Re: [Xen-users] Re: [Xen-devel] Loading ACM policy in XSM
Hi, George.

I tried it as George said.

#ls /etc/xen/acm-security/policies/
client_v1-security_policy.xml  default-ul-security_policy.xml  managed_policies  security_policy.xsd
default-security_policy.xml    example                         resource_labels   test-security_policy.xml

#xm list --label
Name      ID  Mem   VCPUs  State   Time(s)  Label
Domain-0  0   1024  2      r-----  86.1     ACM:example.client_v1:dom_SystemManagement

#xm create vm1.conf
Using config file "./vm1.conf".
Started domain vm1

#xm list --label
Name      ID  Mem   VCPUs  State   Time(s)  Label
vm1       1   128   1      r-----  4.7      ACM:example.client_v1:dom_HomeBanking
Domain-0  0   1024  2      r-----  94.6     ACM:example.client_v1:dom_SystemManagement

It looks good.
Thank you for your help.

Syunsuke HAYASHI

> You need to make sure that xm and xend are set up for xen-api. On my
> system I had to use the -xenapi config files in /etc/xen.
>
> You could also create a managed_policies file by hand. The format of
> the file is:
>
> managed_policies = {
> '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
> '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
> }
>
> On Tue, 2007-09-11 at 19:28 +0900, Syunsuke HAYASHI wrote:
>> Hi
>> Thank you for the help.
>>
>> I have a question about how to make 'managed_policies'.
>> I understood that 'managed_policies' was made from the "xm setpolicy" command.
>> But I don't know how to call "xm setpolicy" from 'Xen-api'.
>>
>> How should I call it ?
>>
>> --------------------------------xm setpolicy----------------------------
>> #xm setpolicy ACM example.client_v1 --boot
>>
>> Error: xm needs to be configured to use the xen-api.
>> Usage: xm setpolicy <policytype> <policyfile> [options]
>> Set the policy of the system.
>> Usage: xm setpolicy <policytype> <policy> [options]
>>
>> Set the policy managed by xend.
>>
>> The only policytype that is currently supported is 'ACM'.
>>
>> The following options are defined
>>   --load    Load the policy immediately
>>   --boot    Have the system load the policy during boot
>>   --update  Automatically adapt the policy so that it will be
>>             treated as an update to the current policy
>> --------------------------------------------------------------------------
>>
>> Thanks,
>>
>> Syunsuke HAYASHI
>>> I believe that your 'managed_policies' file is missing or empty. Please
>>> look at /etc/xen/acm-security/policies/managed_policies. If this is a
>>> new installation, I do not believe that ACM will create the
>>> 'managed_policies' file.
>>>
>>> George
>>>
>>> On Wed, 2007-08-29 at 13:26 +0900, Syunsuke HAYASHI wrote:
>>>> Hi, Stefan
>>>> Thank you for the help.
>>>>
>>>> I was not describing an ssidref=... in grub.conf.
>>>> I show grub.conf and dmesg when I execute "xm chgpolicy
>>>> example.client_v1" command and reboot.
>>>>
>>>> ----------------------------grub.conf--------------------------------------
>>>> # grub.conf generated by anaconda
>>>> #
>>>> # Note that you do not have to rerun grub after making changes to this file
>>>> # NOTICE: You have a /boot partition. This means that
>>>> # all kernel and initrd paths are relative to /boot/, eg.
>>>> # root (hd0,0)
>>>> # kernel /vmlinuz-version ro root=/dev/sda3
>>>> # initrd /initrd-version.img
>>>> #boot=/dev/sda
>>>> default=0
>>>> timeout=5
>>>> splashimage=(hd0,0)/grub/splash.xpm.gz
>>>> hiddenmenu
>>>> title xen-unstable0827
>>>>         root (hd0,0)
>>>>         kernel /xen.gz dom0_mem=1024M
>>>>         module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
>>>>         module /initrd-2.6.18-xen.img
>>>>         module /example.client_v1.bin
>>>>
>>>>
>>>> -----------------------------dmesg----------------------------------------
>>>> __ __ _____ ___ _ _ _
>>>> \ \/ /___ _ __ |___ / / _ \ _ _ _ __ ___| |_ __ _| |__ | | ___
>>>> \ // _ \ '_ \ |_ \| | | |__| | | | '_ \/ __| __/ _` | '_ \| |/ _ \
>>>> / \ __/ | | | ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | | __/
>>>> /_/\_\___|_| |_| |____(_)___/ \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
>>>>
>>>> http://www.cl.cam.ac.uk/netos/xen
>>>> University of Cambridge Computer Laboratory
>>>>
>>>> Xen version 3.0-unstable (root@xxxxxxxxxxxxxxxxxxxx) (gcc version
>>>> 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
>>>> Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
>>>>
>>>> (XEN) Command line: /xen.gz dom0_mem=1024M
>>>> (XEN) Video information:
>>>> (XEN) VGA is text mode 80x25, font 8x16
>>>> (XEN) VBE/DDC methods: V2; EDID transfer time: 2 seconds
>>>> (XEN) Disc information:
>>>> (XEN) Found 1 MBR signatures
>>>> (XEN) Found 1 EDD information structures
>>>> (XEN) Xen-e820 RAM map:
>>>> (XEN) 0000000000000000 - 000000000009f000 (usable)
>>>> (XEN) 000000000009f000 - 00000000000a0000 (reserved)
>>>> (XEN) 00000000000d6000 - 00000000000d8000 (reserved)
>>>> (XEN) 00000000000e0000 - 0000000000100000 (reserved)
>>>> (XEN) 0000000000100000 - 000000007fff0000 (usable)
>>>> (XEN) 000000007fff0000 - 000000007ffff000 (ACPI data)
>>>> (XEN) 000000007ffff000 - 0000000080000000 (ACPI NVS)
>>>> (XEN) 00000000fec00000 - 00000000fec10000 (reserved)
>>>> (XEN) 00000000fee00000 - 00000000fee01000 (reserved)
>>>> (XEN) 00000000fff80000 - 0000000100000000 (reserved)
>>>> (XEN) System RAM: 2047MB (2096700kB)
>>>> (XEN) Xen heap: 9MB (10168kB)
>>>> (XEN) Domain heap initialised: DMA width 32 bits
>>>> (XEN) PAE enabled, limit: 16 GB
>>>> (XEN) Processor #0 15:2 APIC version 20
>>>> (XEN) Processor #1 15:2 APIC version 20
>>>> (XEN) Processor #6 15:2 APIC version 20
>>>> (XEN) Processor #7 15:2 APIC version 20
>>>> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
>>>> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
>>>> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
>>>> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
>>>> (XEN) Enabling APIC mode: Flat. Using 4 I/O APICs
>>>> (XEN) Using scheduler: SMP Credit Scheduler (credit)
>>>> (XEN) Detected 3189.437 MHz processor.
>>>> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 1/1 eip 90000
>>>> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 2/6 eip 90000
>>>> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 3/7 eip 90000
>>>> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Total of 4 processors activated.
>>>> (XEN) ENABLING IO-APIC IRQs
>>>> (XEN) -> Using new ACK method
>>>> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
>>>> (XEN) Platform timer overflows in 234 jiffies.
>>>> (XEN) Platform timer is 3.579MHz ACPI PM Timer
>>>> (XEN) Brought up 4 CPUs
>>>> (XEN) Policy len 0x168, start at 3ffff000 - module 2.
>>>> (XEN) acm_set_policy_reference: Activating policy example.client_v1
>>>> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot
>>>> policy.
>>>> (XEN) *** LOADING DOMAIN 0 ***
>>>> (XEN) Xen kernel: 32-bit, PAE, lsb
>>>> (XEN) Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
>>>> (XEN) PHYSICAL MEMORY ARRANGEMENT:
>>>> (XEN) Dom0 alloc.: 000000003e000000->000000003f000000 (258048 pages
>>>> to be allocated)
>>>> (XEN) VIRTUAL MEMORY ARRANGEMENT:
>>>> (XEN) Loaded kernel: c0100000->c044fb7c
>>>> (XEN) Init. ramdisk: c0450000->c0bba600
>>>> (XEN) Phys-Mach map: c0bbb000->c0cbb000
>>>> (XEN) Start info: c0cbb000->c0cbb46c
>>>> (XEN) Page tables: c0cbc000->c0cc9000
>>>> (XEN) Boot stack: c0cc9000->c0cca000
>>>> (XEN) TOTAL: c0000000->c1000000
>>>> (XEN) ENTRY ADDRESS: c0100000
>>>> (XEN) Dom0 has maximum 4 VCPUs
>>>> (XEN) Initrd len 0x76a600, start at 0xc0450000
>>>> (XEN) Scrubbing Free RAM: .........done.
>>>> (XEN) Xen trace buffers: disabled
>>>> (XEN) Std. Loglevel: Errors and warnings
>>>> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
>>>> (XEN) Xen is relinquishing VGA console.
>>>> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch
>>>> input to Xen).
>>>> (XEN) Freed 88kB init memory.
>>>> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
>>>> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
>>>> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
>>>> -------------------------------------------------------------------------
>>>> Is it good in this ?
>>>>
>>>> Syunsuke HAYASHI
>>>> >
>>>> > xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 08/27/2007 04:00:14 AM:
>>>> >
>>>> > > Hi,
>>>> > > I have a problem about ACM module(hg.15730)
>>>> > > I want to label Domain-0.
>>>> > > I read xen user's manual v3.0 and "man xm" information.
>>>> > > ACM document mentions how to label Domain-0.
>>>> > > But I couldn't add the label when I tried the following steps.
>>>> > >
>>>> > > (test1)
>>>> > > #xm makepolicy example.client_v1
>>>> > > #xm cfgbootpolicy example.client_v1
>>>> > > #reboot
>>>> > >
>>>> > > (test2)
>>>> > > #xm setpolicy ACM example.client_v1
>>>> > > #xm activatepolicy --boot
>>>> > >
>>>> > > (result)
>>>> > > [root@bx607 ~]# xm list --label
>>>> > > Name      ID  Mem   VCPUs  State   Time(s)  Label
>>>> > > Domain-0  0   1024  4      r-----  105.1    unlabeled
>>>> > >
>>>> > > So, I tried to use "xm addlabel" command.
>>>> > >
>>>> > > #xm makepolicy example.client_v1
>>>> > > #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
>>>> > >
>>>> > > But I couldn't again.
>>>> > >
>>>> > > Is there any good idea ?
>>>> >
>>>> > Is there an ssidref=... in the 'kernel' line in the grub title you
>>>> > are booting? Can you send this line and remove the ssidref=... and try
>>>> > again?
>>>> > Otherwise if this is not the case, can you send the content of 'xm
>>>> > dmesg'?
>>>> >
>>>> > Stefan
>>>> > >
>>>> > > Thanks,
>>>> > >
>>>> > > Syunsuke HAYASHI
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > _______________________________________________
>>>> > > Xen-devel mailing list
>>>> > > Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>> > > http://lists.xensource.com/xen-devel
>>>>
>>>>
>>>> _______________________________________________
>>>> Xen-devel mailing list
>>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>> http://lists.xensource.com/xen-devel
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xen-users

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
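
Added example, not part of the original thread and not xend's own code: a check for a hand-written managed_policies file in the format George shows in the message above, parsed without executing it. The function name check_managed_policies is hypothetical; requiring UUID keys is an assumption based on George's sample entries, and the 'ACM'-only rule comes from the xm setpolicy usage text quoted in the thread.

```python
import ast
import uuid

# The two entries George gives in this thread.
SAMPLE = """managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
}
"""

def check_managed_policies(text):
    """Return (policies, problems). Hypothetical helper, not xend's loader.

    The file is Python syntax, so it is parsed with ast and never executed.
    """
    try:
        body = ast.parse(text).body
    except SyntaxError as exc:
        return {}, ["syntax error: %s" % exc.msg]
    if (len(body) != 1 or not isinstance(body[0], ast.Assign)
            or len(body[0].targets) != 1
            or getattr(body[0].targets[0], "id", None) != "managed_policies"
            or not isinstance(body[0].value, ast.Dict)):
        return {}, ["expected a single 'managed_policies = {...}' statement"]
    node = body[0].value
    try:
        data = ast.literal_eval(node)
    except (ValueError, TypeError):
        return {}, ["dictionary contains something other than plain literals"]
    problems, policies = [], {}
    if len(data) != len(node.keys):
        # Python keeps only the last value for a repeated dictionary key.
        problems.append("duplicate key: a later entry replaces an earlier one")
    for key, value in data.items():
        try:
            uuid.UUID(key)
        except (ValueError, TypeError, AttributeError):
            problems.append("key %r is not a UUID" % (key,))
            continue
        if not (isinstance(value, tuple) and len(value) == 2
                and all(isinstance(v, str) for v in value)):
            problems.append("%s: value must be (policy name, policy type)" % key)
            continue
        name, ptype = value
        if ptype != "ACM":  # the xm usage text in the thread lists only 'ACM'
            problems.append("%s: unsupported policy type %r" % (key, ptype))
            continue
        policies[key] = (name, ptype)
    return policies, problems
```
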