* Loading ACM policy in XSM
@ 2007-08-27  8:00 Syunsuke HAYASHI
  2007-08-28 17:17 ` [Xen-devel] " Stefan Berger
  0 siblings, 1 reply; 7+ messages in thread
From: Syunsuke HAYASHI @ 2007-08-27  8:00 UTC (permalink / raw)
  To: xen-users, xen-devel

Hi,
I have a problem with the ACM module (hg.15730).
I want to label Domain-0.
I read the Xen user's manual v3.0 and the "man xm" information.
The ACM document mentions how to label Domain-0.
But I couldn't add the label when I tried the following steps.

	(test1)
	#xm makepolicy example.client_v1
	#xm cfgbootpolicy example.client_v1
	#reboot

	(test2)
	#xm setpolicy ACM example.client_v1
	#xm activatepolicy --boot

	(result)
	[root@bx607 ~]# xm list --label
	Name     ID  Mem    VCPUs    State   Time(s) Label
	Domain-0  0  1024     4     r-----    105.1 unlabeled

So, I tried to use the "xm addlabel" command.

	#xm makepolicy example.client_v1
	#xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1

But again I couldn't.

Are there any good ideas?

Thanks,

Syunsuke HAYASHI


* Re: [Xen-devel] Loading ACM policy in XSM
  2007-08-27  8:00 Loading ACM policy in XSM Syunsuke HAYASHI
@ 2007-08-28 17:17 ` Stefan Berger
       [not found]   ` <46D4F586.1090007@jp.fujitsu.com>
  0 siblings, 1 reply; 7+ messages in thread
From: Stefan Berger @ 2007-08-28 17:17 UTC (permalink / raw)
  To: Syunsuke HAYASHI; +Cc: xen-devel, xen-users, Reiner Sailer



xen-devel-bounces@lists.xensource.com wrote on 08/27/2007 04:00:14 AM:

> Hi,
> I have a problem about ACM module(hg.15730)
> I want to label Domain-0.
> I read xen user's manual v3.0 and "man xm" information.
> ACM document mentions how to label Domain-0.
> But I couldn't add the label when I tried the following steps.
> 
>    (test1)
>    #xm makepolicy example.client_v1
>    #xm cfgbootpolicy example.client_v1
>    #reboot
> 
>    (test2)
>    #xm setpolicy ACM example.client_v1
>    #xm activatepolicy --boot
> 
>    (result)
>    [root@bx607 ~]# xm list --label
>    Name     ID  Mem    VCPUs    State   Time(s) Label
>    Domain-0  0  1024     4     r-----    105.1 unlabeled
> 
> So,I tried to use "xm addlabel" command.
> 
>    #xm makepolicy example.client_v1
>    #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
> 
> But I couldn't again.
> 
> Is there any good idea ?

Is there an ssidref=... in the 'kernel' line in the grub title you are 
booting? Can you send this line and remove the ssidref=... and try again? 
Otherwise if this is not the case, can you send the content of 'xm dmesg'?

   Stefan

* Re: Loading ACM policy in XSM
       [not found]   ` <46D4F586.1090007@jp.fujitsu.com>
@ 2007-08-29 13:50     ` George S. Coker, II
  2007-08-30  5:16       ` Syunsuke HAYASHI
  2007-09-11 10:28       ` [Xen-users] " Syunsuke HAYASHI
  0 siblings, 2 replies; 7+ messages in thread
From: George S. Coker, II @ 2007-08-29 13:50 UTC (permalink / raw)
  To: Syunsuke HAYASHI; +Cc: xen-devel, xen-users

I believe that your 'managed_policies' file is missing or empty.  Please
look at /etc/xen/acm-security/policies/managed_policies.  If this is a
new installation, I do not believe that ACM will create the
'managed_policies' file.

George

On Wed, 2007-08-29 at 13:26 +0900, Syunsuke HAYASHI wrote:
> Hi, Stefan
> Thank you for the help.
> 
> I was not describing an ssidref=... in grub.conf.
> I show grub.conf and dmesg when I execute "xm chgpolicy 
> example.client_v1" command and reboot.
> 
> ----------------------------grub.conf--------------------------------------
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this file
> # NOTICE:  You have a /boot partition.  This means that
> #          all kernel and initrd paths are relative to /boot/, eg.
> #          root (hd0,0)
> #          kernel /vmlinuz-version ro root=/dev/sda3
> #          initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title xen-unstable0827
>      root (hd0,0)
>      kernel /xen.gz dom0_mem=1024M
>      module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
>      module /initrd-2.6.18-xen.img
>      module /example.client_v1.bin
> 
> 
> -----------------------------dmesg----------------------------------------
>   __  __            _____  ___                     _        _     _
>   \ \/ /___ _ __   |___ / / _ \    _   _ _ __  ___| |_ __ _| |__ | | ___
>    \  // _ \ '_ \    |_ \| | | |__| | | | '_ \/ __| __/ _` | '_ \| |/ _ \
>    /  \  __/ | | |  ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | |  __/
>   /_/\_\___|_| |_| |____(_)___/    \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
> 
>   http://www.cl.cam.ac.uk/netos/xen
>   University of Cambridge Computer Laboratory
> 
>   Xen version 3.0-unstable (root@sky.yk.fujitsu.co.jp) (gcc version 
> 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
>   Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
> 
> (XEN) Command line: /xen.gz dom0_mem=1024M
> (XEN) Video information:
> (XEN)  VGA is text mode 80x25, font 8x16
> (XEN)  VBE/DDC methods: V2; EDID transfer time: 2 seconds
> (XEN) Disc information:
> (XEN)  Found 1 MBR signatures
> (XEN)  Found 1 EDD information structures
> (XEN) Xen-e820 RAM map:
> (XEN)  0000000000000000 - 000000000009f000 (usable)
> (XEN)  000000000009f000 - 00000000000a0000 (reserved)
> (XEN)  00000000000d6000 - 00000000000d8000 (reserved)
> (XEN)  00000000000e0000 - 0000000000100000 (reserved)
> (XEN)  0000000000100000 - 000000007fff0000 (usable)
> (XEN)  000000007fff0000 - 000000007ffff000 (ACPI data)
> (XEN)  000000007ffff000 - 0000000080000000 (ACPI NVS)
> (XEN)  00000000fec00000 - 00000000fec10000 (reserved)
> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
> (XEN)  00000000fff80000 - 0000000100000000 (reserved)
> (XEN) System RAM: 2047MB (2096700kB)
> (XEN) Xen heap: 9MB (10168kB)
> (XEN) Domain heap initialised: DMA width 32 bits
> (XEN) PAE enabled, limit: 16 GB
> (XEN) Processor #0 15:2 APIC version 20
> (XEN) Processor #1 15:2 APIC version 20
> (XEN) Processor #6 15:2 APIC version 20
> (XEN) Processor #7 15:2 APIC version 20
> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
> (XEN) Enabling APIC mode:  Flat.  Using 4 I/O APICs
> (XEN) Using scheduler: SMP Credit Scheduler (credit)
> (XEN) Detected 3189.437 MHz processor.
> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> (XEN) Booting processor 1/1 eip 90000
> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> (XEN) Booting processor 2/6 eip 90000
> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> (XEN) Booting processor 3/7 eip 90000
> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> (XEN) Total of 4 processors activated.
> (XEN) ENABLING IO-APIC IRQs
> (XEN)  -> Using new ACK method
> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
> (XEN) Platform timer overflows in 234 jiffies.
> (XEN) Platform timer is 3.579MHz ACPI PM Timer
> (XEN) Brought up 4 CPUs
> (XEN) Policy len  0x168, start at 3ffff000 - module 2.
> (XEN) acm_set_policy_reference: Activating policy example.client_v1
> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot 
> policy.
> (XEN) *** LOADING DOMAIN 0 ***
> (XEN)  Xen  kernel: 32-bit, PAE, lsb
> (XEN)  Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
> (XEN) PHYSICAL MEMORY ARRANGEMENT:
> (XEN)  Dom0 alloc.:   000000003e000000->000000003f000000 (258048 pages 
> to be allocated)
> (XEN) VIRTUAL MEMORY ARRANGEMENT:
> (XEN)  Loaded kernel: c0100000->c044fb7c
> (XEN)  Init. ramdisk: c0450000->c0bba600
> (XEN)  Phys-Mach map: c0bbb000->c0cbb000
> (XEN)  Start info:    c0cbb000->c0cbb46c
> (XEN)  Page tables:   c0cbc000->c0cc9000
> (XEN)  Boot stack:    c0cc9000->c0cca000
> (XEN)  TOTAL:         c0000000->c1000000
> (XEN)  ENTRY ADDRESS: c0100000
> (XEN) Dom0 has maximum 4 VCPUs
> (XEN) Initrd len 0x76a600, start at 0xc0450000
> (XEN) Scrubbing Free RAM: .........done.
> (XEN) Xen trace buffers: disabled
> (XEN) Std. Loglevel: Errors and warnings
> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
> (XEN) Xen is relinquishing VGA console.
> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch 
> input to Xen).
> (XEN) Freed 88kB init memory.
> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
> -------------------------------------------------------------------------
> Is it good in this ?
> 
> Syunsuke HAYASHI

* Re: Loading ACM policy in XSM
  2007-08-29 13:50     ` George S. Coker, II
@ 2007-08-30  5:16       ` Syunsuke HAYASHI
  2007-09-11 10:28       ` [Xen-users] " Syunsuke HAYASHI
  1 sibling, 0 replies; 7+ messages in thread
From: Syunsuke HAYASHI @ 2007-08-30  5:16 UTC (permalink / raw)
  To: xen-devel

Hi, George.

I checked it as George said.
The "Managed-policy" file is put on /etc/xen/acm-security/policies/example/.

The following steps show it.

--1--
#pwd
/etc/xen/acm-security/policies/example
#ls
client_v1-security_policy.xml  client_v1.bin  client_v1.map
test-security_policy.xml

--2--
#xm makepolicy example.client_v1 <---- looks good
#xm cfgbootpolicy example.client_v1 <---- looks good
Boot entry 'xen-unstable0827' extended and 'example.client_v1.bin'
copied to /boot

--3--
#cat /etc/grub.conf
title xen-unstable0827
        root (hd0,0)
        kernel /xen.gz dom0_mem=1024M
        module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
        module /initrd-2.6.18-xen.img
        module /example.client_v1.bin
#cd /boot
#ls
System.map-2.6.18-xen         initrd-2.6.18-xen.img
vmlinuz-2.6.21-1.3194.fc7
System.map-2.6.21-1.3194.fc7  initrd-2.6.18-xenU.img
xen-3.0-unstable.gz
client_v1.bin                 initrd-2.6.21-1.3194.fc7.img  xen-3.0.gz
config-2.6.18-xen             lost+found                    xen-3.gz
config-2.6.21-1.3194.fc7      vmlinux-syms-2.6.18-xen
xen-syms-3.0-unstable
example.test.bin              vmlinuz-2.6-xen               xen.gz
grub                          vmlinuz-2.6.18-xen
example.client_v1.bin

--4--
#xm list --label  <-- I think this is the failure.
Name       ID   Mem  VCPUs   State   Time(s)  Label
Domain-0    0  1024   4     r-----     98.4  unlabeled

Are there any good ideas?

Thanks,

Syunsuke HAYASHI


* Re: [Xen-users] Re: Loading ACM policy in XSM
  2007-08-29 13:50     ` George S. Coker, II
  2007-08-30  5:16       ` Syunsuke HAYASHI
@ 2007-09-11 10:28       ` Syunsuke HAYASHI
  2007-09-11 22:05         ` George S. Coker, II
  1 sibling, 1 reply; 7+ messages in thread
From: Syunsuke HAYASHI @ 2007-09-11 10:28 UTC (permalink / raw)
  To: xen-devel, George S. Coker, II

Hi
Thank you for the help.

I have a question about how to make 'managed_policies'.
I understood that 'managed_policies' was made by the "xm setpolicy" command.
But I don't know how to call "xm setpolicy" from 'Xen-api'.

How should I call it?

--------------------------------xm setpolicy----------------------------
#xm setpolicy ACM example.client_v1 --boot

Error: xm needs to be configured to use the xen-api.
Usage: xm setpolicy <policytype> <policyfile> [options]
Set the policy of the system.
    Usage: xm setpolicy <policytype> <policy> [options]

    Set the policy managed by xend.

    The only policytype that is currently supported is 'ACM'.

    The following options are defined
      --load     Load the policy immediately
      --boot     Have the system load the policy during boot
      --update   Automatically adapt the policy so that it will be
                 treated as an update to the current policy
--------------------------------------------------------------------------

Thanks,

Syunsuke HAYASHI

^ permalink raw reply	[flat|nested] 7+ messages in thread
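
An added example, not part of any message in this thread and not xend's own code: a check that the policy binary named on the grub 'module' line is registered in 'managed_policies', using the file format George S. Coker gives in his 2007-09-11 reply, and that the 'kernel' line carries no ssidref= (Stefan Berger's question). The function names, the ".bin" heuristic for spotting the policy module, the UUID check on the keys and the use of ast to read the file are assumptions made for this sketch.

```python
import ast
import posixpath
import uuid

# Constructed inputs, modelled on the grub.conf and managed_policies text quoted in the thread.
GRUB_CONF = """\
default=0
timeout=5
title xen-unstable0827
     root (hd0,0)
     kernel /xen.gz dom0_mem=1024M
     module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
     module /initrd-2.6.18-xen.img
     module /example.client_v1.bin
"""

MANAGED_OK = """\
managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
}
"""


def parse_managed_policies(text):
    """Return {uuid: (name, type)} from the file text without executing it."""
    try:
        tree = ast.parse(text)
    except SyntaxError as exc:
        raise ValueError("managed_policies is not valid Python: %s" % exc)
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id == "managed_policies"):
            value = ast.literal_eval(node.value)  # literals only, no code runs
            if not isinstance(value, dict):
                raise ValueError("managed_policies must be a dict")
            return value
    return {}  # empty file, or no managed_policies assignment in it


def boot_stanza(grub_text, title):
    """Return the stripped lines that belong to one grub 'title' entry."""
    lines, inside = [], False
    for line in grub_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("title "):
            inside = stripped[len("title "):].strip() == title
        elif inside and stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def audit(grub_text, title, managed_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    stanza = boot_stanza(grub_text, title)
    if not stanza:
        return ["no grub entry titled %r" % title]
    findings = []
    if any(l.startswith("kernel ") and "ssidref=" in l for l in stanza):
        findings.append("kernel line carries ssidref=")
    # Assumption: the policy is the 'module' whose file name ends in .bin.
    boot_policies = [posixpath.basename(l.split()[1])[:-4]
                     for l in stanza
                     if l.startswith("module ") and l.split()[1].endswith(".bin")]
    if not boot_policies:
        findings.append("boot entry loads no policy module")
    registered = {}
    for key, entry in parse_managed_policies(managed_text).items():
        try:
            uuid.UUID(key)          # keys in the thread's example are UUID strings
            name, ptype = entry     # values are (policy name, policy type)
        except (ValueError, TypeError, AttributeError):
            findings.append("malformed managed_policies entry %r" % (key,))
            continue
        registered[name] = ptype
    for policy in boot_policies:
        if policy not in registered:
            findings.append("boot policy %r is not listed in managed_policies" % policy)
        elif registered[policy] != "ACM":  # xm help: only 'ACM' is supported
            findings.append("boot policy %r has unsupported type %r"
                            % (policy, registered[policy]))
    return findings


if __name__ == "__main__":
    # An empty managed_policies file, the condition George suspects.
    for finding in audit(GRUB_CONF, "xen-unstable0827", ""):
        print(finding)
```
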

* Re: [Xen-users] Re: Loading ACM policy in XSM
  2007-09-11 10:28       ` [Xen-users] " Syunsuke HAYASHI
@ 2007-09-11 22:05         ` George S. Coker, II
  2007-09-12  7:23           ` Syunsuke HAYASHI
  0 siblings, 1 reply; 7+ messages in thread
From: George S. Coker, II @ 2007-09-11 22:05 UTC (permalink / raw)
  To: Syunsuke HAYASHI; +Cc: xen-devel

You need to make sure that xm and xend are set up for xen-api.  On my
system I had to use the -xenapi config files in /etc/xen.

You could also create a managed_policies file by hand.  The format of
the file is:

managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
}

> >>    /  \  __/ | | |  ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | |  __/
> >>   /_/\_\___|_| |_| |____(_)___/    \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
> >>
> >>   http://www.cl.cam.ac.uk/netos/xen
> >>   University of Cambridge Computer Laboratory
> >>
> >>   Xen version 3.0-unstable (root@sky.yk.fujitsu.co.jp) (gcc version 
> >> 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
> >>   Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
> >>
> >> (XEN) Command line: /xen.gz dom0_mem=1024M
> >> (XEN) Video information:
> >> (XEN)  VGA is text mode 80x25, font 8x16
> >> (XEN)  VBE/DDC methods: V2; EDID transfer time: 2 seconds
> >> (XEN) Disc information:
> >> (XEN)  Found 1 MBR signatures
> >> (XEN)  Found 1 EDD information structures
> >> (XEN) Xen-e820 RAM map:
> >> (XEN)  0000000000000000 - 000000000009f000 (usable)
> >> (XEN)  000000000009f000 - 00000000000a0000 (reserved)
> >> (XEN)  00000000000d6000 - 00000000000d8000 (reserved)
> >> (XEN)  00000000000e0000 - 0000000000100000 (reserved)
> >> (XEN)  0000000000100000 - 000000007fff0000 (usable)
> >> (XEN)  000000007fff0000 - 000000007ffff000 (ACPI data)
> >> (XEN)  000000007ffff000 - 0000000080000000 (ACPI NVS)
> >> (XEN)  00000000fec00000 - 00000000fec10000 (reserved)
> >> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
> >> (XEN)  00000000fff80000 - 0000000100000000 (reserved)
> >> (XEN) System RAM: 2047MB (2096700kB)
> >> (XEN) Xen heap: 9MB (10168kB)
> >> (XEN) Domain heap initialised: DMA width 32 bits
> >> (XEN) PAE enabled, limit: 16 GB
> >> (XEN) Processor #0 15:2 APIC version 20
> >> (XEN) Processor #1 15:2 APIC version 20
> >> (XEN) Processor #6 15:2 APIC version 20
> >> (XEN) Processor #7 15:2 APIC version 20
> >> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
> >> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
> >> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
> >> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
> >> (XEN) Enabling APIC mode:  Flat.  Using 4 I/O APICs
> >> (XEN) Using scheduler: SMP Credit Scheduler (credit)
> >> (XEN) Detected 3189.437 MHz processor.
> >> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> >> (XEN) Booting processor 1/1 eip 90000
> >> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> >> (XEN) Booting processor 2/6 eip 90000
> >> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> >> (XEN) Booting processor 3/7 eip 90000
> >> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
> >> (XEN) Total of 4 processors activated.
> >> (XEN) ENABLING IO-APIC IRQs
> >> (XEN)  -> Using new ACK method
> >> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
> >> (XEN) Platform timer overflows in 234 jiffies.
> >> (XEN) Platform timer is 3.579MHz ACPI PM Timer
> >> (XEN) Brought up 4 CPUs
> >> (XEN) Policy len  0x168, start at 3ffff000 - module 2.
> >> (XEN) acm_set_policy_reference: Activating policy example.client_v1
> >> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot 
> >> policy.
> >> (XEN) *** LOADING DOMAIN 0 ***
> >> (XEN)  Xen  kernel: 32-bit, PAE, lsb
> >> (XEN)  Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
> >> (XEN) PHYSICAL MEMORY ARRANGEMENT:
> >> (XEN)  Dom0 alloc.:   000000003e000000->000000003f000000 (258048 pages 
> >> to be allocated)
> >> (XEN) VIRTUAL MEMORY ARRANGEMENT:
> >> (XEN)  Loaded kernel: c0100000->c044fb7c
> >> (XEN)  Init. ramdisk: c0450000->c0bba600
> >> (XEN)  Phys-Mach map: c0bbb000->c0cbb000
> >> (XEN)  Start info:    c0cbb000->c0cbb46c
> >> (XEN)  Page tables:   c0cbc000->c0cc9000
> >> (XEN)  Boot stack:    c0cc9000->c0cca000
> >> (XEN)  TOTAL:         c0000000->c1000000
> >> (XEN)  ENTRY ADDRESS: c0100000
> >> (XEN) Dom0 has maximum 4 VCPUs
> >> (XEN) Initrd len 0x76a600, start at 0xc0450000
> >> (XEN) Scrubbing Free RAM: .........done.
> >> (XEN) Xen trace buffers: disabled
> >> (XEN) Std. Loglevel: Errors and warnings
> >> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
> >> (XEN) Xen is relinquishing VGA console.
> >> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch 
> >> input to Xen).
> >> (XEN) Freed 88kB init memory.
> >> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
> >> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
> >> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
> >> -------------------------------------------------------------------------
> >> Is it good in this ?
> >>
> >> Syunsuke HAYASHI
> >>  >
> >>  > xen-devel-bounces@lists.xensource.com wrote on 08/27/2007 04:00:14 AM:
> >>  >
> >>  >  > Hi,
> >>  >  > I have a problem about ACM module(hg.15730)
> >>  >  > I want to label Domain-0.
> >>  >  > I read xen user's manual v3.0 and "man xm" information.
> >>  >  > ACM document mentions how to label Domain-0.
> >>  >  > But I couldn't add the label when I tried the following steps.
> >>  >  >
> >>  >  >    (test1)
> >>  >  >    #xm makepolicy example.client_v1
> >>  >  >    #xm cfgbootpolicy example.client_v1
> >>  >  >    #reboot
> >>  >  >
> >>  >  >    (test2)
> >>  >  >    #xm setpolicy ACM example.client_v1
> >>  >  >    #xm activatepolicy --boot
> >>  >  >
> >>  >  >    (result)
> >>  >  >    [root@bx607 ~]# xm list --label
> >>  >  >    Name     ID  Mem    VCPUs    State   Time(s) Label
> >>  >  >    Domain-0  0  1024     4     r-----    105.1 unlabeled
> >>  >  >
> >>  >  > So,I tried to use "xm addlabel" command.
> >>  >  >
> >>  >  >    #xm makepolicy example.client_v1
> >>  >  >    #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
> >>  >  >
> >>  >  > But I couldn't again.
> >>  >  >
> >>  >  > Is there any good idea ?
> >>  >
> >>  > Is there an ssidref=... in the 'kernel' line in the grub title you 
> >> are booting? Can you send this line and remove the ssidref=... and try 
> >> again?
> >>  > Otherwise if this is not the case, can you send the content of 'xm 
> >> dmesg'?
> >>  >
> >>  >    Stefan
> >>  >  >
> >>  >  > Thanks,
> >>  >  >
> >>  >  > Syunsuke HAYASHI
-- 
George S. Coker, II <gscoker@alpha.ncsc.mil> 443-479-6944
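
An added example, not part of George's message and not Xen's own code: a check for a hand-written managed_policies file in the format given in the message above, parsed as data with ast.literal_eval instead of being executed. The function names are hypothetical, the sample is constructed from the message's two entries, and how xend itself reads the file is not stated in this thread.

```python
import ast
import uuid

# Constructed sample using the two entries from the message above.
SAMPLE = '''managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
}
'''

# The xm usage text quoted in this thread names 'ACM' as the only supported type.
SUPPORTED_TYPES = {"ACM"}


def parse_managed_policies(text):
    """Return {uuid: (policy_name, policy_type)}; nothing in the file is executed."""
    if not text.strip():
        raise ValueError("managed_policies is empty")
    try:
        body = ast.parse(text).body
    except SyntaxError as exc:
        raise ValueError("not parseable: %s" % exc)
    if (len(body) != 1 or not isinstance(body[0], ast.Assign)
            or len(body[0].targets) != 1
            or not isinstance(body[0].targets[0], ast.Name)
            or body[0].targets[0].id != "managed_policies"):
        raise ValueError("expected exactly one 'managed_policies = {...}' assignment")
    node = body[0].value
    if not isinstance(node, ast.Dict):
        raise ValueError("managed_policies must be a dict literal")
    try:
        table = ast.literal_eval(node)  # rejects calls, names, attribute access
    except (ValueError, TypeError) as exc:
        raise ValueError("dict contains a non-literal: %s" % exc)
    if len(table) != len(node.keys):
        raise ValueError("duplicate UUID key; the later entry would silently win")
    for key, value in table.items():
        if not isinstance(key, str) or str(uuid.UUID(key)) != key.lower():
            raise ValueError("key is not a canonical UUID: %r" % (key,))
        if (not isinstance(value, tuple) or len(value) != 2
                or not all(isinstance(v, str) for v in value)):
            raise ValueError("entry %s is not a (name, type) pair" % key)
        if value[1] not in SUPPORTED_TYPES:
            raise ValueError("unsupported policy type %r for %s" % (value[1], key))
    return table


def uuids_for(table, policy_name):
    """UUIDs under which a policy name is registered (empty list if none)."""
    return sorted(k for k, (name, _type) in table.items() if name == policy_name)


if __name__ == "__main__":
    policies = parse_managed_policies(SAMPLE)
    for key in sorted(policies):
        print(key, policies[key])
    print("example.client_v1 registered as:", uuids_for(policies, "example.client_v1"))
```
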


* Re: [Xen-users] Re: Loading ACM policy in XSM
  2007-09-11 22:05         ` George S. Coker, II
@ 2007-09-12  7:23           ` Syunsuke HAYASHI
  0 siblings, 0 replies; 7+ messages in thread
From: Syunsuke HAYASHI @ 2007-09-12  7:23 UTC (permalink / raw)
  To: xen-devel, George S. Coker, II

Hi, George.

I tried it as George said.

#ls /etc/xen/acm-security/policies/
client_v1-security_policy.xml
default-ul-security_policy.xml
managed_policies
security_policy.xsd
default-security_policy.xml
example
resource_labels
test-security_policy.xml

#xm list --label
Name                                      ID   Mem VCPUs      State   Time(s) Label
Domain-0                                   0  1024     2     r-----     86.1 ACM:example.client_v1:dom_SystemManagement

#xm create vm1.conf
Using config file "./vm1.conf".
Started domain vm1

#xm list --label
Name    ID Mem VCPUs State Time(s) Label
vm1      1 128  1 r----- 4.7  ACM:example.client_v1:dom_HomeBanking
Domain-0 0 1024 2 r----- 94.6 ACM:example.client_v1:dom_SystemManagement

It looks good.
Thank you for your help.


Syunsuke HAYASHI
> You need to make sure that xm and xend are setup for xen-api.  On my
> system I had to use the -xenapi config files in /etc/xen.
> 
> You could also create a managed_policies file by hand.  The format of
> the file is:
> 
> managed_policies = {
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1',
> 'ACM'),
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
> }
> 
