
Re: [Xen-devel] [XSM] Setting of ACM Policy



Stefan,

 >>From: Stefan Berger <stefanb@xxxxxxxxxx>
 >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>
 >>> Unfortunately the setting is re-written by "DEFAULT policy" when xend
 >>> is started.
 >>> Can't we fix the policy at the boot time?
 >>
 >>I am not sure what you mean by 'fix the policy at the boot time?'.

When I set up a policy at the GRUB menu, the policy becomes immutable till shutdown.
I don't want the policy to be changed by any commands.

However, the "xend" and "xm" commands change the policy easily in the current
implementation.
Should I use the Mandatory Access Control of SE-Linux on Dom0 to keep the
policy?

 >>You seem to be using an older version of Xen. Is there any possibility to 
 >>move to 3.3.0?

When I tried xsm, Xen3.2.1 was the latest stable version. 
I will move to 3.3.0.

-----
suzaki

 >>>  >>
 >>>  >>Cheers,
 >>>  >>Dilshan
 >>>  >>
 >>>  >>> ------
 >>>  >>> suzaki
 >>>  >>>
 >>>  >>>  >>From: Dilshan Jayarathna <dilshan.jayarathna@xxxxxxxxx>
 >>>  >>>  >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>>  >>>  >>
 >>>  >>>  >>Hi Suzaki,
 >>>  >>>  >>
 >>>  >>>  >>It looks like a faulty build. (I could be wrong)
 >>>  >>>  >>If you've set ACM_SECURITY ?= y in Config.mk when you are building xen, you
 >>>  >>>  >>must get ACM as the supported security subsystem when you run 'xm
 >>>  >>>  >>getpolicy'.
 >>>  >>>  >>
 >>>  >>>  >>If you just run 'xm setpolicy', you should get an error but it also tells
 >>>  >>>  >>you the supported policy type
 >>>  >>>  >>(...The only policytype that is currently supported is 'ACM'...)
 >>>  >>>  >>
 >>>  >>>  >>You can use xensec_ezpolicy to create a policy in xml format. Then 'xm
 >>>  >>>  >>setpolicy...' to convert xml to binary format and to activate the policy.
 >>>  >>>  >>
 >>>  >>>  >>But if the XSM is not built properly, none of the above will work.
 >>>  >>>  >>
 >>>  >>>  >>Hope this helps.
 >>>  >>>  >>
 >>>  >>>  >>Cheers,
 >>>  >>>  >>Dilshan
 >>>  >>>  >>
 >>>  >>>  >>Kuniyasu Suzaki wrote:
 >>>  >>>  >>> Hello,
 >>>  >>>  >>>
 >>>  >>>  >>> Please tell me how to setup ACM of XSM.
 >>>  >>>  >>> I could build a XSM but it doesn't work well.
 >>>  >>>  >>>   # xm getpolicy
 >>>  >>>  >>>   Supported security subsystems: None
 >>>  >>>  >>>
 >>>  >>>  >>> I guess it is caused by the lack of a policy file.
 >>>  >>>  >>> I referred to the following manual and tried to create a policy file.
 >>>  >>>  >>>   http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf
 >>>  >>>  >>>
 >>>  >>>  >>> The manual says that the following command creates a policy file
 >>>  >>>  >>> "mytest.bin".
 >>>  >>>  >>>   # xm setpolicy ACM mytest
 >>>  >>>  >>>
 >>>  >>>  >>> However the command doesn't work well. Please tell me how to
 >>>  >>>  >>> create a policy file.
 >>>  >>>  >>> I tried on Xen 3.2.1. Is the step obsolete?
 >>>  >>>  >>>
 >>>  >>>  >>> ------
 >>>  >>>  >>> suzaki
 >>>  >>>  >>>
 >>>  >>>  >>> _______________________________________________
 >>>  >>>  >>> Xen-devel mailing list
 >>>  >>>  >>> Xen-devel@xxxxxxxxxxxxxxxxxxx
 >>>  >>>  >>> http://lists.xensource.com/xen-devel
 >>>  >>>  >>> 


 

