As you suggested, I used xen 4.7.0-rc2 to test it again and the problem still exists.
$ sudo xl create xen-config/win7
> Parsing config from xen-config/win7
> libxl: error: libxl_device.c:1033:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/1/51712
> libxl: error: libxl_create.c:1252:domcreate_launch_dm: unable to add disk devices
> libxl: error: libxl_device.c:1033:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/1/51712
> libxl: error: libxl.c:1636:devices_destroy_cb: libxl__devices_destroy failed for 1
> libxl: error: libxl.c:1564:libxl__destroy_domid: non-existant domain 1
> libxl: error: libxl.c:1523:domain_destroy_callback: unable to destroy guest with domid 1
> libxl: error: libxl.c:1452:domain_destroy_cb: destruction of domain 1 failed

Denied behaviors:

~$ sudo xl dmesg | grep avc
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
> (XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event

Corresponding rules:

~$ sudo xl dmesg | grep avc | audit2allow
> #============= dom0_t ==============
> allow dom0_t self:event send;

When I tried to add this rule to xen.te, it says:

> libsepol.check_assertion_helper: neverallow on line 2023 violated by allow dom0_t dom0_t:event { send };

So I commented out the following restriction in policy.conf and recompiled the flask policy with the new rule added:

neverallow * ~event_type:event { create send status };

This time no rule violations are generated when checking 'xl dmesg | grep avc', but the errors from the very first place when creating a domU (both hvm and pv, with or without seclabel) still exist.
Basic info of xen configuration:

$ sudo xl info
> host                   : storage
> release                : 3.19.0
> version                : #1 SMP Tue Dec 8 09:27:36 CST 2015
> machine                : x86_64
> nr_cpus                : 6
> max_cpu_id             : 143
> nr_nodes               : 1
> cores_per_socket       : 6
> threads_per_core       : 1
> cpu_mhz                : 1600
> hw_caps                : b7ebfbff:77fef3ff:2c100800:00000021:00000001:000037ab:00000000:00000100
> virt_caps              : hvm hvm_directio
> total_memory           : 32667
> free_memory            : 24046
> sharing_freed_memory   : 0
> sharing_used_memory    : 0
> outstanding_claims     : 0
> free_cpus              : 0
> xen_major              : 4
> xen_minor              : 7
> xen_extra              : .0-rc
> xen_version            : 4.7.0-rc
> xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
> xen_scheduler          : credit
> xen_pagesize           : 4096
> platform_params        : virt_start=0xffff800000000000
> xen_changeset          : Fri May 13 18:15:34 2016 +0100 git:4f6aea0-dirty
> xen_commandline        : loglvl=all guest_loglvl=all com2=115200,8n1 console=com2,vga dom0_mem=8g,max:8g dom0_max_vcpus=1 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1 debug gdb=com2 flask=late
> cc_compiler            : gcc (Ubuntu/Linaro 4.7.3-12ubuntu1) 4.7.3
> cc_compile_by          : john
> cc_compile_domain      :
> cc_compile_date        : Mon May 16 09:31:31 CST 2016
> build_id               : a24e288d6620ab380b91abf6e93917c0b0e26651
> xend_config_format     : 4

BTW, I load flask policy after dom0 boots by using 'xl loadpolicy'.

Xenstore logs:

> [20160516T02:48:50.847Z] A12 newconn
> [20160516T02:48:50.860Z] A12.1 rm /local/domain/1
> [20160516T02:48:50.860Z] A12.1 write /local/domain/1
> [20160516T02:48:50.860Z] A12.1 setperms /local/domain/1 n0 r1
> [20160516T02:48:50.860Z] A12.1 rm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
> [20160516T02:48:50.861Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
> [20160516T02:48:50.861Z] A12.1 setperms /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac n0 r1
> [20160516T02:48:50.861Z] A12.1 rm /libxl/1
> [20160516T02:48:50.861Z] A12.1 write /libxl/1
> [20160516T02:48:50.862Z] A12.1 setperms /libxl/1 n0
> [20160516T02:48:50.862Z] A12.1 write /local/domain/1/vm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
> [20160516T02:48:50.864Z] A12.1 write /local/domain/1/name win7
> [20160516T02:48:50.864Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
> [20160516T02:48:50.864Z] A12.1 write /local/domain/1/cpu
> [20160516T02:48:50.865Z] A12.1 setperms /local/domain/1/cpu n0 r1
> [20160516T02:48:50.865Z] A12.1 write /local/domain/1/memory
> [20160516T02:48:50.865Z] A12.1 setperms /local/domain/1/memory n0 r1
> [20160516T02:48:50.865Z] A12.1 write /local/domain/1/device
> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/device n0 r1
> [20160516T02:48:50.866Z] A12.1 write /local/domain/1/control
> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/control n0 r1
> [20160516T02:48:50.866Z] A12.1 write /local/domain/1/hvmloader
> [20160516T02:48:50.866Z] A12.1 setperms /local/domain/1/hvmloader n0 r1
> [20160516T02:48:50.867Z] A12.1 write /local/domain/1/control/shutdown
> [20160516T02:48:50.867Z] A12.1 setperms /local/domain/1/control/shutdown n1
> [20160516T02:48:50.867Z] A12.1 write /local/domain/1/device/suspend/event-channel
> [20160516T02:48:50.868Z] A12.1 setperms /local/domain/1/device/suspend/event-channel n1
> [20160516T02:48:50.868Z] A12.1 write /local/domain/1/data
> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/data n1
> [20160516T02:48:50.869Z] A12.1 write /local/domain/1/drivers
> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/drivers n1
> [20160516T02:48:50.869Z] A12.1 write /local/domain/1/feature
> [20160516T02:48:50.869Z] A12.1 setperms /local/domain/1/feature n1
> [20160516T02:48:50.870Z] A12.1 write /local/domain/1/attr
> [20160516T02:48:50.870Z] A12.1 setperms /local/domain/1/attr n1
> [20160516T02:48:50.871Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/uuid b3084abf-0b69-45cb-9128-ad3ea4ff00ac
> [20160516T02:48:50.871Z] A12.1 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/name win7
> [20160516T02:48:50.872Z] A12.1 write /local/domain/1/control/platform-feature-multiprocessor-suspend 1
> [20160516T02:48:50.872Z] A12.1 write /local/domain/1/control/platform-feature-xs_reset_watches 1
> [20160516T02:48:50.872Z] A12.1 commit
> [20160516T02:48:50.872Z] A12 write /libxl/1/dm-version qemu_xen
> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/static-max 1048576
> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/target 1040384
> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/memory/videoram 8192
> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/domid 1
> [20160516T02:48:51.561Z] A12.2 write /local/domain/1/store/port 1
> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/store/ring-ref 1044476
> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/cpu/0/availability online
> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/platform/acpi 1
> [20160516T02:48:51.562Z] A12.2 write /local/domain/1/platform/acpi_s3 1
> [20160516T02:48:51.563Z] A12.2 write /local/domain/1/platform/acpi_s4 1
> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/rtc/timeoffset
> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/image/ostype hvm
> [20160516T02:48:51.563Z] A12.2 write /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac/start_time 1463366930.87
> [20160516T02:48:51.563Z] A12.2 commit
> [20160516T02:48:51.564Z] D1 newconn
> [20160516T02:48:51.564Z] A4 w event @introduceDomain domlist
> [20160516T02:48:51.564Z] A4 watch /local/domain/1/console dom1
> [20160516T02:48:51.565Z] A4 w event /local/domain/1/console dom1
> [20160516T02:48:51.565Z] A12 write /libxl/1/dm-version qemu_xen
> [20160516T02:48:51.566Z] A12.3 rm /local/domain/1/device/vbd/51712
> [20160516T02:48:51.566Z] A12.3 mkdir /local/domain/1/device/vbd/51712
> [20160516T02:48:51.566Z] A12.3 setperms /local/domain/1/device/vbd/51712 n1 r0
> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/backend /local/domain/0/backend/vbd/1/51712
> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/backend-id 0
> [20160516T02:48:51.567Z] A12.3 setperms /local/domain/1/device/vbd/51712/backend-id n1 r0
> [20160516T02:48:51.567Z] A12.3 write /local/domain/1/device/vbd/51712/state 1
> [20160516T02:48:51.567Z] A12.3 setperms /local/domain/1/device/vbd/51712/state n1 r0
> [20160516T02:48:51.568Z] A12.3 write /local/domain/1/device/vbd/51712/virtual-device 51712
> [20160516T02:48:51.568Z] A12.3 setperms /local/domain/1/device/vbd/51712/virtual-device n1 r0
> [20160516T02:48:51.568Z] A12.3 write /local/domain/1/device/vbd/51712/device-type disk
> [20160516T02:48:51.568Z] A12.3 setperms /local/domain/1/device/vbd/51712/device-type n1 r0
> [20160516T02:48:51.568Z] A12.3 rm /local/domain/0/backend/vbd/1/51712
> [20160516T02:48:51.568Z] A12.3 mkdir /local/domain/0/backend/vbd/1/51712
> [20160516T02:48:51.569Z] A12.3 setperms /local/domain/0/backend/vbd/1/51712 n0 r1
> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/frontend /local/domain/1/device/vbd/51712
> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/params /dev/storage-vg/win7
> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/script /etc/xen/scripts/block
> [20160516T02:48:51.569Z] A12.3 write /local/domain/0/backend/vbd/1/51712/frontend-id 1
> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/online 1
> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/removable 0
> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/bootable 1
> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/state 1
> [20160516T02:48:51.570Z] A12.3 write /local/domain/0/backend/vbd/1/51712/dev xvda
> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/type phy
> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/mode w
> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/device-type disk
> [20160516T02:48:51.571Z] A12.3 write /local/domain/0/backend/vbd/1/51712/discard-enable 1
> [20160516T02:48:51.571Z] A12.3 commit
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/frontend FFFFFFFF81CA73E0
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/params FFFFFFFF81CA73E0
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/script FFFFFFFF81CA73E0
> [20160516T02:48:51.572Z] A12 watch /local/domain/0/backend/vbd/1/51712/state 3/0
> [20160516T02:48:51.572Z] D0 w event backend/vbd/1/51712/frontend-id FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/online FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] A12 w event /local/domain/0/backend/vbd/1/51712/state 3/0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/removable FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/bootable FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/state FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/dev FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/type FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/mode FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/device-type FFFFFFFF81CA73E0
> [20160516T02:48:51.573Z] D0 w event backend/vbd/1/51712/discard-enable FFFFFFFF81CA73E0
> [20160516T02:49:01.581Z] A12 unwatch /local/domain/0/backend/vbd/1/51712/state 3/0
> [20160516T02:49:01.585Z] A12.4 rm /local/domain/1/device/vbd/51712
> [20160516T02:49:01.585Z] A12.4 rm /local/domain/1/device/vbd
> [20160516T02:49:01.586Z] A12.4 write /local/domain/0/backend/vbd/1/51712/online 0
> [20160516T02:49:01.586Z] A12.4 write /local/domain/0/backend/vbd/1/51712/state 5
> [20160516T02:49:01.586Z] A12.4 commit
> [20160516T02:49:01.586Z] D0 w event backend/vbd/1/51712/online FFFFFFFF81CA73E0
> [20160516T02:49:01.586Z] D0 w event backend/vbd/1/51712/state FFFFFFFF81CA73E0
> [20160516T02:49:01.587Z] A12 watch /local/domain/0/backend/vbd/1/51712/state 3/1
> [20160516T02:49:01.587Z] A12 w event /local/domain/0/backend/vbd/1/51712/state 3/1
> [20160516T02:49:11.596Z] A12 unwatch /local/domain/0/backend/vbd/1/51712/state 3/1
> [20160516T02:49:11.598Z] A12.5 rm /local/domain/1/device/vbd/51712
> [20160516T02:49:11.598Z] A12.5 rm /local/domain/0/backend/vbd/1/51712
> [20160516T02:49:11.599Z] A12.5 rm /local/domain/0/backend/vbd/1
> [20160516T02:49:11.599Z] A12.5 rm /local/domain/0/backend/vbd
> [20160516T02:49:11.600Z] A12.5 rm /local/domain/0/backend
> [20160516T02:49:11.600Z] A12.5 commit
> [20160516T02:49:11.600Z] A5 w event backend/qnic/0 be:0x7fea03f3bc24:0:0x7fea04383ba0
> [20160516T02:49:11.600Z] D0 w event backend/vbd/1/51712 FFFFFFFF81CA73E0
> [20160516T02:49:11.600Z] A5 w event backend/qdisk/0 be:0x7fea03f3bc1e:0:0x7fea04377780
> [20160516T02:49:11.601Z] A5 w event backend/vfb/0 be:0x7fea03f3bc1a:0:0x7fea0437bb20
> [20160516T02:49:11.601Z] A5 w event backend/vkbd/0 be:0x7fea03f3bc15:0:0x7fea0437bac0
> [20160516T02:49:11.601Z] A5 w event backend/console/0 be:0x7fea03f3bc0d:0:0x7fea0437a580
> [20160516T02:49:11.602Z] A12 rm /vm/b3084abf-0b69-45cb-9128-ad3ea4ff00ac
> [20160516T02:49:11.602Z] A12 rm /local/domain/1
> [20160516T02:49:11.602Z] A4 w event /local/domain/1/console dom1
> [20160516T02:49:11.603Z] A12 rm /libxl/1
> [20160516T02:49:11.603Z] A12 rm /local/domain/1/hvmloader
> [20160516T02:49:11.992Z] D1 endconn
> [20160516T02:49:11.992Z] A4 w event @releaseDomain domlist
> [20160516T02:49:11.992Z] A4 unwatch /local/domain/1/console dom1
> [20160516T02:49:11.995Z] A12 endconn
> [20160516T02:49:28.875Z] A13 newconn
> [20160516T02:49:28.880Z] A13 endconn
> [20160516T02:49:43.894Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
> [20160516T02:50:13.918Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
> [20160516T02:50:43.942Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
> [20160516T02:51:13.967Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0
> [20160516T02:51:43.992Z] D0 w event backend/vbd/1 FFFFFFFF81CA73E0

If you need any further information, please feel free to ask. Any suggestions will be appreciated.

2016-05-15 22:36 GMT+08:00 Andrew Cooper <andrew.coop...@citrix.com>:
> On 15/05/16 15:25, Big Strong wrote:
>> Hi,
>>
>> I've configured xen 4.6.0 with xsm enabled and use the default flask policy to boot the dom0.
>
> For issues like this, please always use the latest stable branch, in this case making that Xen 4.6.1+. It is entirely possible that bugfixes have been backported.
>
> In this case, can you try current master (or 4.7.0-rc2)? Some of these errors have definitely been fixed in the 4.7 dev period.
>
> ~Andrew
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
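The two steps the poster goes through by hand above, turning 'xl dmesg | grep avc' output into an allow rule with audit2allow and then having libsepol reject that rule against a neverallow assertion, can be reproduced offline. The following Python is an added example; it is not code from this thread, from audit2allow or from the Xen project. It parses AVC denial lines, merges them into allow rules in the form audit2allow prints, and checks the merged rules against neverallow assertions using the same `*` (any type) and `~name` (every type except that type or attribute) matching that libsepol applies. The attribute map, the domU_t denial and the type name evchn_example_t are constructed for the example; in a real build the attribute membership comes from policy.conf. Run on the thread's own denial, it reports that `allow dom0_t self:event send;` trips `neverallow * ~event_type:event { create send status };` because dom0_t carries no event_type attribute, which is the check flagging the target type of the generated rule for the event class rather than a reason to delete the assertion.

```python
# Added example (not from the thread, audit2allow or Xen): audit2allow-style rule
# generation for Xen FLASK AVC denials plus a neverallow assertion check.
import re
from collections import defaultdict

# One AVC line as printed by the hypervisor; the "(XEN)" prefix is ignored.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# neverallow SRC TGT:CLASS { p1 p2 };  or  neverallow SRC TGT:CLASS p1;
NEVERALLOW_RE = re.compile(
    r"neverallow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\S+?))\s*;"
)


def parse_denials(lines):
    """Return (source_type, target_type, class, perms) for every AVC line in lines."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC line: same effect as the grep in the thread
        fields = dict(FIELD_RE.findall(m.group("fields")))
        # Contexts are user:role:type; the type is the third component.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        denials.append((stype, ttype, fields["tclass"], frozenset(m.group("perms").split())))
    return denials


def merge_denials(denials):
    """Union the permissions of all denials sharing (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, cls, perms in denials:
        merged[(stype, ttype, cls)] |= perms
    return merged


def format_allow(stype, ttype, cls, perms):
    """Render one allow rule the way audit2allow prints it ('self' when source == target)."""
    target = "self" if stype == ttype else ttype
    plist = " ".join(sorted(perms))
    if len(perms) > 1:
        plist = "{ " + plist + " }"
    return f"allow {stype} {target}:{cls} {plist};"


def generate_allow_rules(denials):
    return [format_allow(s, t, c, p) for (s, t, c), p in sorted(merge_denials(denials).items())]


def type_matches(spec, typ, attributes):
    """'*' matches any type; '~X' matches everything X does not; X is a type or an attribute."""
    if spec == "*":
        return True
    if spec.startswith("~"):
        return not type_matches(spec[1:], typ, attributes)
    return spec == typ or typ in attributes.get(spec, set())


def check_neverallows(denials, neverallow_text, attributes):
    """Return [(allow_rule, neverallow_rule, [offending perms])] for each assertion the rules would violate."""
    violations = []
    for m in NEVERALLOW_RE.finditer(neverallow_text):
        forbidden = set((m.group("perms") or m.group("perm")).split())
        for (stype, ttype, cls), perms in sorted(merge_denials(denials).items()):
            if m.group("cls") not in ("*", cls):
                continue
            if not (type_matches(m.group("src"), stype, attributes)
                    and type_matches(m.group("tgt"), ttype, attributes)):
                continue
            hit = perms & forbidden
            if hit:
                violations.append((format_allow(stype, ttype, cls, perms), m.group(0), sorted(hit)))
    return violations


# Constructed sample input: the first two lines are the denial from the thread,
# the third is a made-up denial whose target carries a hypothetical event type.
SAMPLE_DMESG = """\
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:dom0_t tclass=event
(XEN) avc: denied { send } for domid=1 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:evchn_example_t tclass=event
(XEN) some unrelated console line
"""
# The assertion the thread hit (line 2023 of the poster's policy.conf).
NEVERALLOWS = "neverallow * ~event_type:event { create send status };"
# Hypothetical attribute map; a real one is read from the compiled policy source.
ATTRIBUTES = {"event_type": {"evchn_example_t"}}


def run(dmesg=SAMPLE_DMESG, neverallows=NEVERALLOWS, attributes=ATTRIBUTES):
    denials = parse_denials(dmesg.splitlines())
    return generate_allow_rules(denials), check_neverallows(denials, neverallows, attributes)


if __name__ == "__main__":
    rules, bad = run()
    for rule in rules:
        print(rule)
    for allow, neverallow, perms in bad:
        print(f"VIOLATION: '{allow}' conflicts with '{neverallow}' on {perms}")
```

The dom0_t rule is reported and the constructed evchn_example_t rule passes, which is the distinction the assertion exists to enforce: for the event class the target must be a type that carries event_type. When a generated rule fails this check, the useful next question is why the denial's target type is a domain type instead of an event type, not how to get the rule past the compiler.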