>>> On 04.05.16 at 15:52, <car...@cardoe.com> wrote:
> Hi all,
>
> Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
> following denials for any domU that attempts to run "xl". In my
> situation my domU needs to run "xl devd" because it's a driver domain.
>
> (XEN) avc: denied { xen_extraversion } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_extraversion } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_compile_info } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_capabilities } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_changeset } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_pagesize } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_commandline } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
> (XEN) avc: denied { xen_build_id } for domid=1
> scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> tclass=version
>
> I'm guessing a change happened to xl so that it queries the version
> info every time it is run.

Perhaps it did that always, and it has become a problem only because
of the XSM check which the version hypercall obtained recently?

Jan
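
Added example, not part of either message and not Xen project code: a small triage script that groups XSM/FLASK AVC denials like the ones quoted above by source type, target type and class, so the full set of permissions a domain was refused can be reviewed against the loaded policy in one line. The function names and the sample log are constructed for illustration; the rule-shaped output is a review aid, not a fix proposed in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the denials quoted above (not a real capture).
_CTX = "scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t tclass=version"
SAMPLE_LOG = "\n".join(
    [f"(XEN) avc: denied {{ {p} }} for domid=1 {_CTX}"
     for p in ("xen_extraversion", "xen_extraversion", "xen_compile_info",
               "xen_capabilities", "xen_build_id")]
    + ["(XEN) unrelated console line"]
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<extra>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class); collect perms, domids, hits."""
    groups = defaultdict(lambda: {"perms": set(), "domids": set(), "hits": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        entry = groups[key]
        entry["perms"].update(m["perms"].split())
        entry["hits"] += 1
        dom = re.search(r"\bdomid=(\d+)", m["extra"])
        if dom:
            entry["domids"].add(int(dom.group(1)))
    return dict(groups)

def candidate_rules(summary):
    """Render each group in policy-rule form so it can be reviewed against the policy."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        for (src, tgt, cls), e in sorted(summary.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Repeated denials of the same permission collapse into one entry, while `hits` keeps the raw count, which helps tell a single noisy caller from several distinct operations.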