* unable to create domain after enabling XSM
From: Big Strong @ 2016-05-15 14:25 UTC (permalink / raw)
To: xen-devel
Hi,
I've configured xen 4.6.0 with xsm enabled and used the default flask policy
to boot the dom0.
However, when I try to create a domU, it fails for the following reasons:
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: granted { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security
> (XEN) avc: granted { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security
So I added the following rules to xen.te, which were obtained with 'sudo xl dmesg |
grep avc | audit2allow':
>
> allow dom0_t xen_t:domain getdomaininfo;
> allow dom0_t xen_t:event send;
> allow dom0_t xen_t:grant copy;
> allow dom0_t xen_t:hvm { trackdirtyvram irqlevel };
> allow dom0_t xen_t:domain { destroy pause };
> allow dom0_t self:event send;
Then I recompiled the flask policy and loaded it using 'xl loadpolicy'; however,
the creation of a domU (both hvm and pv, with or without seclabel) still
fails for the following reasons, even though there are no avc violations.
$ sudo xl create ~/xen-config/ubuntu-hvm3
> Parsing config from /home/john/xen-config/ubuntu-hvm
> libxl: error: libxl_device.c:952:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/5/51712
> libxl: error: libxl_device.c:952:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/5/5632
> libxl: error: libxl_create.c:1174:domcreate_launch_dm: unable to add disk devices
> libxl: error: libxl_dm.c:1956:kill_device_model: unable to find device model pid in /local/domain/5/image/device-model-pid
> libxl: error: libxl.c:1628:libxl__destroy_domid: libxl__destroy_device_model failed for 5
> libxl: error: libxl_device.c:952:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/5/51712
> libxl: error: libxl_device.c:952:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/5/5632
> libxl: error: libxl.c:1665:devices_destroy_cb: libxl__devices_destroy failed for 5
> libxl: error: libxl.c:1591:libxl__destroy_domid: non-existant domain 5
> libxl: error: libxl.c:1549:domain_destroy_callback: unable to destroy guest with domid 5
> libxl: error: libxl.c:1476:domain_destroy_cb: destruction of domain 5 failed
When xsm is disabled, the creation succeeds. What do these errors mean
anyway?
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
* Re: unable to create domain after enabling XSM
From: Andrew Cooper @ 2016-05-15 14:36 UTC (permalink / raw)
To: Big Strong, xen-devel
On 15/05/16 15:25, Big Strong wrote:
> Hi,
>
> I've configured xen 4.6.0 with xsm enabled and use the default flask
> policy to boot the dom0.
For issues like this, please always use the latest stable branch, in
this case making that Xen 4.6.1+. It is entirely possible that bugfixes
have been backported.
In this case, can you try current master (or 4.7.0-rc2)? Some of these
errors have definitely been fixed in the 4.7 dev period.
~Andrew
* Re: unable to create domain after enabling XSM
From: Big Strong @ 2016-05-16 3:08 UTC (permalink / raw)
To: Andrew Cooper; +Cc: xen-devel
As you suggested, I used xen 4.7.0-rc2 to test it again and the problem
still exists.
$ sudo xl create xen-config/win7
> Parsing config from xen-config/win7
> libxl: error: libxl_device.c:1033:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/1/51712
> libxl: error: libxl_create.c:1252:domcreate_launch_dm: unable to add disk devices
> libxl: error: libxl_device.c:1033:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/1/51712
> libxl: error: libxl.c:1636:devices_destroy_cb: libxl__devices_destroy failed for 1
> libxl: error: libxl.c:1564:libxl__destroy_domid: non-existant domain 1
> libxl: error: libxl.c:1523:domain_destroy_callback: unable to destroy guest with domid 1
> libxl: error: libxl.c:1452:domain_destroy_cb: destruction of domain 1 failed
Denied behaviors:
~$ sudo xl dmesg | grep avc
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
Corresponding rules:
~$ sudo xl dmesg | grep avc | audit2allow
> #============= dom0_t ==============
> allow dom0_t self:event send;
When I tried to add this rule to xen.te, it said:
> libsepol.check_assertion_helper: neverallow on line 2023 violated by allow dom0_t dom0_t:event { send };
So I commented out the following restriction in policy.conf and recompiled the
flask policy with the new rule added:
neverallow * ~event_type:event { create send status };
This time no rule violations are reported by 'xl dmesg | grep avc', but the
original errors when creating a domU (both hvm and pv, with or without
seclabel) still exist.
Basic info of xen configuration:
$ sudo xl info
> host : storage
> release : 3.19.0
> version : #1 SMP Tue Dec 8 09:27:36 CST 2015
> machine : x86_64
> nr_cpus : 6
> max_cpu_id : 143
> nr_nodes : 1
> cores_per_socket : 6
> threads_per_core : 1
> cpu_mhz : 1600
> hw_caps : b7ebfbff:77fef3ff:2c100800:00000021:00000001:000037ab:00000000:00000100
> virt_caps : hvm hvm_directio
> total_memory : 32667
> free_memory : 24046
> sharing_freed_memory : 0
> sharing_used_memory : 0
> outstanding_claims : 0
> free_cpus : 0
> xen_major : 4
> xen_minor : 7
> xen_extra : .0-rc
> xen_version : 4.7.0-rc
> xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
> xen_scheduler : credit
> xen_pagesize : 4096
> platform_params : virt_start=0xffff800000000000
> xen_changeset : Fri May 13 18:15:34 2016 +0100 git:4f6aea0-dirty
> xen_commandline : loglvl=all guest_loglvl=all com2=115200,8n1 console=com2,vga dom0_mem=8g,max:8g dom0_max_vcpus=1 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1 debug gdb=com2 flask=late
> cc_compiler : gcc (Ubuntu/Linaro 4.7.3-12ubuntu1) 4.7.3
> cc_compile_by : john
> cc_compile_domain :
> cc_compile_date : Mon May 16 09:31:31 CST 2016
> build_id : a24e288d6620ab380b91abf6e93917c0b0e26651
> xend_config_format : 4
BTW, I load the flask policy after dom0 boots by using 'xl loadpolicy'.
Xenstore logs:
If you need any further information, please feel free to ask. Any
suggestions will be appreciated.
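As an added example (not part of the thread or of the Xen tools), the Python below replays the `xl dmesg | grep avc | audit2allow` step from the two messages above and then checks each generated rule against the `neverallow * ~event_type:event { create send status };` assertion that rejected `allow dom0_t self:event send;`. The avc lines are constructed after the ones quoted in the thread, and the EVENT_TYPES set is an assumed stand-in for the types carrying the policy's event_type attribute.

```python
"""Replay the audit2allow step from the thread and check the generated rules
against the neverallow that rejected `allow dom0_t self:event send;`."""
import re
from collections import defaultdict

# Constructed sample modelled on the avc lines quoted in the thread; it is not
# output captured from a real host.
SAMPLE_DMESG = """\
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { getdomaininfo } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:xen_t tclass=domain
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:evchn0-1_t tclass=event
(XEN) avc: granted { load_policy } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:security_t tclass=security
"""

# Assumed stand-in for the types that carry the event_type attribute; the
# authoritative set is whatever the policy sources declare.
EVENT_TYPES = frozenset({"evchn0-1_t", "evchn1-0_t", "evchn0-U_t", "evchnU-0_t"})

# The assertion quoted from policy.conf in the thread:
#   neverallow * ~event_type:event { create send status };
NEVERALLOW_EVENT_PERMS = frozenset({"create", "send", "status"})

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<attrs>.*)"
)


def _type_of(context):
    """Return the type component of a user:role:type security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse avc lines into (verdict, perms, source type, target type, class)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split() if "=" in kv)
        records.append((
            m.group("verdict"),
            frozenset(m.group("perms").split()),
            _type_of(attrs["scontext"]),
            _type_of(attrs["tcontext"]),
            attrs["tclass"],
        ))
    return records


def generate_allow_rules(records):
    """Merge denials per (source, target, class) into allow rules, as audit2allow
    does; a rule whose target equals its source is written with `self`.
    Returns (rule_text, source, target, tclass, perms) tuples."""
    merged = defaultdict(set)
    for verdict, perms, stype, ttype, tclass in records:
        if verdict == "denied":          # granted lines never become rules
            merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ " + perm_txt + " }"
        rules.append((f"allow {stype} {target}:{tclass} {perm_txt};",
                      stype, ttype, tclass, frozenset(perms)))
    return rules


def violates_event_neverallow(ttype, tclass, perms, event_types=EVENT_TYPES):
    """True if the rule trips `neverallow * ~event_type:event { create send status }`:
    any source, an event-class target whose type lacks event_type, and at least
    one of the three listed permissions."""
    return (tclass == "event"
            and ttype not in event_types
            and bool(perms & NEVERALLOW_EVENT_PERMS))


def audit(text):
    """Map each generated rule to whether libsepol would reject it."""
    return {rule: violates_event_neverallow(ttype, tclass, perms)
            for rule, _stype, ttype, tclass, perms
            in generate_allow_rules(parse_avc(text))}


if __name__ == "__main__":
    for rule, bad in audit(SAMPLE_DMESG).items():
        print(("REJECTED " if bad else "ok       ") + rule)
```

The rejected rule is the one whose target type is a domain type (dom0_t) rather than an event-channel type, which is exactly the shape the neverallow exists to block; a denial whose tcontext is a properly typed channel passes.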
* Re: unable to create domain after enabling XSM
From: Big Strong @ 2016-05-16 8:54 UTC (permalink / raw)
To: Andrew Cooper; +Cc: xen-devel
Problem solved by booting xen with grub instead of efi. The deep reason is
unknown.
>> qemu_xen
>> [20160516T02:48:51.566Z] A12.3 rm
>> /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.566Z] A12.3 mkdir
>> /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.566Z] A12.3 setperms
>> /local/domain/1/device/vbd/51712 n1 r0
>> [20160516T02:48:51.567Z] A12.3 write
>> /local/domain/1/device/vbd/51712/backend /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.567Z] A12.3 write
>> /local/domain/1/device/vbd/51712/backend-id 0
>> [20160516T02:48:51.567Z] A12.3 setperms
>> /local/domain/1/device/vbd/51712/backend-id n1 r0
>> [20160516T02:48:51.567Z] A12.3 write
>> /local/domain/1/device/vbd/51712/state 1
>> [20160516T02:48:51.567Z] A12.3 setperms
>> /local/domain/1/device/vbd/51712/state n1 r0
>> [20160516T02:48:51.568Z] A12.3 write
>> /local/domain/1/device/vbd/51712/virtual-device 51712
>> [20160516T02:48:51.568Z] A12.3 setperms
>> /local/domain/1/device/vbd/51712/virtual-device n1 r0
>> [20160516T02:48:51.568Z] A12.3 write
>> /local/domain/1/device/vbd/51712/device-type disk
>> [20160516T02:48:51.568Z] A12.3 setperms
>> /local/domain/1/device/vbd/51712/device-type n1 r0
>> [20160516T02:48:51.568Z] A12.3 rm
>> /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.568Z] A12.3 mkdir
>> /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.569Z] A12.3 setperms
>> /local/domain/0/backend/vbd/1/51712 n0 r1
>> [20160516T02:48:51.569Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/frontend
>> /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.569Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/params /dev/storage-vg/win7
>> [20160516T02:48:51.569Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/script /etc/xen/scripts/block
>> [20160516T02:48:51.569Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/frontend-id 1
>> [20160516T02:48:51.570Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/online 1
>> [20160516T02:48:51.570Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/removable 0
>> [20160516T02:48:51.570Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/bootable 1
>> [20160516T02:48:51.570Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/state 1
>> [20160516T02:48:51.570Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/dev xvda
>> [20160516T02:48:51.571Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/type phy
>> [20160516T02:48:51.571Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/mode w
>> [20160516T02:48:51.571Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/device-type disk
>> [20160516T02:48:51.571Z] A12.3 write
>> /local/domain/0/backend/vbd/1/51712/discard-enable 1
>> [20160516T02:48:51.571Z] A12.3 commit
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712
>> FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712
>> FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event
>> backend/vbd/1/51712/frontend FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event
>> backend/vbd/1/51712/params FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event
>> backend/vbd/1/51712/script FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] A12 watch
>> /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:48:51.572Z] D0 w event
>> backend/vbd/1/51712/frontend-id FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/online FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] A12 w event
>> /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/removable FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/bootable FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/state FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/dev
>> FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/type
>> FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/mode
>> FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/device-type FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event
>> backend/vbd/1/51712/discard-enable FFFFFFFF81CA73E0
>> [20160516T02:49:01.581Z] A12 unwatch
>> /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:49:01.585Z] A12.4 rm
>> /local/domain/1/device/vbd/51712
>> [20160516T02:49:01.585Z] A12.4 rm
>> /local/domain/1/device/vbd
>> [20160516T02:49:01.586Z] A12.4 write
>> /local/domain/0/backend/vbd/1/51712/online 0
>> [20160516T02:49:01.586Z] A12.4 write
>> /local/domain/0/backend/vbd/1/51712/state 5
>> [20160516T02:49:01.586Z] A12.4 commit
>> [20160516T02:49:01.586Z] D0 w event
>> backend/vbd/1/51712/online FFFFFFFF81CA73E0
>> [20160516T02:49:01.586Z] D0 w event
>> backend/vbd/1/51712/state FFFFFFFF81CA73E0
>> [20160516T02:49:01.587Z] A12 watch
>> /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:01.587Z] A12 w event
>> /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:11.596Z] A12 unwatch
>> /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:11.598Z] A12.5 rm
>> /local/domain/1/device/vbd/51712
>> [20160516T02:49:11.598Z] A12.5 rm
>> /local/domain/0/backend/vbd/1/51712
>> [20160516T02:49:11.599Z] A12.5 rm
>> /local/domain/0/backend/vbd/1
>> [20160516T02:49:11.599Z] A12.5 rm
>> /local/domain/0/backend/vbd
>> [20160516T02:49:11.600Z] A12.5 rm /local/domain/0/backend
>> [20160516T02:49:11.600Z] A12.5 commit
>> [20160516T02:49:11.600Z] A5 w event backend/qnic/0
>> be:0x7fea03f3bc24:0:0x7fea04383ba0
>> [20160516T02:49:11.600Z] D0 w event backend/vbd/1/51712
>> FFFFFFFF81CA73E0
>> [20160516T02:49:11.600Z] A5 w event backend/qdisk/0
>> be:0x7fea03f3bc1e:0:0x7fea04377780
>> [20160516T02:49:11.601Z] A5 w event backend/vfb/0
>> be:0x7fea03f3bc1a:0:0x7fea0437bb20
>> [20160516T02:49:11.601Z] A5 w event backend/vkbd/0
>> be:0x7fea03f3bc15:0:0x7fea0437bac0
>> [20160516T02:49:11.601Z] A5 w event backend/console/0
>> be:0x7fea03f3bc0d:0:0x7fea0437a580
>> [20160516T02:49:11.602Z] A12 rm
>> /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:49:11.602Z] A12 rm /local/domain/1
>> [20160516T02:49:11.602Z] A4 w event /local/domain/1/console
>> dom1
>> [20160516T02:49:11.603Z] A12 rm /libxl/1
>> [20160516T02:49:11.603Z] A12 rm /local/domain/1/hvmloader
>> [20160516T02:49:11.992Z] D1 endconn
>> [20160516T02:49:11.992Z] A4 w event @releaseDomain domlist
>> [20160516T02:49:11.992Z] A4 unwatch /local/domain/1/console
>> dom1
>> [20160516T02:49:11.995Z] A12 endconn
>> [20160516T02:49:28.875Z] A13 newconn
>> [20160516T02:49:28.880Z] A13 endconn
>> [20160516T02:49:43.894Z] D0 w event backend/vbd/1
>> FFFFFFFF81CA73E0
>> [20160516T02:50:13.918Z] D0 w event backend/vbd/1
>> FFFFFFFF81CA73E0
>> [20160516T02:50:43.942Z] D0 w event backend/vbd/1
>> FFFFFFFF81CA73E0
>> [20160516T02:51:13.967Z] D0 w event backend/vbd/1
>> FFFFFFFF81CA73E0
>> [20160516T02:51:43.992Z] D0 w event backend/vbd/1
>> FFFFFFFF81CA73E0
>
>
> If you need any further information, please feel free to ask. Any
> suggestions will be appreciated.
>
> 2016-05-15 22:36 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>
>> On 15/05/16 15:25, Big Strong wrote:
>>
>> Hi,
>>
>> I've configured xen 4.6.0 with xsm enabled and use the default flask
>> policy to boot the dom0.
>>
>>
>> For issues like this, please always use the latest stable branch, in this
>> case making that Xen 4.6.1+. It is entirely possible that bugfixes have
>> been backported.
>>
>> In this case, can you try current master (or 4.7.0-rc2)? Some of these
>> errors have definitely been fixed in the 4.7 dev period.
>>
>> ~Andrew
>>
>
>
* Re: unable to create domain after enabling XSM
2016-05-16 8:54 ` Big Strong
@ 2016-05-16 9:43 ` Andrew Cooper
2016-05-16 13:43 ` Konrad Rzeszutek Wilk
0 siblings, 1 reply; 11+ messages in thread
From: Andrew Cooper @ 2016-05-16 9:43 UTC (permalink / raw)
To: Big Strong; +Cc: xen-devel
On 16/05/16 09:54, Big Strong wrote:
> Problem solved by booting xen with grub instead of efi. The deep
> reason is unknown.
Ah - that is very useful to know, and now obvious. EFI has no concept
of modules, which probably means the XSM policy doesn't get loaded.
FWIW, there is a plan to change how XSM policies are done in the future,
by embedding the policy at build time.
~Andrew
* Re: unable to create domain after enabling XSM
2016-05-16 9:43 ` Andrew Cooper
@ 2016-05-16 13:43 ` Konrad Rzeszutek Wilk
2016-05-16 15:00 ` Big Strong
0 siblings, 1 reply; 11+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-05-16 13:43 UTC (permalink / raw)
To: Andrew Cooper; +Cc: Big Strong, xen-devel
On Mon, May 16, 2016 at 10:43:49AM +0100, Andrew Cooper wrote:
> On 16/05/16 09:54, Big Strong wrote:
> > Problem solved by booting xen with grub instead of efi. The deep
> > reason is unknown.
>
> Ah - that is very useful to know, and now obvious. EFI has no concept
> of modules, which probably means the XSM policy doesn't get loaded.
It does. You just add in xen.cfg:
[konrad@x230 efi]$ more xen.cfg
[global]
default=xtt
[xtt]
options=console=com1,vga com1=115200,8n1 loglvl=all guest_loglvl=all
kernel=vmlinuz console=hvc0
ramdisk=initramfs.cpio.gz
xsm=xenpolicy
The 'xsm' attribute.
?
>
> FWIW, there is a plan to change how XSM policies are done in the future,
> by embedding the policy at build time.
>
> ~Andrew
* Re: unable to create domain after enabling XSM
2016-05-16 13:43 ` Konrad Rzeszutek Wilk
@ 2016-05-16 15:00 ` Big Strong
2016-05-17 8:33 ` Jan Beulich
0 siblings, 1 reply; 11+ messages in thread
From: Big Strong @ 2016-05-16 15:00 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: Andrew Cooper, xen-devel
Actually I did that, but the policy is not loaded at all. 'xl list -Z' shows
no label on guests. It seems that the option 'xsm=xen-policy-4.6.0' is
ignored during booting. (the policy file is moved to the same directory as
xen.cfg)
2016-05-16 21:43 GMT+08:00 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>:
> On Mon, May 16, 2016 at 10:43:49AM +0100, Andrew Cooper wrote:
> > On 16/05/16 09:54, Big Strong wrote:
> > > Problem solved by booting xen with grub instead of efi. The deep
> > > reason is unknown.
> >
> > Ah - that is very useful to know, and now obvious. EFI has no concept
> > of modules, which probably means the XSM policy doesn't get loaded.
>
> It does. You just add in xen.cfg:
> [konrad@x230 efi]$ more xen.cfg
> [global]
> default=xtt
>
> [xtt]
> options=console=com1,vga com1=115200,8n1 loglvl=all guest_loglvl=all
> kernel=vmlinuz console=hvc0
> ramdisk=initramfs.cpio.gz
> xsm=xenpolicy
>
> The 'xsm' attribute.
> ?
> >
> > FWIW, there is a plan to change how XSM policies are done in the future,
> > by embedding the policy at build time.
> >
> > ~Andrew
>
* Re: unable to create domain after enabling XSM
2016-05-16 15:00 ` Big Strong
@ 2016-05-17 8:33 ` Jan Beulich
2016-05-17 8:58 ` Big Strong
0 siblings, 1 reply; 11+ messages in thread
From: Jan Beulich @ 2016-05-17 8:33 UTC (permalink / raw)
To: Big Strong; +Cc: Andrew Cooper, xen-devel
>>> On 16.05.16 at 17:00, <fangtuo90@gmail.com> wrote:
> Actually I did that, but the policy is not loaded at all. 'xl list -Z' shows
> no label on guests. It seems that the option 'xsm=xen-policy-4.6.0' is
> ignored during booting. (the policy file is moved to the same directory as
> xen.cfg)
If you suspect it to be ignored, then please provide logs so we
can identify _where_ it gets ignored: The early EFI loader should
be pulling it into memory (note that the respective messages will
only be visible in a serial log if you also enable serial output for
EFI itself), and then XSM should be consuming it. Which of the
two goes wrong would be quite helpful to know, the more that it
looks like this works for others (e.g. Konrad).
Jan
* Re: unable to create domain after enabling XSM
2016-05-17 8:33 ` Jan Beulich
@ 2016-05-17 8:58 ` Big Strong
2016-05-17 13:41 ` Konrad Rzeszutek Wilk
0 siblings, 1 reply; 11+ messages in thread
From: Big Strong @ 2016-05-17 8:58 UTC (permalink / raw)
To: Jan Beulich; +Cc: Andrew Cooper, xen-devel
I should add the xsm=policy option to the end of the xen.cfg instead of as
an option. Sorry for the fault.
However, another problem is that when I modified the policy and reloaded it
using 'xl loadpolicy', the policy seemed not to be working.
The policy I added is 'allow domU_t security_t:security check_context; allow
domU_t domU_t_self:hvm gethvmc;', and it is successfully loaded.
But executing XEN_DOMCTL_gethvmcontext_partial in domU_t would still cause
the following violations:
(XEN) avc: denied { gethvmc } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
tclass=hvm
Rebooting xen with the new policy doesn't work either. BTW, the domU_t I
created is an HVM; I hope that is not the problem.
2016-05-17 16:33 GMT+08:00 Jan Beulich <JBeulich@suse.com>:
> >>> On 16.05.16 at 17:00, <fangtuo90@gmail.com> wrote:
> > Actually I did that, but the policy is not loaded at all. 'xl list -Z'
> > shows no label on guests. It seems that the option 'xsm=xen-policy-4.6.0'
> > is ignored during booting. (the policy file is moved to the same directory
> > as xen.cfg)
>
> If you suspect it to be ignored, then please provide logs so we
> can identify _where_ it gets ignored: The early EFI loader should
> be pulling it into memory (note that the respective messages will
> only be visible in a serial log if you also enable serial output for
> EFI itself), and then XSM should be consuming it. Which of the
> two goes wrong would be quite helpful to know, the more that it
> looks like this works for others (e.g. Konrad).
>
> Jan
>
>
* Re: unable to create domain after enabling XSM
2016-05-17 8:58 ` Big Strong
@ 2016-05-17 13:41 ` Konrad Rzeszutek Wilk
2016-05-17 14:17 ` Big Strong
0 siblings, 1 reply; 11+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-05-17 13:41 UTC (permalink / raw)
To: Big Strong, dgdegra; +Cc: Andrew Cooper, Jan Beulich, xen-devel
On Tue, May 17, 2016 at 04:58:03PM +0800, Big Strong wrote:
> I should add the xsm=policy option to the end of the xen.cfg instead of as
> an option. Sorry for the fault.
>
> However, another problem is that when I modified the policy and reloaded it
> using 'xl loadpolicy', the policy seemed not to be working.
>
> The policy I added is 'allow domU_t security_t:security check_context; allow
> domU_t domU_t_self:hvm gethvmc;', and it is successfully loaded.
>
> But executing XEN_DOMCTL_gethvmcontext_partial in domU_t would still cause
> the following violations:
>
> (XEN) avc: denied { gethvmc } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self
> tclass=hvm
>
> Rebooting xen with the new policy doesn't work either. BTW, the domU_t I
> created is an HVM; I hope that is not the problem.
Rebooting meaning you put the policy on the boot partition and your xen.cfg
has xsm=<name of file>?
And it loads the policy? You can see that Xen has loaded it?
I am going to assume that the policy is loaded just fine - it's just that the
policy you wrote is not doing what is expected.
And oddly enough, you did not CC the XSM maintainer here. He may
be able to help.
>
> 2016-05-17 16:33 GMT+08:00 Jan Beulich <JBeulich@suse.com>:
>
> > >>> On 16.05.16 at 17:00, <fangtuo90@gmail.com> wrote:
> > > Actually I did that, but the policy is not loaded at all. 'xl list -Z'
> > > shows no label on guests. It seems that the option 'xsm=xen-policy-4.6.0'
> > > is ignored during booting. (the policy file is moved to the same directory
> > > as xen.cfg)
> >
> > If you suspect it to be ignored, then please provide logs so we
> > can identify _where_ it gets ignored: The early EFI loader should
> > be pulling it into memory (note that the respective messages will
> > only be visible in a serial log if you also enable serial output for
> > EFI itself), and then XSM should be consuming it. Which of the
> > two goes wrong would be quite helpful to know, the more that it
> > looks like this works for others (e.g. Konrad).
> >
> > Jan
> >
> >
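The distinction Konrad draws above (rule text versus what the hypervisor actually enforces) can be checked mechanically: parse the AVC denials Xen logs, parse the allow rules the author believes are loaded, and report which denials the rules do not textually cover. This is an added example, not part of the thread or of Xen's tooling; the log lines and rule text are constructed from the messages quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines modelled on the ones quoted in this thread.
SAMPLE_LOG = """\
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { gethvmc } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self tclass=hvm
"""
# The two rules Big Strong reports adding to the policy.
POSTED_RULES = "allow domU_t security_t:security check_context; allow domU_t domU_t_self:hvm gethvmc;"

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]*)\} for domid=\d+ "
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
# allow <src> <tgt>:<class> <perm>;  or  allow <src> <tgt>:<class> { p1 p2 };
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")

def parse_avc(line):
    """(source type, target type, class, perms) of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type; allow rules are written against the type.
    return (m["scon"].rsplit(":", 1)[-1], m["tcon"].rsplit(":", 1)[-1],
            m["tclass"], frozenset(m["perms"].split()))

def collect_denials(log):
    """Merge repeated denials into one permission set per (src, tgt, class)."""
    needed = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            needed[(src, tgt, cls)] |= perms
    return dict(needed)

def parse_allow_rules(policy_text):
    """Permissions each textual allow rule grants, per (src, tgt, class)."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        granted[(src, tgt, cls)] |= set(perms.strip("{} ").split())
    return dict(granted)

def uncovered(denials, rules):
    """Denials no rule accounts for. A key that is absent here yet still denied at
    runtime points at policy loading/building rather than at the rule text."""
    gaps = {}
    for key, perms in denials.items():
        missing = perms - rules.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps

def suggest_rules(gaps):
    """Render remaining gaps as allow rules in the syntax used in the thread."""
    out = []
    for (src, tgt, cls), perms in sorted(gaps.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    denials = collect_denials(SAMPLE_LOG)
    gaps = uncovered(denials, parse_allow_rules(POSTED_RULES))
    for key in denials:
        print(key, "NOT covered" if key in gaps else "covered by posted rules")
    print("\n".join(suggest_rules(gaps)))
```

On the sample input the gethvmc denial is reported as covered by the posted rule, so a denial that persists after loading would have to be investigated at the loading step Jan describes rather than in the rule itself.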
Thread overview:
2016-05-15 14:25 unable to create domain after enabling XSM Big Strong
2016-05-15 14:36 ` Andrew Cooper
2016-05-16 3:08 ` Big Strong
2016-05-16 8:54 ` Big Strong
2016-05-16 9:43 ` Andrew Cooper
2016-05-16 13:43 ` Konrad Rzeszutek Wilk
2016-05-16 15:00 ` Big Strong
2016-05-17 8:33 ` Jan Beulich
2016-05-17 8:58 ` Big Strong
2016-05-17 13:41 ` Konrad Rzeszutek Wilk
2016-05-17 14:17 ` Big Strong