From: Syunsuke HAYASHI <syunsuke@jp.fujitsu.com>
To: xen-devel@lists.xensource.com
Subject: Re: Loading ACM policy in XSM
Date: Thu, 30 Aug 2007 14:16:32 +0900
Message-ID: <46D652B0.4020107@jp.fujitsu.com>
In-Reply-To: <1188395455.3872.55.camel@moss-walleye.epoch.ncsc.mil>

Hi, George.

I checked it as George said.
"Managed-policy" file is put on /etc/xen/acm-security/policies/example/ .

It shows the following steps.

--1--
#pwd
/etc/xen/acm-security/policies/example
#ls
client_v1-security_policy.xml  client_v1.bin  client_v1.map
test-security_policy.xml

--2--
#xm makepolicy example.client_v1 <---- looks good
#xm cfgbootpolicy example.client_v1 <---- looks good
Boot entry 'xen-unstable0827' extended and 'example.client_v1.bin'
copied to /boot

--3--
#cat /etc/grub.conf
title xen-unstable0827
        root (hd0,0)
        kernel /xen.gz dom0_mem=1024M
        module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
        module /initrd-2.6.18-xen.img
        module /example.client_v1.bin
#cd /boot
#ls
System.map-2.6.18-xen         initrd-2.6.18-xen.img
vmlinuz-2.6.21-1.3194.fc7
System.map-2.6.21-1.3194.fc7  initrd-2.6.18-xenU.img
xen-3.0-unstable.gz
client_v1.bin                 initrd-2.6.21-1.3194.fc7.img  xen-3.0.gz
config-2.6.18-xen             lost+found                    xen-3.gz
config-2.6.21-1.3194.fc7      vmlinux-syms-2.6.18-xen
xen-syms-3.0-unstable
example.test.bin              vmlinuz-2.6-xen               xen.gz
grub                          vmlinuz-2.6.18-xen
example.client_v1.bin

--4--
#xm list --label  <-- I think the failure.
Name       ID   Mem  VCPUs   State   Time(s)  Label
Domain-0    0  1024   4     r-----     98.4  unlabeled

Is there any good idea?

Thanks,

Syunsuke HAYASHI

> I believe that your 'managed_policies' file is missing or empty.  Please
> look at /etc/xen/acm-security/policies/managed_policies.  If this is a
> new installation, I do not believe that ACM will create the
> 'managed_policies' file.
> 
> George
> 
> On Wed, 2007-08-29 at 13:26 +0900, Syunsuke HAYASHI wrote:
>> Hi, Stefan
>> Thank you for the help.
>>
>> I was not describing an ssidref=... in grub.conf.
>> I show grub.conf and dmesg when I execute "xm chgpolicy 
>> example.client_v1" command and reboot.
>>
>> ----------------------------grub.conf--------------------------------------
>> # grub.conf generated by anaconda
>> #
>> # Note that you do not have to rerun grub after making changes to this file
>> # NOTICE:  You have a /boot partition.  This means that
>> #          all kernel and initrd paths are relative to /boot/, eg.
>> #          root (hd0,0)
>> #          kernel /vmlinuz-version ro root=/dev/sda3
>> #          initrd /initrd-version.img
>> #boot=/dev/sda
>> default=0
>> timeout=5
>> splashimage=(hd0,0)/grub/splash.xpm.gz
>> hiddenmenu
>> title xen-unstable0827
>>      root (hd0,0)
>>      kernel /xen.gz dom0_mem=1024M
>>      module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
>>      module /initrd-2.6.18-xen.img
>>      module /example.client_v1.bin
>>
>>
>> -----------------------------dmesg----------------------------------------
>>   __  __            _____  ___                     _        _     _
>>   \ \/ /___ _ __   |___ / / _ \    _   _ _ __  ___| |_ __ _| |__ | | ___
>>    \  // _ \ '_ \    |_ \| | | |__| | | | '_ \/ __| __/ _` | '_ \| |/ _ \
>>    /  \  __/ | | |  ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | |  __/
>>   /_/\_\___|_| |_| |____(_)___/    \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
>>
>>   http://www.cl.cam.ac.uk/netos/xen
>>   University of Cambridge Computer Laboratory
>>
>>   Xen version 3.0-unstable (root@sky.yk.fujitsu.co.jp) (gcc version 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
>>   Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
>>
>> (XEN) Command line: /xen.gz dom0_mem=1024M
>> (XEN) Video information:
>> (XEN)  VGA is text mode 80x25, font 8x16
>> (XEN)  VBE/DDC methods: V2; EDID transfer time: 2 seconds
>> (XEN) Disc information:
>> (XEN)  Found 1 MBR signatures
>> (XEN)  Found 1 EDD information structures
>> (XEN) Xen-e820 RAM map:
>> (XEN)  0000000000000000 - 000000000009f000 (usable)
>> (XEN)  000000000009f000 - 00000000000a0000 (reserved)
>> (XEN)  00000000000d6000 - 00000000000d8000 (reserved)
>> (XEN)  00000000000e0000 - 0000000000100000 (reserved)
>> (XEN)  0000000000100000 - 000000007fff0000 (usable)
>> (XEN)  000000007fff0000 - 000000007ffff000 (ACPI data)
>> (XEN)  000000007ffff000 - 0000000080000000 (ACPI NVS)
>> (XEN)  00000000fec00000 - 00000000fec10000 (reserved)
>> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
>> (XEN)  00000000fff80000 - 0000000100000000 (reserved)
>> (XEN) System RAM: 2047MB (2096700kB)
>> (XEN) Xen heap: 9MB (10168kB)
>> (XEN) Domain heap initialised: DMA width 32 bits
>> (XEN) PAE enabled, limit: 16 GB
>> (XEN) Processor #0 15:2 APIC version 20
>> (XEN) Processor #1 15:2 APIC version 20
>> (XEN) Processor #6 15:2 APIC version 20
>> (XEN) Processor #7 15:2 APIC version 20
>> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
>> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
>> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
>> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
>> (XEN) Enabling APIC mode:  Flat.  Using 4 I/O APICs
>> (XEN) Using scheduler: SMP Credit Scheduler (credit)
>> (XEN) Detected 3189.437 MHz processor.
>> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>> (XEN) Booting processor 1/1 eip 90000
>> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>> (XEN) Booting processor 2/6 eip 90000
>> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>> (XEN) Booting processor 3/7 eip 90000
>> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>> (XEN) Total of 4 processors activated.
>> (XEN) ENABLING IO-APIC IRQs
>> (XEN)  -> Using new ACK method
>> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
>> (XEN) Platform timer overflows in 234 jiffies.
>> (XEN) Platform timer is 3.579MHz ACPI PM Timer
>> (XEN) Brought up 4 CPUs
>> (XEN) Policy len  0x168, start at 3ffff000 - module 2.
>> (XEN) acm_set_policy_reference: Activating policy example.client_v1
>> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot policy.
>> (XEN) *** LOADING DOMAIN 0 ***
>> (XEN)  Xen  kernel: 32-bit, PAE, lsb
>> (XEN)  Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
>> (XEN) PHYSICAL MEMORY ARRANGEMENT:
>> (XEN)  Dom0 alloc.:   000000003e000000->000000003f000000 (258048 pages to be allocated)
>> (XEN) VIRTUAL MEMORY ARRANGEMENT:
>> (XEN)  Loaded kernel: c0100000->c044fb7c
>> (XEN)  Init. ramdisk: c0450000->c0bba600
>> (XEN)  Phys-Mach map: c0bbb000->c0cbb000
>> (XEN)  Start info:    c0cbb000->c0cbb46c
>> (XEN)  Page tables:   c0cbc000->c0cc9000
>> (XEN)  Boot stack:    c0cc9000->c0cca000
>> (XEN)  TOTAL:         c0000000->c1000000
>> (XEN)  ENTRY ADDRESS: c0100000
>> (XEN) Dom0 has maximum 4 VCPUs
>> (XEN) Initrd len 0x76a600, start at 0xc0450000
>> (XEN) Scrubbing Free RAM: .........done.
>> (XEN) Xen trace buffers: disabled
>> (XEN) Std. Loglevel: Errors and warnings
>> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
>> (XEN) Xen is relinquishing VGA console.
>> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch input to Xen).
>> (XEN) Freed 88kB init memory.
>> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
>> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
>> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
>> -------------------------------------------------------------------------
>> Is it good in this?
>>
>> Syunsuke HAYASHI
>>  >
>>  > xen-devel-bounces@lists.xensource.com wrote on 08/27/2007 04:00:14 AM:
>>  >
>>  >  > Hi,
>>  >  > I have a problem about ACM module(hg.15730)
>>  >  > I want to label Domain-0.
>>  >  > I read xen user's manual v3.0 and "man xm" information.
>>  >  > ACM document mentions how to label Domain-0.
>>  >  > But I couldn't add the label when I tried the following steps.
>>  >  >
>>  >  >    (test1)
>>  >  >    #xm makepolicy example.client_v1
>>  >  >    #xm cfgbootpolicy example.client_v1
>>  >  >    #reboot
>>  >  >
>>  >  >    (test2)
>>  >  >    #xm setpolicy ACM example.client_v1
>>  >  >    #xm activatepolicy --boot
>>  >  >
>>  >  >    (result)
>>  >  >    [root@bx607 ~]# xm list --label
>>  >  >    Name     ID  Mem    VCPUs    State   Time(s) Label
>>  >  >    Domain-0  0  1024     4     r-----    105.1 unlabeled
>>  >  >
>>  >  > So, I tried to use "xm addlabel" command.
>>  >  >
>>  >  >    #xm makepolicy example.client_v1
>>  >  >    #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
>>  >  >
>>  >  > But I couldn't again.
>>  >  >
>>  >  > Is there any good idea?
>>  >
>>  > Is there an ssidref=... in the 'kernel' line in the grub title you
>>  > are booting? Can you send this line and remove the ssidref=... and try
>>  > again?
>>  > Otherwise if this is not the case, can you send the content of 'xm
>>  > dmesg'?
>>  >
>>  >    Stefan
>>  >  >
>>  >  > Thanks,
>>  >  >
>>  >  > Syunsuke HAYASHI
>>  >  >
>>  >  >
>>  >  >
>>  >  >
>>  >  > _______________________________________________
>>  >  > Xen-devel mailing list
>>  >  > Xen-devel@lists.xensource.com
>>  >  > http://lists.xensource.com/xen-devel
> 
> 
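
The checks suggested across this thread (policy module in the grub entry, no ssidref= on the kernel line, compiled policy present in /boot, a non-empty managed_policies file, activation visible in the hypervisor log) can be collected into one script. This is an added example, not part of any message in the thread or of Xen's tools; the function name check_acm_boot_policy and the sample files are constructed, and the script only tests that managed_policies exists and is non-empty without interpreting its contents.

```shell
#!/bin/sh
# Added example (not from the thread): static checks for an ACM boot policy.
# Usage: check_acm_boot_policy POLICY [GRUB_CONF] [BOOT_DIR] [MANAGED_FILE] [DMESG_FILE]
# Defaults are the paths quoted in the thread; DMESG_FILE is saved `xm dmesg` output.
check_acm_boot_policy() {
    policy=$1
    grub=${2:-/etc/grub.conf}
    bootdir=${3:-/boot}
    managed=${4:-/etc/xen/acm-security/policies/managed_policies}
    dmesg=${5:-}
    rc=0
    # The boot entry must load the compiled policy as a module.
    awk -v want="/$policy.bin" '$1 == "module" && $2 == want { ok = 1 } END { exit !ok }' "$grub" ||
        { echo "FAIL: no 'module /$policy.bin' line in $grub"; rc=1; }
    # Stefan's check: an ssidref= option on a kernel line should be removed.
    if awk '$1 == "kernel" && /ssidref=/ { hit = 1 } END { exit !hit }' "$grub"; then
        echo "FAIL: ssidref= present on a kernel line in $grub"; rc=1
    fi
    # Module paths are relative to the boot partition, so the file must be there.
    [ -s "$bootdir/$policy.bin" ] ||
        { echo "FAIL: $bootdir/$policy.bin missing or empty"; rc=1; }
    # George's check: managed_policies must exist and be non-empty.
    [ -s "$managed" ] ||
        { echo "FAIL: $managed missing or empty"; rc=1; }
    # Optional: the hypervisor log should show the policy being activated.
    if [ -n "$dmesg" ]; then
        grep -Fq "acm_set_policy_reference: Activating policy $policy" "$dmesg" ||
            { echo "FAIL: hypervisor log does not show $policy activated"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: boot policy files for $policy are consistent"
    return "$rc"
}

# Constructed sample: the grub stanza from the thread plus an empty
# managed_policies file (the condition George suspects).
demo=$(mktemp -d)
printf '%s\n' 'title xen-unstable0827' '    root (hd0,0)' \
    '    kernel /xen.gz dom0_mem=1024M' \
    '    module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb' \
    '    module /initrd-2.6.18-xen.img' \
    '    module /example.client_v1.bin' > "$demo/grub.conf"
echo 'constructed policy bytes' > "$demo/example.client_v1.bin"
: > "$demo/managed_policies"
check_acm_boot_policy example.client_v1 "$demo/grub.conf" "$demo" "$demo/managed_policies" ||
    echo "policy setup needs attention"
```

On the constructed sample only the managed_policies check fails; on a real host, call the function with just the policy name to use the default paths.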
