. But in ubuntu-pv2:
$ sudo xl list
ERROR:  Can't find version 4.4 of xen utils, bailing out!
$ dpkg -l|grep xen-utils-common
ii  xen-utils-common          4.4.2-0ubuntu0.14.04.2        all      Xen administrative tools - common files
$ lsmod |grep xen
xen_privcmd            13243  0
xen_kbdfront           12797  0
xen_fbfront            17552  1
fb_sys_fops            12703  1 xen_fbfront
syscopyarea            12529  1 xen_fbfront
sysfillrect            12701  1 xen_fbfront
sysimgblt              12640  1 xen_fbfront
So where is the problem? Any suggestions will be welcome.
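As an added example (not part of the original mail or of Xen's tooling), a small Python script that does what the `xl dmesg | grep avc | audit2allow` step above does for Xen's AVC line format: it parses each denial into source type, target type, class and permissions, merges them into FLASK allow rules, and also reports which target domids were still labelled unlabeled_t (as ubuntu-hvm is in the xl list -Z output). The sample lines are constructed from the format shown in the mail.

```python
import re
from collections import defaultdict

# Constructed sample in the format "xl dmesg" prints for XSM/FLASK denials
# (one non-AVC line included to show it is ignored).
SAMPLE_DMESG = """\
(XEN) avc:  denied  { create } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { getdomaininfo } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { map_read map_write } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { updatemp } for domid=0 target=2 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=mmu
(XEN) avc:  denied  { pause } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) Xen version 4.4.2 (not an avc line)
"""

# "target=N" is absent when the denied operation has no target domain.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for domid=(?P<domid>\d+)"
    r"(?: target=(?P<target>\d+))?"
    r" scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avc_lines(text):
    """Yield one dict per AVC denial; lines that are not denials are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()   # "{ map_read map_write }" -> two perms
            yield d

def type_of(context):
    """user:role:type -> type, the part FLASK allow rules are written against."""
    return context.split(":")[-1]

def denials_to_allow_rules(text):
    """Merge denials sharing (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for d in parse_avc_lines(text):
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        perms[key].update(d["perms"])
    rules = []
    for st, tt, cls in sorted(perms):
        p = sorted(perms[(st, tt, cls)])
        pstr = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {st} {tt}:{cls} {pstr};")
    return rules

def unlabeled_targets(text):
    """Domids whose tcontext is unlabeled_t: rules generated for them grant
    access to every domain without a label, not just the one intended."""
    return sorted({d["target"] for d in parse_avc_lines(text)
                   if d["target"] and type_of(d["tcontext"]) == "unlabeled_t"})

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_DMESG)))
    print("unlabeled target domids:", unlabeled_targets(SAMPLE_DMESG))
```

Feed it the real output with `xl dmesg | grep avc` and compare the merged rules with what audit2allow emits; an allow rule against unlabeled_t is worth replacing by giving that guest its own seclabel first.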