
Re: [Xense-devel] How to get XSM/Flask working


  • To: Hayawardh V <hayawardh@xxxxxxxxx>, xense-devel <xense-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
  • Date: Thu, 22 May 2008 09:50:18 -0400
  • Delivery-date: Thu, 22 May 2008 06:51:01 -0700
  • List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
  • Thread-index: Aci8EsT2A0ltwigGEd2m5gAWy5GONg==
  • Thread-topic: [Xense-devel] How to get XSM/Flask working

It looks like you are doing everything right, but you need to label the domU
that you are trying to create.  You need to add the access_control attribute
to your domU config file.  An example access_control attribute,

    access_control = ["policy=,label=system_u:object_r:domU_t"]

Sorry that the error is ambiguous.  Flask does not presently use the policy
field.  Values for the label field follow the same conventions and policy
behavior as SELinux.  See the current policy examples for adding new
types/labels to the policy.

The policy that you are using is incomplete in that it does not contain
enough policy statements to support the dom0/domU default usage of Xen.  If
you put the system into enforcing with the policy posted in
http://lists.xensource.com/archives/html/xense-devel/2007-03/msg00005.html
the system will boot for a little and either appear to be locked or crash
depending on what access was not allowed by the policy.  An example issue:
Xen expects to start a domain on boot, e.g. dom0; since the policy is
incomplete with respect to this behavior, Xen appears to crash/lock.  This can be
overcome by adding the necessary statements to the policy that you are
using.  Most other tools are still under development, but the SELinux policy
development and analysis tools should mostly work but simply require
pointing the tools to the Xen Flask policy instead of the SELinux policy.

I am currently updating a patch set that has a good default policy for Xen
and should be relatively safe to put into enforcing mode.  I'll post this
patch shortly.  The only policy management tool available for Xen is
flask_loadpolicy, which is used to reload policy from a domain.  The
ability to perform policy reload is controlled by the policy, and the sample
policy posted to Xen-devel permits this and other security operations to
dom0.

To put Xen into enforcing with the Flask module, add the option
flask_enforcing=1 to boot arguments for xen.

George

On 5/21/08 6:46 PM, "Hayawardh V" <hayawardh@xxxxxxxxx> wrote:

> Hi all, 
> 
> I compiled xen-3.2-testing with linux-2.6.18-xen after modifying Config.mk to
> enable XSM/Flask:
> 
> XSM_ENABLE ?= y
> FLASK_ENABLE ?= y
> ACM_SECURITY ?= n
> 
> I downloaded a test Flask policy from
> http://lists.xensource.com/archives/html/xense-devel/2007-03/msg00005.html
> and ran 'make' on it.
> 
> I copied the policy.20 file to /boot and modified the grub entry as follows:
> 
> title Xen 3 with Fedora 8 2.6.18.8
>        root (hd0,5)
>        kernel /boot/xen-3.2.gz console=vga
>        module /boot/vmlinuz-2.6.18.8-xen root=LABEL=/1 ro console=tty0
>        module /boot/initrd-2.6.18.8-xen.img
>        module /boot/policy.20
> 
> and booted into the same.
> 
> When I do an xm create of a domU, I get:
> 
> [root@XXX xenimg]# xm create -c fedora.fc8.xen3.cfg
> Using config file "./fedora.fc8.xen3.cfg".
> Error: 'module' object has no attribute 'get_active_policy_name'
> 
> (Note: The same domU boots as expected in a Xen without XSM/Flask enabled, on
> the same machine)
> 
> 1. What causes the above problem? How do I get XSM/Flask to work?
> 
> 2. Is the above policy the latest or is there a more recent version?
> 
> 3. The above post says "This policy is incomplete and cannot be used with the
> Flask module in enforcing mode." How do I enable enforcing mode? Where are the
> equivalent SELinux tools like sestatus etc? Are they still under development?
> 
> Thanks, 
> Hayawardh
> 


-- 
George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
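A pre-flight check for the labelling advice above, added here as an example and not code from the thread or from the Xen tree: it reads the access_control attribute out of an xm domU config (which is Python syntax) without executing the file, splits the "policy=,label=..." string, and verifies that the label follows the SELinux-style user:role:type convention Flask expects, so an unlabelled domU is caught before xm create reports its ambiguous error. The sample config embedded below is constructed for the example.

```python
import ast
import re

# Flask labels follow SELinux context conventions: user:role:type
# (an optional trailing MLS field is not checked here)
_LABEL_RE = re.compile(r"^[\w.]+:[\w.]+:[\w.]+$")

# Constructed sample xm config (Python syntax), not taken from the thread
SAMPLE_CONFIG = '''
kernel = "/boot/vmlinuz-2.6.18.8-xen"
access_control = ["policy=,label=system_u:object_r:domU_t"]
'''


def parse_access_control(entry):
    """Split 'policy=,label=...' into a dict; ValueError on a field with no '='."""
    fields = {}
    for part in entry.split(","):
        if "=" not in part:
            raise ValueError("malformed access_control field: %r" % part)
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    return fields


def read_access_control(config_text):
    """Return the access_control entries from an xm config without executing it."""
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "access_control" for t in node.targets
        ):
            value = ast.literal_eval(node.value)
            return [value] if isinstance(value, str) else list(value)
    return None


def check_domu_config(config_text):
    """Return a list of problems; an empty list means the domU carries a usable label."""
    entries = read_access_control(config_text)
    if not entries:
        return ["no access_control attribute: domU is unlabelled"]
    problems = []
    for entry in entries:
        try:
            fields = parse_access_control(entry)
        except ValueError as err:
            problems.append(str(err))
            continue
        label = fields.get("label", "")
        if not _LABEL_RE.match(label):
            problems.append("label %r is not of the form user:role:type" % label)
        if fields.get("policy"):  # Flask does not use the policy field
            problems.append("policy field %r is ignored by Flask" % fields["policy"])
    return problems
```

Whether the type named in the label actually exists is a question for the loaded Flask policy, which this check does not consult.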



_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

