From mboxrd@z Thu Jan 1 00:00:00 1970
From: Luke Kenneth Casson Leighton
Subject: Re: protecting xen startup
Date: Tue, 23 Nov 2004 21:03:19 +0000
Message-ID: <20041123210319.GB5146@lkcl.net>
References: <20041123170546.GB6250@lkcl.net> <41A37C60.7000507@hpl.hp.com>
In-Reply-To: <41A37C60.7000507@hpl.hp.com>
To: Mike Wray
Cc: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

On Tue, Nov 23, 2004 at 06:07:28PM +0000, Mike Wray wrote:

> You should be able to use selinux rules to specify what gets to talk to
> xend at port 8000. You'd need to enable LSM and selinux in the domain-0
> kernel, but otherwise all you should need to do is configure selinux
> appropriately.

yes it does: i was however thinking along the lines of creating
selinux security IDs, one for each type of xen command (create, list,
shutdown, start, stop etc.) and then writing an selinux policy
granting xm the right to perform those commands.

... if the xm and xend programs cannot be merged for some reason,
there isn't any point in taking that approach.

l.