On Mon, 2015-12-14 at 11:11 +0000, George Dunlap wrote:
> On Mon, Dec 14, 2015 at 10:14 AM, Ian Campbell <ian.campb...@citrix.com> wrote:
> > On Fri, 2015-12-11 at 15:16 +0000, Ian Campbell wrote:
> > >
> > > I have a new flight going on (65755) with flask=permissive instead of
> > > flask=enforcing (assuming I didn't botch the osstest modifications to
> > > support that setting via a runvar).
> >
> > I did botch the mods, but luckily permissive is the default, so I got what
> > I wanted ;-)
> >
> > > If that test passes, prints the AVC message but not the missing IRQ message
> > > then I think that would be our smoking gun.
> >
> > http://logs.test-lab.xenproject.org/osstest/logs/65758/
> >
> > From serial-merlot1.log:
> >
> > Dec 11 18:01:57.001037 (XEN) Flask: 64 avtab hash slots, 236 rules.
> > Dec 11 18:01:57.009023 (XEN) Flask: 64 avtab hash slots, 236 rules.
> > Dec 11 18:01:57.017004 (XEN) Flask: 3 users, 3 roles, 36 types, 2 bools
> > Dec 11 18:01:57.017038 (XEN) Flask: 12 classes, 236 rules
> > Dec 11 18:01:57.025015 (XEN) Flask: Starting in permissive mode.
> > [...]
> > Dec 11 18:06:01.229194 (XEN) avc: denied { pcilevel } for domid=2 target=1 scontext=system_u:system_r:dm_dom_t tcontext=system_u:system_r:domU_t_target tclass=hvm
> >
> > http://logs.test-lab.xenproject.org/osstest/logs/65758/test-amd64-amd64-xl-qemut-stubdom-debianhvm-amd64-xsm/merlot1---var-log-xen-qemu-dm-debianhvm.guest.osstest--incoming.log.10
>
> So wait -- does flask not report denials when in enforcing mode?

It does, I'm not sure what made you think otherwise, earlier in the thread I
quoted such a denial and it was that which led me down this path.

Ian.
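
The following is an added example, not part of the original thread or of osstest: a small Python parser for the Flask lines quoted above that reads the startup mode and groups `avc: denied` records by source context, target context, class and permission. The function names and the sample log are constructed for illustration (the second denial line is a made-up repeat of the one quoted in the thread).

```python
import re

# Constructed sample, modelled on the serial log lines quoted in the thread.
SAMPLE_LOG = """\
Dec 11 18:01:57.017038 (XEN) Flask: 12 classes, 236 rules
Dec 11 18:01:57.025015 (XEN) Flask: Starting in permissive mode.
Dec 11 18:06:01.229194 (XEN) avc: denied { pcilevel } for domid=2 target=1 scontext=system_u:system_r:dm_dom_t tcontext=system_u:system_r:domU_t_target tclass=hvm
Dec 11 18:06:01.229300 (XEN) avc: denied { pcilevel } for domid=2 target=1 scontext=system_u:system_r:dm_dom_t tcontext=system_u:system_r:domU_t_target tclass=hvm
"""

MODE_RE = re.compile(r"Flask:\s+Starting in (\w+) mode")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_flask_log(text):
    """Return (mode, denials); denials maps (scontext, tcontext, tclass, perm) to a count."""
    mode = None
    denials = {}
    for line in text.splitlines():
        m = MODE_RE.search(line)
        if m:
            mode = m.group(1)
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # Everything after "for" is whitespace-separated key=value pairs.
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        for perm in m.group("perms").split():
            key = (fields.get("scontext", "?"), fields.get("tcontext", "?"),
                   fields.get("tclass", "?"), perm)
            denials[key] = denials.get(key, 0) + 1
    return mode, denials


def summarize(text):
    """One line per distinct denial, annotated with what the mode implies."""
    mode, denials = parse_flask_log(text)
    # Permissive: the denial is logged and the operation proceeds.
    # Enforcing: the same line means the operation was refused.
    effect = {"permissive": "logged only", "enforcing": "blocked"}.get(mode, "mode unknown")
    return [f"{effect}: {s} -> {t} class={c} perm={p} (x{n})"
            for (s, t, c, p), n in sorted(denials.items())]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```
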