Problem solved by booting xen with grub instead of efi. The deep reason is unknown.
2016-05-16 11:08 GMT+08:00 Big Strong <fangtu...@gmail.com>:
> As you suggested, I used xen 4.7.0-rc2 to test it again and the problem still exists.
>
> $ sudo xl create xen-config/win7
>> Parsing config from xen-config/win7
>> libxl: error: libxl_device.c:1033:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/1/51712
>> libxl: error: libxl_create.c:1252:domcreate_launch_dm: unable to add disk devices
>> libxl: error: libxl_device.c:1033:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/1/51712
>> libxl: error: libxl.c:1636:devices_destroy_cb: libxl__devices_destroy failed for 1
>> libxl: error: libxl.c:1564:libxl__destroy_domid: non-existant domain 1
>> libxl: error: libxl.c:1523:domain_destroy_callback: unable to destroy guest with domid 1
>> libxl: error: libxl.c:1452:domain_destroy_cb: destruction of domain 1 failed
>
> Denied behaviors:
>
> ~$ sudo xl dmesg | grep avc
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
>
> Corresponding rules:
>
> ~$ sudo xl dmesg | grep avc | audit2allow
>> #============= dom0_t ==============
>> allow dom0_t self:event send;
>
> When I tried to add this rule to xen.te, it says
>
>> libsepol.check_assertion_helper: neverallow on line 2023 violated by allow dom0_t dom0_t:event { send };
>
> So I comment the following restriction in policy.conf and recompile flask policy with the new rule added.
>
> neverallow * ~event_type:event { create send status };
>
> This time no rule violations are generated by checking 'xl dmesg| grep avc', but the errors in the very first place when creating domU (both hvm and pv, with or without seclabel) still exist.
>
> Basic info of xen configuration:
>
> $ sudo xl info
>> host : storage
>> release : 3.19.0
>> version : #1 SMP Tue Dec 8 09:27:36 CST 2015
>> machine : x86_64
>> nr_cpus : 6
>> max_cpu_id : 143
>> nr_nodes : 1
>> cores_per_socket : 6
>> threads_per_core : 1
>> cpu_mhz : 1600
>> hw_caps : b7ebfbff:77fef3ff:2c100800:00000021:00000001:000037ab:00000000:00000100
>> virt_caps : hvm hvm_directio
>> total_memory : 32667
>> free_memory : 24046
>> sharing_freed_memory : 0
>> sharing_used_memory : 0
>> outstanding_claims : 0
>> free_cpus : 0
>> xen_major : 4
>> xen_minor : 7
>> xen_extra : .0-rc
>> xen_version : 4.7.0-rc
>> xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
>> xen_scheduler : credit
>> xen_pagesize : 4096
>> platform_params : virt_start=0xffff800000000000
>> xen_changeset : Fri May 13 18:15:34 2016 +0100 git:4f6aea0-dirty
>> xen_commandline : loglvl=all guest_loglvl=all com2=115200,8n1 console=com2,vga dom0_mem=8g,max:8g dom0_max_vcpus=1 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1 debug gdb=com2 flask=late
>> cc_compiler : gcc (Ubuntu/Linaro 4.7.3-12ubuntu1) 4.7.3
>> cc_compile_by : john
>> cc_compile_domain :
>> cc_compile_date : Mon May 16 09:31:31 CST 2016
>> build_id : a24e288d6620ab380b91abf6e93917c0b0e26651
>> xend_config_format : 4
>
> BTW, I load flask policy after dom0 boots by using 'xl loadpolicy'
>
> Xenstore logs:
>
>> [20160516T02:48:50.847Z] A12 newconn
>> [20160516T02:48:50.860Z] A12.1 rm /local/domain/1
>> [20160516T02:48:50.860Z] A12.1 write /local/domain/1
>> [20160516T02:48:50.860Z] A12.1 setperms /local/domain/1 n0 r1
>> [20160516T02:48:50.860Z] A12.1 rm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:48:50.861Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:48:50.861Z] A12.1 setperms /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac n0 r1
>> [20160516T02:48:50.861Z] A12.1 rm /libxl/1
>> [20160516T02:48:50.861Z] A12.1 write /libxl/1
>> [20160516T02:48:50.862Z] A12.1 setperms /libxl/1 n0
>> [20160516T02:48:50.862Z] A12.1 write /local/domain/1/vm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:48:50.864Z] A12.1 write /local/domain/1/name win7
>> [20160516T02:48:50.864Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
>> [20160516T02:48:50.864Z] A12.1 write /local/domain/1/cpu
>> [20160516T02:48:50.865Z] A12.1 setperms /local/domain/1/cpu n0 r1
>> [20160516T02:48:50.865Z] A12.1 write /local/domain/1/memory
>> [20160516T02:48:50.865Z] A12.1 setperms /local/domain/1/memory n0 r1
>> [20160516T02:48:50.865Z] A12.1 write /local/domain/1/device
>> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/device n0 r1
>> [20160516T02:48:50.866Z] A12.1 write /local/domain/1/control
>> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/control n0 r1
>> [20160516T02:48:50.866Z] A12.1 write /local/domain/1/hvmloader
>> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/hvmloader n0 r1
>> [20160516T02:48:50.867Z] A12.1 write /local/domain/1/control/shutdown
>> [20160516T02:48:50.867Z] A12.1 setperms /local/domain/1/control/shutdown n1
>> [20160516T02:48:50.867Z] A12.1 write /local/domain/1/device/suspend/event-channel
>> [20160516T02:48:50.868Z] A12.1 setperms /local/domain/1/device/suspend/event-channel n1
>> [20160516T02:48:50.868Z] A12.1 write /local/domain/1/data
>> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/data n1
>> [20160516T02:48:50.869Z] A12.1 write /local/domain/1/drivers
>> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/drivers n1
>> [20160516T02:48:50.869Z] A12.1 write /local/domain/1/feature
>> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/feature n1
>> [20160516T02:48:50.870Z] A12.1 write /local/domain/1/attr
>> [20160516T02:48:50.870Z] A12.1 setperms /local/domain/1/attr n1
>> [20160516T02:48:50.871Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/uuid b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:48:50.871Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
>> [20160516T02:48:50.872Z] A12.1 write /local/domain/1/control/platform-feature-multiprocessor-suspend 1
>> [20160516T02:48:50.872Z] A12.1 write /local/domain/1/control/platform-feature-xs_reset_watches 1
>> [20160516T02:48:50.872Z] A12.1 commit
>> [20160516T02:48:50.872Z] A12 write /libxl/1/dm-version qemu_xen
>> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/static-max 1048576
>> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/target 1040384
>> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/videoram 8192
>> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/domid 1
>> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/store/port 1
>> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/store/ring-ref 1044476
>> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/cpu/0/availability online
>> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/platform/acpi 1
>> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/platform/acpi_s3 1
>> [20160516T02:48:51.563Z] A12.2 write /local/domain/1/platform/acpi_s4 1
>> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/rtc/timeoffset
>> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/image/ostype hvm
>> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/start_time 1463366930.87
>> [20160516T02:48:51.563Z] A12.2 commit
>> [20160516T02:48:51.564Z] D1 newconn
>> [20160516T02:48:51.564Z] A4 w event @introduceDomain domlist
>> [20160516T02:48:51.564Z] A4 watch /local/domain/1/console dom1
>> [20160516T02:48:51.565Z] A4 w event /local/domain/1/console dom1
>> [20160516T02:48:51.565Z] A12 write /libxl/1/dm-version qemu_xen
>> [20160516T02:48:51.566Z] A12.3 rm /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.566Z] A12.3 mkdir /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.566Z] A12.3 setperms /local/domain/1/device/vbd/51712 n1 r0
>> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/backend /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/backend-id 0
>> [20160516T02:48:51.567Z] A12.3 setperms /local/domain/1/device/vbd/51712/backend-id n1 r0
>> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/state 1
>> [20160516T02:48:51.567Z] A12.3 setperms /local/domain/1/device/vbd/51712/state n1 r0
>> [20160516T02:48:51.568Z] A12.3 write /local/domain/1/device/vbd/51712/virtual-device 51712
>> [20160516T02:48:51.568Z] A12.3 setperms /local/domain/1/device/vbd/51712/virtual-device n1 r0
>> [20160516T02:48:51.568Z] A12.3 write /local/domain/1/device/vbd/51712/device-type disk
>> [20160516T02:48:51.568Z] A12.3 setperms /local/domain/1/device/vbd/51712/device-type n1 r0
>> [20160516T02:48:51.568Z] A12.3 rm /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.568Z] A12.3 mkdir /local/domain/0/backend/vbd/1/51712
>> [20160516T02:48:51.569Z] A12.3 setperms /local/domain/0/backend/vbd/1/51712 n0 r1
>> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/frontend /local/domain/1/device/vbd/51712
>> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/params /dev/storage-vg/win7
>> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/script /etc/xen/scripts/block
>> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/frontend-id 1
>> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/online 1
>> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/removable 0
>> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/bootable 1
>> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/state 1
>> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/dev xvda
>> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/type phy
>> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/mode w
>> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/device-type disk
>> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/discard-enable 1
>> [20160516T02:48:51.571Z] A12.3 commit
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/frontend FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/params FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/script FFFFFFFF81CA73E0
>> [20160516T02:48:51.572Z] A12 watch /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/frontend-id FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/online FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] A12 w event /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/removable FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/bootable FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/state FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/dev FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/type FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/mode FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/device-type FFFFFFFF81CA73E0
>> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/discard-enable FFFFFFFF81CA73E0
>> [20160516T02:49:01.581Z] A12 unwatch /local/domain/0/backend/vbd/1/51712/state 3/0
>> [20160516T02:49:01.585Z] A12.4 rm /local/domain/1/device/vbd/51712
>> [20160516T02:49:01.585Z] A12.4 rm /local/domain/1/device/vbd
>> [20160516T02:49:01.586Z] A12.4 write /local/domain/0/backend/vbd/1/51712/online 0
>> [20160516T02:49:01.586Z] A12.4 write /local/domain/0/backend/vbd/1/51712/state 5
>> [20160516T02:49:01.586Z] A12.4 commit
>> [20160516T02:49:01.586Z] D0 w event backend/vbd/1/51712/online FFFFFFFF81CA73E0
>> [20160516T02:49:01.586Z] D0 w event backend/vbd/1/51712/state FFFFFFFF81CA73E0
>> [20160516T02:49:01.587Z] A12 watch /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:01.587Z] A12 w event /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:11.596Z] A12 unwatch /local/domain/0/backend/vbd/1/51712/state 3/1
>> [20160516T02:49:11.598Z] A12.5 rm /local/domain/1/device/vbd/51712
>> [20160516T02:49:11.598Z] A12.5 rm /local/domain/0/backend/vbd/1/51712
>> [20160516T02:49:11.599Z] A12.5 rm /local/domain/0/backend/vbd/1
>> [20160516T02:49:11.599Z] A12.5 rm /local/domain/0/backend/vbd
>> [20160516T02:49:11.600Z] A12.5 rm /local/domain/0/backend
>> [20160516T02:49:11.600Z] A12.5 commit
>> [20160516T02:49:11.600Z] A5 w event backend/qnic/0 be:0x7fea03f3bc24:0:0x7fea04383ba0
>> [20160516T02:49:11.600Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
>> [20160516T02:49:11.600Z] A5 w event backend/qdisk/0 be:0x7fea03f3bc1e:0:0x7fea04377780
>> [20160516T02:49:11.601Z] A5 w event backend/vfb/0 be:0x7fea03f3bc1a:0:0x7fea0437bb20
>> [20160516T02:49:11.601Z] A5 w event backend/vkbd/0 be:0x7fea03f3bc15:0:0x7fea0437bac0
>> [20160516T02:49:11.601Z] A5 w event backend/console/0 be:0x7fea03f3bc0d:0:0x7fea0437a580
>> [20160516T02:49:11.602Z] A12 rm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
>> [20160516T02:49:11.602Z] A12 rm /local/domain/1
>> [20160516T02:49:11.602Z] A4 w event /local/domain/1/console dom1
>> [20160516T02:49:11.603Z] A12 rm /libxl/1
>> [20160516T02:49:11.603Z] A12 rm /local/domain/1/hvmloader
>> [20160516T02:49:11.992Z] D1 endconn
>> [20160516T02:49:11.992Z] A4 w event @releaseDomain domlist
>> [20160516T02:49:11.992Z] A4 unwatch /local/domain/1/console dom1
>> [20160516T02:49:11.995Z] A12 endconn
>> [20160516T02:49:28.875Z] A13 newconn
>> [20160516T02:49:28.880Z] A13 endconn
>> [20160516T02:49:43.894Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
>> [20160516T02:50:13.918Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
>> [20160516T02:50:43.942Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
>> [20160516T02:51:13.967Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
>> [20160516T02:51:43.992Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
>
> If you need any further information, please feel free to ask. Any suggestions will be appreciated.
>
> 2016-05-15 22:36 GMT+08:00 Andrew Cooper <andrew.coop...@citrix.com>:
>
>> On 15/05/16 15:25, Big Strong wrote:
>>
>>> Hi,
>>>
>>> I've configured xen 4.6.0 with xsm enabled and use the default flask policy to boot the dom0.
>>
>> For issues like this, please always use the latest stable branch, in this case making that Xen 4.6.1+. It is entirely possible that bugfixes have been backported.
>>
>> In this case, can you try current master (or 4.7.0-rc2)? Some of these errors have definitely been fixed in the 4.7 dev period.
>>
>> ~Andrew
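The avc denials, the audit2allow output and the neverallow violation quoted in the thread, worked through as an added example (my code, not Xen's tooling and not from the thread): a checker that parses avc lines out of `xl dmesg`, collapses them into the rule audit2allow would print, and tests that rule against the quoted `neverallow * ~event_type:event { create send status };` before anything is recompiled. The attribute membership in ATTRIBUTES and the channel type name `example_channel` are constructed assumptions standing in for what a real check would read from the compiled policy; the non-avc line in SAMPLE_DMESG is constructed too.

```python
import re

# Constructed sample in the shape of `xl dmesg` output: the repeated denial
# from the thread plus an unrelated (constructed) line the parser must skip.
SAMPLE_DMESG = """\
(XEN) Freed 312kB init memory
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
"""

# The assertion quoted in the thread from policy.conf.
NEVERALLOW = "neverallow * ~event_type:event { create send status };"

# Assumption: which types carry which attributes in the loaded policy. A real
# check would take this from the compiled policy; 'example_channel' is a
# constructed placeholder for a properly declared channel type.
ATTRIBUTES = {"event_type": {"example_channel"}}

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]*)\} for domid=(?P<domid>\d+)\s+"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
NEVERALLOW_RE = re.compile(
    r"neverallow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+\{(?P<perms>[^}]*)\}"
)


def type_of(context):
    """Type field of a user:role:type security context."""
    return context.split(":")[-1]


def parse_avc(dmesg):
    """Extract every avc denial as a dict; lines without one are skipped."""
    found = []
    for line in dmesg.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append({"perms": set(m["perms"].split()), "domid": int(m["domid"]),
                          "scon": m["scon"], "tcon": m["tcon"], "tclass": m["tclass"]})
    return found


def parse_neverallow(line):
    """Parse the one neverallow form used on the page (source, target:class, { perms })."""
    m = NEVERALLOW_RE.search(line)
    if not m:
        raise ValueError("unsupported neverallow syntax: " + line)
    return {"src": m["src"], "tgt": m["tgt"], "cls": m["cls"], "perms": set(m["perms"].split())}


def suggest_rules(denials):
    """Collapse denials into audit2allow-style allow rules, one per
    (source type, target type, class), merging the permissions."""
    merged = {}
    for d in denials:
        key = (type_of(d["scon"]), type_of(d["tcon"]), d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return [{"src": s, "tgt": t, "cls": c, "perms": p} for (s, t, c), p in sorted(merged.items())]


def format_rule(rule):
    """Render a rule the way audit2allow prints it ('self' when src == tgt)."""
    tgt = "self" if rule["tgt"] == rule["src"] else rule["tgt"]
    perms = " ".join(sorted(rule["perms"]))
    if len(rule["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {rule['src']} {tgt}:{rule['cls']} {perms};"


def violates(rule, never, attributes):
    """True if `rule` would trip `never`. Only the forms on the page are handled:
    '*' or a plain type as source, '~attribute' or a plain type as target."""
    if rule["cls"] != never["cls"] or not (rule["perms"] & never["perms"]):
        return False
    if never["src"] != "*" and never["src"] != rule["src"]:
        return False
    if never["tgt"].startswith("~"):
        return rule["tgt"] not in attributes.get(never["tgt"][1:], set())
    return rule["tgt"] == never["tgt"]


def audit(dmesg, neverallow_line, attributes):
    """Return [(rule text, would_violate)] for the rules audit2allow would propose."""
    never = parse_neverallow(neverallow_line)
    return [(format_rule(r), violates(r, never, attributes)) for r in suggest_rules(parse_avc(dmesg))]


if __name__ == "__main__":
    for text, bad in audit(SAMPLE_DMESG, NEVERALLOW, ATTRIBUTES):
        print(("VIOLATES neverallow: " if bad else "ok: ") + text)
```

What the output says is that the neverallow is doing its job: with a tcontext of `dom0_t`, a domain type rather than a type carrying `event_type`, the only rule that silences the denial is one the policy forbids by design, whereas the same permission against a channel type in ATTRIBUTES passes. The defender's question is therefore why that event channel is labelled with the domain type instead of a channel type (in the FLASK policy, event channels are meant to get their own type through a type_transition declared by the macros in xen.if; that is my reading of the policy, verify against the tree you built), not how to silence the assertion. Commenting it out, as the thread shows, did not fix the domain creation failure anyway.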
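The xenstored trace quoted in the thread, read by a script rather than by eye: an added Python example (mine, not from the thread and not Xen code) that pulls out every write to a backend device's `state` node, which connection wrote it, and how long the toolstack watched that node before giving up. SAMPLE_TRACE is a constructed excerpt in the shape of the trace above; the XenbusState numbering is the standard one from the xenbus protocol, and the reading of connection prefixes (A = a socket client such as libxl, D = a domain's ring connection) is my assumption about the trace format.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the xenstored trace quoted in the thread:
# the toolstack (connection A12.x) creates the vbd backend node, watches its
# state, and ten seconds later unwatches it and writes state 5.
SAMPLE_TRACE = """\
[20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/state 1
[20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/state 1
[20160516T02:48:51.571Z] A12.3 commit
[20160516T02:48:51.572Z] A12 watch /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:48:51.573Z] A12 w event /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:49:01.581Z] A12 unwatch /local/domain/0/backend/vbd/1/51712/state 3/0
[20160516T02:49:01.586Z] A12.4 write /local/domain/0/backend/vbd/1/51712/state 5
[20160516T02:49:01.586Z] A12.4 commit
"""

# XenbusState values from the xenbus protocol.
XENBUS_STATE = {1: "Initialising", 2: "InitWait", 3: "Initialised", 4: "Connected",
                5: "Closing", 6: "Closed", 7: "Reconfiguring", 8: "Reconfigured"}

# [timestamp] <connection> <op> <args...>; "w event" is the one two-word op.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<conn>\S+)\s+(?P<op>w event|\w+)(?:\s+(?P<args>.*))?$")


def parse_trace(text):
    """Turn trace lines into dicts; lines in any other shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({"ts": datetime.strptime(m["ts"], "%Y%m%dT%H:%M:%S.%fZ"),
                        "conn": m["conn"], "op": m["op"],
                        "args": (m["args"] or "").split()})
    return entries


def diagnose(text, backend_path):
    """Summarise the xenbus handshake for one backend node as seen by xenstored."""
    state_path = backend_path + "/state"
    states, watch_at, unwatch_at = [], None, None
    for e in parse_trace(text):
        if e["args"][:1] != [state_path]:
            continue
        if e["op"] == "write" and len(e["args"]) > 1:
            states.append((e["conn"], int(e["args"][1])))
        elif e["op"] == "watch":
            watch_at = e["ts"]
        elif e["op"] == "unwatch":
            unwatch_at = e["ts"]
    # Assumption: 'D<domid>' connections are domain ring connections (the dom0
    # kernel's backend driver would write through D0); 'A<n>' are socket clients.
    backend_wrote = any(conn.startswith("D") for conn, _ in states)
    wait = (unwatch_at - watch_at).total_seconds() if watch_at and unwatch_at else None
    last = XENBUS_STATE.get(states[-1][1], "unknown") if states else None
    return {"states": states, "backend_wrote_state": backend_wrote,
            "wait_seconds": wait, "last_state": last}


if __name__ == "__main__":
    r = diagnose(SAMPLE_TRACE, "/local/domain/0/backend/vbd/1/51712")
    for conn, st in r["states"]:
        print(f"{conn:>6} wrote state {st} ({XENBUS_STATE.get(st, 'unknown')})")
    print("backend driver wrote state:", r["backend_wrote_state"])
    print("toolstack watched for:", r["wait_seconds"], "s; final state:", r["last_state"])
```

Run against the trace above it says, in fewer words, what the libxl error already says: the toolstack writes state 1 (Initialising) to the backend node, no write from the D0 connection ever moves it to 2 (InitWait) or 4 (Connected), and after about ten seconds the same client unwatches the node and writes 5 (Closing). That is a "backend never answered" signature. It places the failure in the dom0 side of the vbd (the kernel backend and the hotplug script `/etc/xen/scripts/block` named in the trace) rather than in the guest or in the FLASK rule the thread was trying to add, which is consistent with the avc denials being about dom0-to-dom0 event delivery.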
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel