Re: [Xen-devel] Questions about PVH in Xen 4.3 unstable
That's good that I understood now everything. So can xenstored/oxenstored stubdoms run on the actual stable trunk? I already talked with Daniel de Graaf from the NSA about this theme in this thread:

http://lists.xen.org/archives/html/xen-devel/2013-01/msg00956.html

So the main problem is that the FLASK ruleset he posted is incompatible with 4.2.1. I also talked with Steven Maresca on IRC about this and he said that in 4.2.1 only sysctl hypercalls are supported more or less by XSM/FLASK and not domctl hypercalls, so I think that these lines are a problem:

    # Xenstore requires the global VIRQ for domain destroy operations
    allow dom0_t xenstore_t:domain set_virq_handler;
    # Current xenstore stubdom uses the hypervisor console, not "xl console"
    allow xenstore_t xen_t:xen writeconsole;
    # Xenstore queries domaininfo on all domains
    allow xenstore_t domain_type:domain getdomaininfo;

    # As a shortcut, the following 3 rules are used instead of adding a domain_comms
    # rule between xenstore_t and every domain type that talks to xenstore
    create_channel(xenstore_t, domain_type, xenstore_t_channel)
    allow event_type xenstore_t:event bind;
    allow xenstore_t domain_type:grant { map_read map_write unmap };

Especially the first two roles I think won't work; in the case of the other lines I am not sure. Can I work around this and find a FLASK ruleset to use xenstored/oxenstored stubdom on 4.2.1?

Best Regards

2013/1/30 Roger Pau Monné <roger.pau@xxxxxxxxxx>