
Re: [Xen-devel] [XSM] Setting of ACM Policy



Hi Kuniyasu,

What is your default boot entry in the grub menu?
XSM seems to set the policy ref (e.g. ssidref=0x00010001:ACM:mytest:SystemManagement)
and the 'module /<policy_name>.bin' in the default entry.

But I recommend following Stefan's advice and trying to move to 3.3.0.

I am also having some local time issues when I try to create HVM guests, and it seems to be a known bug, which has been fixed in 3.3.0.

I am planning to build 3.3.0 soon.

Regards,
Dilshan

Please CC me if you're replying, since I am only getting the digest.
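The check that the question about the default boot entry points at, as an added example that is not part of the original post: it resolves the default entry of a GRUB legacy menu.lst and reports whether that entry loads a policy binary through a `module /<policy_name>.bin` line. The sample menu is constructed, the function names `parse_menu` and `default_policy_modules` are hypothetical, and treating any module path ending in `.bin` as the policy is an assumption taken from the naming in this message.

```python
import re

# Constructed sample of a GRUB legacy menu.lst; kernel/initrd names are placeholders.
SAMPLE_MENU = """\
default=1
timeout 5

title Xen without policy
    kernel /xen.gz
    module /vmlinuz-xen ro root=/dev/sda1
    module /initrd-xen.img

title Xen with ACM policy
    kernel /xen.gz
    module /vmlinuz-xen ro root=/dev/sda1
    module /initrd-xen.img
    module /mytest.bin
"""

def parse_menu(text):
    """Return (default index or None, [(title, [(directive, args), ...]), ...])."""
    default, entries = 0, []          # GRUB legacy boots entry 0 if no default is set
    for raw in text.splitlines():
        # GRUB legacy accepts both "key value" and "key=value".
        parts = re.sub(r"^\s*(\w+)\s*=\s*", r"\1 ", raw).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "title":
            entries.append((rest, []))
        elif entries:
            entries[-1][1].append((key, rest))
        elif key == "default":
            # "default saved" cannot be resolved from the file alone.
            default = int(rest) if rest.isdigit() else None
    return default, entries

def default_policy_modules(text):
    """Title of the default entry and the .bin modules (assumed policy files) it loads."""
    default, entries = parse_menu(text)
    if default is None or default >= len(entries):
        raise ValueError("default boot entry cannot be resolved from this file")
    title, lines = entries[default]
    mods = [args.split()[0] for key, args in lines if key == "module" and args]
    return title, [m for m in mods if m.endswith(".bin")]
```

An empty list for the default entry means the hypervisor boots without the policy module, whatever the other entries contain.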


Date: Tue, 02 Sep 2008 18:03:32 +0900 (JST)
From: Kuniyasu Suzaki <k.suzaki@xxxxxxxxxx>
Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Message-ID: <20080902.180332.193697797.k.suzaki@xxxxxxxxxx>
Content-Type: Text/Plain; charset=us-ascii


Stefan,

 >>From: Stefan Berger <stefanb@xxxxxxxxxx>
 >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>
 >>> Unfortunately the setting is re-written by "DEFAULT policy" when xend
 >>> is started.
 >>> Can't we fix the policy at the boot time?
 >>
 >>I am not sure what you mean by 'fix the policy at the boot time?'.

When I set up a policy at the GRUB menu, the policy becomes immutable till shutdown.
I don't want the policy to be changed by any commands.

However, the "xend" and "xm" commands change the policy easily in the current implementation. Should I use the Mandatory Access Control of SE-Linux on Dom0 to keep the policy?

 >>You seem to be using an older version of Xen. Is there any possibility to
 >>move to 3.3.0?

When I tried xsm, Xen3.2.1 was the latest stable version. I will move to 3.3.0.

-----
suzaki

 >>>  >>
 >>>  >>Cheers,
 >>>  >>Dilshan
 >>>  >>
 >>>  >>> ------
 >>>  >>> suzaki
 >>>  >>>
 >>>  >>>  >>From: Dilshan Jayarathna <dilshan.jayarathna@xxxxxxxxx>
 >>>  >>>  >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>>  >>>  >>
 >>>  >>>  >>Hi Suzaki,
 >>>  >>>  >>
 >>>  >>>  >>It looks like a faulty build. (I could be wrong)
 >>>  >>>  >>If you've set ACM_SECURITY ?= y in Config.mk when you are building xen, you
 >>>  >>>  >>must get ACM as the supported security subsystem when you run 'xm
 >>>  >>>  >>getpolicy'.
 >>>  >>>  >>
 >>>  >>>  >>If you just run 'xm setpolicy', you should get an error, but it also tells
 >>>  >>>  >>you the supported policy type
 >>>  >>>  >>(...The only policytype that is currently supported is 'ACM'...)
 >>>  >>>  >>
 >>>  >>>  >>You can use xensec_ezpolicy to create a policy in xml format. Then 'xm
 >>>  >>>  >>setpolicy...' to convert xml to binary format and to activate the policy.
 >>>  >>>  >>
 >>>  >>>  >>But if the XSM is not built properly, none of the above will work.
 >>>  >>>  >>
 >>>  >>>  >>Hope this helps.
 >>>  >>>  >>
 >>>  >>>  >>Cheers,
 >>>  >>>  >>Dilshan
 >>>  >>>  >>
 >>>  >>>  >>Kuniyasu Suzaki wrote:
 >>>  >>>  >>> Hello,
 >>>  >>>  >>>
 >>>  >>>  >>> Please tell me how to setup ACM of XSM.
 >>>  >>>  >>> I could build a XSM but it doesn't work well.
 >>>  >>>  >>>   # xm getpolicy
 >>>  >>>  >>>   Supported security subsystems: None
 >>>  >>>  >>>
 >>>  >>>  >>> I guess it is caused by the lack of a policy file.
 >>>  >>>  >>> I referred to the following manual and tried to create a policy file.
 >>>  >>>  >>> http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf
 >>>  >>>  >>>
 >>>  >>>  >>> The manual says that the following command creates a policy file
 >>>  >>>  >>> "mytest.bin".
 >>>  >>>  >>>   # xm setpolicy ACM mytest
 >>>  >>>  >>>
 >>>  >>>  >>> However the command doesn't work well. Please tell me how to create a policy file.
 >>>  >>>  >>> I tried on Xen 3.2.1. Is the step obsolete?
 >>>  >>>  >>>
 >>>  >>>  >>> ------
 >>>  >>>  >>> suzaki
 >>>  >>>  >>>
 >>>  >>>  >>> _______________________________________________
 >>>  >>>  >>> Xen-devel mailing list
 >>>  >>>  >>> Xen-devel@xxxxxxxxxxxxxxxxxxx
 >>>  >>>  >>> http://lists.xensource.com/xen-devel


End of Xen-devel Digest, Vol 43, Issue 10
*****************************************
