From: Ian Campbell <ian.campbell@citrix.com>
To: Wei Liu <wei.liu2@citrix.com>
Cc: xen-devel@lists.xenproject.org, Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: XSM: new set of "avc denied"
Date: Tue, 26 May 2015 10:13:31 +0100	[thread overview]
Message-ID: <1432631611.14664.71.camel@citrix.com> (raw)
In-Reply-To: <20150525094032.GV19083@zion.uk.xensource.com>

On Mon, 2015-05-25 at 10:40 +0100, Wei Liu wrote:
> I had a look at Osstest's latest xen-unstable run [0]. With Ian's patch
> series we finally passed the point of guest creation on x86.
> 
> We now have a new set of "avc denied".

Thanks for picking up on these, I was just about to.

> May 24 20:18:05.945118 (XEN) avc:  denied  { get_vnumainfo } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self tclass=domain2
> 
> This is HVM loader trying to call get_vnumainfo
> 
> May 24 20:28:50.593013 (XEN) avc:  denied  { logdirty } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
> May 24 20:29:20.721085 (XEN) avc:  denied  { disable } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
> May 24 20:29:20.737023 (XEN) avc:  denied  { disable } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
> 
> The above failures made guest local migration test fail for both PV and HVM
> guests.

Yes, this seems to be the biggest cause of failures

> May 24 14:36:47.541016 (XEN) avc:  denied  { writeconsole } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=xen
> 
> This is PV specific, I think it was due to PV guest was configured to write to
> console and XSM (rightfully?) rejected that.

I think this is from the use of xen_raw_console_write early on in the
Linux pvops kernel.

By default these would be nop on a debug=n hypervisor, and they are
controllable with the guest_loglvl hypervisor option in both debug
cases, I think.

I think XSM rejecting is valid, but I'd also be happy with a change to
allow it and rely on the handling via the console options as folks like.

Ian.

>  My guess is that HVM is not
> configured to write to console so I don't see that in HVM test cases.


Correct, although I would expect hvmloader to have been even more
chatty, guess I am wrong about that.

FWIW I saw quite a few of these from the stubdom mini-os when I tested
stub-dm as well.

Ian.
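As an added example (not part of this thread, and not Xen's own tooling), here is a small Python triage script for the kind of `avc: denied` lines quoted above. It parses each line into its permission set, source context, target context and object class, groups denials by (source type, target type, class), counts how often each group fired (which makes the "biggest cause of failures" visible at a glance) and prints draft Flask `allow` rules for review. The five AVC lines in the sample are copied from the thread; the sixth, non-AVC line is constructed to show that unrelated hypervisor output is ignored. The draft rules are a starting point for a policy decision, not something to apply unchanged: as the thread itself notes, a denial such as `writeconsole` may be exactly what the policy should do.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: five denial lines quoted in the thread plus one
# unrelated (constructed) hypervisor line that the parser must skip.
SAMPLE_LOG = """\
May 24 20:18:05.945118 (XEN) avc:  denied  { get_vnumainfo } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self tclass=domain2
May 24 20:28:50.593013 (XEN) avc:  denied  { logdirty } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
May 24 20:29:20.721085 (XEN) avc:  denied  { disable } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
May 24 20:29:20.737023 (XEN) avc:  denied  { disable } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=shadow
May 24 14:36:47.541016 (XEN) avc:  denied  { writeconsole } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=xen
May 24 14:36:47.600000 (XEN) Dom1 has maximum 4 VCPUs
""".splitlines()

# Shape of a Xen XSM/Flask AVC denial: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc_line(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    # domid is always present; target only for operations on another domain.
    rec["domid"] = int(rec["domid"])
    rec["target"] = int(rec["target"]) if "target" in rec else None
    return rec


def type_of(context):
    """Reduce 'system_u:system_r:domU_t' to its type component 'domU_t'."""
    return context.split(":")[-1]


@dataclass
class DenialGroup:
    perms: set = field(default_factory=set)  # every permission denied for this triple
    count: int = 0                           # how many log lines hit this triple


def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(DenialGroup)
    for line in lines:
        rec = parse_avc_line(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].perms.update(rec["perms"])
        groups[key].count += 1
    return dict(groups)


def draft_allow_rules(groups):
    """Render each group as a Flask policy 'allow' statement, sorted for stable output."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g.perms))} }};"
        for (src, tgt, cls), g in groups.items()
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (src, tgt, cls), g in sorted(summary.items(), key=lambda kv: -kv[1].count):
        print(f"{g.count:3d}x  {src} -> {tgt}:{cls}  {sorted(g.perms)}")
    print("\nDraft rules for review:")
    for rule in draft_allow_rules(summary):
        print("  " + rule)
```

Run it over a captured `xl dmesg` log instead of the embedded sample and the count column immediately separates a one-off denial from the one that breaks every migration.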

Thread overview:
2015-05-25  9:40 XSM: new set of "avc denied" Wei Liu
2015-05-26  9:13 ` Ian Campbell [this message]
2015-05-26  9:34 ` Jan Beulich
2015-05-26 18:19   ` Daniel De Graaf
