Re: [Xense-devel] How to get XSM/Flask working
It looks like you are doing everything right, but you need to label the domU that you are trying to create. You need to add the access_control attribute to your domU config file. An example access_control attribute:

    access_control = ["policy=,label=system_u:object_r:domU_t"]

Sorry that the error is ambiguous. Flask does not presently use the policy field. Values for the label field follow the same conventions and policy behavior as SELinux. See the current policy examples for adding new types/labels to the policy.

The policy that you are using is incomplete in that it does not contain enough policy statements to support the dom0/domU default usage of Xen. If you put the system into enforcing with the policy posted in http://lists.xensource.com/archives/html/xense-devel/2007-03/msg00005.html the system will boot for a little and either appear to be locked or crash depending on what access was not allowed by the policy. An example issue is Xen expects to start a domain on boot, e.g. dom0; since the policy is incomplete wrt this behavior, Xen appears to crash/lock. This can be overcome by adding the necessary statements to the policy that you are using.

Most other tools are still under development, but the SELinux policy development and analysis tools should mostly work but simply require pointing the tools to the Xen Flask policy instead of the SELinux policy. I am currently updating a patch set that has a good default policy for Xen and should be relatively safe to put into enforcing mode. I'll post this patch shortly.

The only policy management tool available for xen is the tool flask_loadpolicy, which is used to reload policy from a domain. The ability to perform policy reload is controlled by the policy, and the sample policy posted to Xen-devel permits this and other security operations to dom0.

To put Xen into enforcing with the Flask module, add the option flask_enforcing=1 to boot arguments for xen.
George

On 5/21/08 6:46 PM, "Hayawardh V" <hayawardh@xxxxxxxxx> wrote:

> Hi all,
>
> I compiled xen-3.2-testing with linux-2.6.18-xen after modifying Config.mk to
> enable XSM/Flask:
>
> XSM_ENABLE ?= y
> FLASK_ENABLE ?= y
> ACM_SECURITY ?= n
>
> I downloaded a test Flask policy from
> http://lists.xensource.com/archives/html/xense-devel/2007-03/msg00005.html
> and ran 'make' on it.
>
> I copied the policy.20 file to /boot and modified the grub entry as follows:
>
> title Xen 3 with Fedora 8 2.6.18.8
> root (hd0,5)
> kernel /boot/xen-3.2.gz console=vga
> module /boot/vmlinuz-2.6.18.8-xen root=LABEL=/1 ro console=tty0
> module /boot/initrd-2.6.18.8-xen.img
> module /boot/policy.20
>
> and booted into the same.
>
> When I do an xm create of a domU, I get:
>
> [root@XXX xenimg]# xm create -c fedora.fc8.xen3.cfg
> Using config file "./fedora.fc8.xen3.cfg".
> Error: 'module' object has no attribute 'get_active_policy_name'
>
> (Note: The same domU boots as expected in a Xen without XSM/Flask enabled, on
> the same machine)
>
> 1. What causes the above problem? How do I get XSM/Flask to work?
>
> 2. Is the above policy the latest or is there a more recent version?
>
> 3. The above post says "This policy is incomplete and cannot be used with the
> Flask module in enforcing mode." How do I enable enforcing mode? Where are the
> equivalent SELinux tools like sestatus etc? Are they still under development?
>
> Thanks,
> Hayawardh
>
>
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel

--
George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
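The two configuration pieces discussed in the reply above, the access_control attribute on the domU and the flask_enforcing=1 hypervisor boot argument, as an added example that is not part of the thread or of the Xen tools. It evaluates a small xm-style config (xm configs are Python), parses the access_control entry in its "policy=...,label=..." form, checks that the label follows the SELinux user:role:type convention, and builds the grub kernel line for enforcing mode. The sample config texts, the helper names and the label regex are constructed for this example; the one-field-per-comma parsing mirrors the attribute format quoted in the reply.

```python
"""Added example: check that a Xen domU config carries a Flask label and
build the hypervisor boot line for enforcing mode. Sample configs are
constructed; helper names are this example's own, not Xen's."""

import re

# Constructed sample: a minimal xm config with a labelled domU.
SAMPLE_CFG = """
kernel = "/boot/vmlinuz-2.6.18.8-xen"
memory = 256
name = "fedora_fc8"
access_control = ["policy=,label=system_u:object_r:domU_t"]
"""

# Constructed sample without a label: the situation in the original question,
# where Flask has nothing to attach to the new domain.
UNLABELLED_CFG = """
kernel = "/boot/vmlinuz-2.6.18.8-xen"
memory = 256
name = "fedora_fc8"
"""

# SELinux-style security context: user:role:type (assumed pattern, no MLS range).
LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+$")


def load_xm_config(text):
    """xm config files are plain Python assignments; evaluate them in an
    isolated namespace with no builtins so only simple assignments work."""
    ns = {}
    exec(text, {"__builtins__": {}}, ns)
    return ns


def parse_access_control(entry):
    """Split a "policy=P,label=L" entry into a dict of its key=value fields."""
    fields = {}
    for part in entry.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed access_control field: %r" % part)
        fields[key] = value
    return fields


def check_domu_label(cfg_text):
    """Return (ok, message); ok is True only when the domU has a well-formed label."""
    ns = load_xm_config(cfg_text)
    ac = ns.get("access_control")
    if not ac:
        return False, "no access_control attribute: domU is unlabelled"
    fields = parse_access_control(ac[0])
    label = fields.get("label", "")
    if not LABEL_RE.match(label):
        return False, "label %r is not in user:role:type form" % label
    # Flask ignores the policy field, so only the label decides the outcome.
    return True, "domU labelled %s (policy field %r ignored by Flask)" % (
        label, fields.get("policy", ""))


def xen_boot_line(hypervisor="/boot/xen-3.2.gz", enforcing=False, extra="console=vga"):
    """Build the grub 'kernel' line; flask_enforcing=1 switches Flask to enforcing."""
    args = [extra]
    if enforcing:
        args.append("flask_enforcing=1")
    return "kernel %s %s" % (hypervisor, " ".join(args))


if __name__ == "__main__":
    for name, cfg in (("labelled", SAMPLE_CFG), ("unlabelled", UNLABELLED_CFG)):
        ok, msg = check_domu_label(cfg)
        print("%-10s %s: %s" % (name, "OK  " if ok else "FAIL", msg))
    print(xen_boot_line(enforcing=True))
```

Running the script reports the labelled config as OK, flags the unlabelled one before any xm create is attempted, and prints the enforcing boot line; the reply's point that an incomplete policy will lock or crash the system in enforcing mode still applies, so the boot line is only as safe as the policy.20 loaded alongside it.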