From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Big Strong <fangtuo90@gmail.com>, dgdegra@tycho.nsa.gov
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <JBeulich@suse.com>,
	xen-devel <xen-devel@lists.xen.org>
Subject: Re: unable to create domain after enabling XSM
Date: Tue, 17 May 2016 09:41:59 -0400
Message-ID: <20160517134159.GD29103@char.us.oracle.com>
In-Reply-To: <CAFnE1f1zs5tYF7SZFCOZuhKEtbYNVjWKT0tC-=f+B3svGg0_XQ@mail.gmail.com>

On Tue, May 17, 2016 at 04:58:03PM +0800, Big Strong wrote:
> I should add the xsm=policy option to the end of the xen.cfg instead of as
> an option. Sorry for the fault.
> 
> However, another problem is that when I modified the policy and reload it
> using '*xl loadpolicy*', the policy seemed not working.
> 
> The policy I add is *'allow domU_t security_t:security check_context; allow
> domU_t domU_t_self:hvm gethvmc;*', and it is successfully loaded.
> 
> But executing XEN_DOMCTL_gethvmcontext_partial in domU_t would still cause
> the following violations:
> 
> *(XEN) avc:  denied  { gethvmc } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
> tclass=hvm*
> 
> Rebooting xen with the new policy doesn't work either. BTW, the domU_t I
> created is an HVM, I hope that is not the problem.

Rebooting meaning you put the policy on the boot partition and your xen.cfg
has xsm=<name of file>?

And it loads the policy? You can see that Xen has loaded it?

I am going to assume that the policy is loaded just fine - it is just that the
policy you wrote is not doing what it is expected to.

And oddly enough, you did not CC the XSM maintainer here. He may
be able to help.

> 
> 2016-05-17 16:33 GMT+08:00 Jan Beulich <JBeulich@suse.com>:
> 
> > >>> On 16.05.16 at 17:00, <fangtuo90@gmail.com> wrote:
> > > Actually I did that, but the policy is not loaded at all. 'xl list -Z'
> > > shows no label on guests. It seems like the option 'xsm=xen-policy-4.6.0'
> > > is ignored during booting. (the policy file is moved to the same directory
> > > as xen.cfg)
> >
> > If you suspect it to be ignored, then please provide logs so we
> > can identify _where_ it gets ignored: The early EFI loader should
> > be pulling it into memory (note that the respective messages will
> > only be visible in a serial log if you also enable serial output for
> > EFI itself), and then XSM should be consuming it. Which of the
> > two goes wrong would be quite helpful to know, the more that it
> > looks like this works for others (e.g. Konrad).
> >
> > Jan
> >
> >

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
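The denial quoted in this thread and the allow rule the poster added are the two pieces of evidence one compares when an XSM/FLASK rule appears to have no effect: does the rule actually name the same source type, target type, object class and permission as the AVC message? The following parser is an added example, not code from the thread or from Xen; it assumes only the AVC line format and the `allow src tgt:class perm;` rule syntax that appear above. The sample denial and policy text are constructed from the thread. If the rule covers the denial and the denial still appears, the rule text is not the problem and the question becomes whether the policy in effect is the one you edited (the point Konrad is raising).

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_DENIAL = (
    "(XEN) avc:  denied  { gethvmc } for domid=1 "
    "scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self "
    "tclass=hvm"
)

# Constructed sample: the policy rules the poster said they added.
SAMPLE_POLICY = """
allow domU_t security_t:security check_context;
allow domU_t domU_t_self:hvm gethvmc;
"""

# "avc: denied { perm ... } ... scontext=u:r:type tcontext=u:r:type tclass=class"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# "allow src tgt:class perm;"  or  "allow src tgt:class { perm perm };"
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<permset>[^}]+?)\s*\}|(?P<perm>[^\s;]+))\s*;",
    re.MULTILINE,
)


def parse_denial(line):
    """Extract source type, target type, class and permissions from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # The type is the last field of a user:role:type security context.
        "stype": m.group("scontext").split(":")[-1],
        "ttype": m.group("tcontext").split(":")[-1],
        "tclass": m.group("tclass"),
    }


def parse_policy(text):
    """Collect the allow rules in a policy fragment as (src, tgt, class, perms)."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = m.group("permset") or m.group("perm")
        rules.append({
            "src": m.group("src"),
            "tgt": m.group("tgt"),
            "cls": m.group("cls"),
            "perms": set(perms.split()),
        })
    return rules


def uncovered_perms(denial, rules):
    """Permissions in the denial that no rule in the policy text grants."""
    covered = set()
    for r in rules:
        if (r["src"] == denial["stype"] and r["tgt"] == denial["ttype"]
                and r["cls"] == denial["tclass"]):
            covered |= r["perms"]
    return denial["perms"] - covered


def suggest_rule(denial):
    """Render the minimal allow rule that would cover the denial, for review."""
    perms = sorted(denial["perms"])
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {body};"


def check(denial_line, policy_text):
    """Return (uncovered permission set, suggested rule) for one AVC line."""
    denial = parse_denial(denial_line)
    if denial is None:
        raise ValueError("not an AVC denial line")
    return uncovered_perms(denial, parse_policy(policy_text)), suggest_rule(denial)


if __name__ == "__main__":
    missing, rule = check(SAMPLE_DENIAL, SAMPLE_POLICY)
    if missing:
        print("policy text does not cover:", sorted(missing), "-> candidate:", rule)
    else:
        print("policy text already covers this denial; verify the loaded policy")
```

Run against the thread's own data this reports that the rule text already covers the denial, which is exactly the situation being debugged: the next check is whether Xen loaded the modified policy at all (boot-time `xsm=` file or `xl loadpolicy`), not the rule's wording.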
