[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSM/FLASK questions

On 03/13/2013 09:52 AM, baozeng@xxxxxxxxxxxxxxx wrote:
Hello all,
     I played with Xen 4.1.0, XSM/FLASK module to see whether it works well or 
not. I
changed the policy file to make dom0 cannot create a domU labeled with domHU_t
type.  The policy.conf generated using "make policy" command is as the
     type domHU_t, domain_type;
     allow dom0_t domHU_t:domain {max_vcpus setdomainmaxmem

                                 setaddrsize getdomaininfo hypercall

                                 setvcpucontext scheduler unpause

                                 getvcpuinfo getaddrsize getvcpuaffinity}; //I
removed "create"

    Then I added the label domHU_t for a domU in its configure file as the 

    access_control = ['policy=,label=system_u:system_r:domHU_t']

After that I made install the FLASK policy using "make install" and rebooted 
flask_enforcing = 1. But when I started the domU using "xm create domU.cfg", it 
still create it successfully.
    Since I removed the "create" operation in the policy, why dom0 can still 
create a
domU labeled with domHU_t? any idea? thanks.

       Best Regards,
                Baozeng Ding

You may want to ensure that the policy is being loaded - you need to
reference it in your grub menu.lst as another module to xen. You can
verify this using xl dmesg or "xl list -Z" - with no policy loaded, dom0
is labeled "dom0" instead of the "system_u:system_r:dom0_t" as defined in
the policy. I am not familiar labeling in xm's config file, so I assume
that your syntax works in 4.1; in xl, it would need to be written as:


You may also want to check that there isn't another allow rule that you
didn't remove by running:

sesearch -A -s dom0_t -t domHU_t -c domain -p create /boot/xenpolicy.24

This will return empty output if there is no allow rule.

Daniel De Graaf
National Security Agency

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.