On 05/04/2016 09:52 AM, Doug Goldstein wrote:
> Hi all,
>
> Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
> following denials for any domU that attempts to run "xl". In my
> situation my domU needs to run "xl devd" because it's a driver domain.
>
> (XEN) avc:  denied  { xen_extraversion } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_extraversion } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_compile_info } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_capabilities } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_changeset } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_pagesize } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version

These 6 denials should not happen with the policy in 4.7.0-rc1; are
you using an older policy?

> (XEN) avc:  denied  { xen_commandline } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc:  denied  { xen_build_id } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version

If these show up for domUs in normal operation (and I think using
"xl devd" probably qualifies for that), then they probably need
dontaudit rules.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
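The thread turns on reading the hypervisor's avc denial lines and deciding which of them deserve a policy rule. The script below is an added example (it is not code from the thread or from the Xen tree): an audit2allow-style helper that parses lines of the form shown above, collapses them into one FLASK type-enforcement rule per (source type, target type, class), and can emit either `dontaudit` (silence the log without granting, as Daniel suggests for the last two) or `allow` rules, optionally skipping permissions the loaded policy already grants. The function names, the `skip` parameter, and the regex's tolerance of optional fields between `domid=` and `scontext=` are this example's assumptions; the sample log is constructed from the denials quoted in the thread, including their line wrapping, so it runs offline.

```python
"""Turn Xen FLASK avc denials into policy rules (audit2allow-style helper).

Added example, not code from the xen-devel thread or from Xen itself.
Parses the "(XEN) avc:  denied  { perm } for domid=N scontext=...
tcontext=... tclass=..." lines the hypervisor prints (visible via
`xl dmesg`) and groups them into rules such as

    dontaudit domU_t xen_t:version { xen_build_id xen_commandline };
"""
import re
from collections import defaultdict

# Assumption: optional fields (target=, irq=, ...) may sit between
# domid= and scontext=; the non-greedy .*? skips them.  DOTALL lets a
# denial that the console wrapped across several lines still match.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"  # one or more permissions
    r"\s+for\s+domid=(?P<domid>\d+)"               # requesting domain
    r".*?scontext=(?P<scon>\S+)"                    # source security context
    r"\s+tcontext=(?P<tcon>\S+)"                    # target security context
    r"\s+tclass=(?P<tclass>\S+)",                   # object class
    re.DOTALL,
)


def context_type(ctx):
    """'system_u:system_r:domU_t' -> 'domU_t'; TE rules are written on types."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return one (domid, source type, target type, class, perm) per denial.

    A single avc line may list several permissions in the braces; each
    becomes its own tuple so duplicates can be collapsed later.
    """
    out = []
    for m in DENIAL_RE.finditer(text):
        for perm in m.group("perms").split():
            out.append((int(m.group("domid")),
                        context_type(m.group("scon")),
                        context_type(m.group("tcon")),
                        m.group("tclass"),
                        perm))
    return out


def to_rules(denials, kind="dontaudit", skip=frozenset()):
    """Collapse denials into one rule per (source, target, class).

    kind: "dontaudit" stops the denial being logged but still denies it;
          "allow" grants the permission.
    skip: permissions already present in the loaded policy; they are
          dropped so the emitted rule only covers what is really missing.
    """
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    grouped = defaultdict(set)
    for _domid, src, tgt, tclass, perm in denials:
        if perm not in skip:
            grouped[(src, tgt, tclass)].add(perm)
    return ["%s %s %s:%s { %s };" % (kind, src, tgt, tclass, " ".join(sorted(perms)))
            for (src, tgt, tclass), perms in sorted(grouped.items())]


# Constructed sample: the denials quoted in the thread, wrapped as printed.
SAMPLE_LOG = """\
(XEN) avc:  denied  { xen_extraversion } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_extraversion } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_compile_info } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_capabilities } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_changeset } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_pagesize } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_commandline } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
(XEN) avc:  denied  { xen_build_id } for domid=1
scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
tclass=version
"""

# Permissions the thread says the 4.7.0-rc1 policy already grants to domUs.
ALREADY_ALLOWED = frozenset({"xen_extraversion", "xen_compile_info",
                             "xen_capabilities", "xen_changeset", "xen_pagesize"})

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for rule in to_rules(denials, kind="dontaudit", skip=ALREADY_ALLOWED):
        print(rule)
```

Run against the sample it prints a single `dontaudit domU_t xen_t:version { xen_build_id xen_commandline };`, which is the rule the reply suggests. Two caveats before pasting such a rule into the policy source: a `dontaudit` only hides the message, so if the domain actually needs the answer (a driver domain whose `xl devd` would otherwise misbehave) an `allow` is what is wanted, and generated rules should always be checked against what the policy already grants rather than applied blindly, which is why `skip` exists. The rebuilt policy is loaded into the running hypervisor with `xl loadpolicy`.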
