http://sf.net/projects/xen

http://sf.net/projects/xen

[Luke Kenneth Casson Leighton]

for those people who do a lot of selinux testing, and am fed up
of having stacks of machines, and who also don't want to pay for
vmware, _and_ who also don't want the slowness or features of UML,
there is xen.

xen is NOT full pc emulation (like vmware, which even has its own
phoenix bios), instead you have to compile in half-way-house tty and
network drivers that allow communication between the first hosted guest
OS (which is given control of the hardware) and all other guest OSes
[which are given access to block devices via the first OS].

i look forward to seeing what happens over the next couple of days
in attempting to set up selinux 2.6.9 xen guest OSes
(/etc/motd: "welcome to debian gnu/linux 2.6.9-selinux1-xen1"...)

here goes nothing...

-- 
--
<a href="http://lkcl.net">http://lkcl.net</a>
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: http://sf.net/projects/xen

[Luke Kenneth Casson Leighton]

On Sat, Nov 20, 2004 at 08:40:20PM +0000, Luke Kenneth Casson Leighton wrote:

> for those people who do a lot of selinux testing, and am fed up
> of having stacks of machines, and who also don't want to pay for
> vmware, _and_ who also don't want the slowness or features of UML,
> there is xen.

 okay - i am having difficulties with the network bridging and the
 allocation of DHCP addresses: other than that, i have an selinux
 "guest" kernel OS now up and running.

 the ext3 filesystem is in a file (mounted loopback automagically by xen)
 make relabel seems happy...

 [DAMN IT i shut down the master linux os AGAIN by mistake. 
  kids, don't try this at home...]

 in the config file, e.g /etc/xen/xen-selinux-1, you will need
 to place what they call "extra" parameters into the
 config option extra="..."  e.g

 extra="selinux=1 enforcing=1 audit=1"

 that sort of thing...

 oh _great_ i know selinux is working absolutely fine when i
 can't damn well log in to the machine!!!  log in as root, cannot
 execute /bin/bash - greeeaat.

 [oops, pressing ctrl-alt-delete isn't caught / passed over to
  the guest OS - that's _another_ accidental reboot.]

 
 conclusion: it looks hopeful that xen will happily run selinux OSes.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: http://sf.net/projects/xen

[Milan P. Stanic]

On Sat, Nov 20, 2004 at 08:40:20PM +0000, Luke Kenneth Casson Leighton wrote:
> vmware, _and_ who also don't want the slowness or features of UML,

When I backported SELinux from Debian/unstable to woody, I did that
using UML only. I didn't had any problem with UML, only with my own
slowness :-)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: http://sf.net/projects/xen

[Luke Kenneth Casson Leighton]

On Mon, Nov 22, 2004 at 11:31:42AM +0100, Milan P. Stanic wrote:
> On Sat, Nov 20, 2004 at 08:40:20PM +0000, Luke Kenneth Casson Leighton wrote:
> > vmware, _and_ who also don't want the slowness or features of UML,
> 
> When I backported SELinux from Debian/unstable to woody, I did that
> using UML only. I didn't had any problem with UML, only with my own
> slowness :-)
 
 :)

 this page demonstrates it best:

 http://www.cl.cam.ac.uk/Research/SRG/netos/xen/performance.html

 also, UML, unless it is patched (yes someone has provided
 such patches), provides the host running the UML linux apps
 with direct access to their kernel memory - for debugging
 purposes, obviously.

 i'm evaluating xen as a means to run applications like mozilla
 in an isolated selinux machine (!) also to suspend them down
 to disk, and use xen to start an entire virtual machine up
 when a user needs to run the application (!)

 my only concern is how to stop absolutely anyone from running
 a xen guest OS: management of xen is done on port 8000.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.