From: Syunsuke HAYASHI <syunsuke@jp.fujitsu.com>
To: xen-devel@lists.xensource.com, "George S. Coker, II" <gscoker@alpha.ncsc.mil>
Subject: Re: [Xen-users] Re: Loading ACM policy in XSM
Date: Wed, 12 Sep 2007 16:23:18 +0900	[thread overview]
Message-ID: <46E793E6.2040605@jp.fujitsu.com> (raw)
In-Reply-To: <1189548345.7258.34.camel@moss-walleye.epoch.ncsc.mil>

Hi, George.

I tried it as George said.

#ls /etc/xen/acm-security/policies/
client_v1-security_policy.xml
default-ul-security_policy.xml
managed_policies
security_policy.xsd
default-security_policy.xml
example
resource_labels
test-security_policy.xml

#xm list --label
Name                                      ID   Mem VCPUs      State   Time(s) Label
Domain-0                                   0  1024     2     r-----     86.1 ACM:example.client_v1:dom_SystemManagement

#xm create vm1.conf
Using config file "./vm1.conf".
Started domain vm1

#xm list --label
Name    ID Mem VCPUs State Time(s) Label
vm1      1 128  1 r----- 4.7  ACM:example.client_v1:dom_HomeBanking
Domain-0 0 1024 2 r----- 94.6 ACM:example.client_v1:dom_SystemManagement

It looks good.
Thank you for your help.


Syunsuke HAYASHI
> You need to make sure that xm and xend are setup for xen-api.  On my
> system I had to use the -xenapi config files in /etc/xen.
> 
> You could also create a managed_policies file by hand.  The format of
> the file is:
> 
> managed_policies = {
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1',
> 'ACM'),
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
> }
> 
> On Tue, 2007-09-11 at 19:28 +0900, Syunsuke HAYASHI wrote: 
>> Hi
>> Thank you for the help.
>>
>> I have a question about how to make 'managed_policies'.
>> I understood that 'managed_policies' was made from "xm setpolicy" command.
>> But I don't know how to call "xm setpolicy" from 'Xen-api'.
>>
>> How should I call it?
>>
>> --------------------------------xm setpolicy----------------------------
>> #xm setpolicy ACM example.client_v1 --boot
>>
>> Error: xm needs to be configured to use the xen-api.
>> Usage: xm setpolicy <policytype> <policyfile> [options]
>> Set the policy of the system.
>>     Usage: xm setpolicy <policytype> <policy> [options]
>>
>>     Set the policy managed by xend.
>>
>>     The only policytype that is currently supported is 'ACM'.
>>
>>     The following options are defined
>>       --load     Load the policy immediately
>>       --boot     Have the system load the policy during boot
>>       --update   Automatically adapt the policy so that it will be
>>                  treated as an update to the current policy
>> --------------------------------------------------------------------------
>>
>> Thanks,
>>
>> Syunsuke HAYASHI
>>> I believe that your 'managed_policies' file is missing or empty.  Please
>>> look at /etc/xen/acm-security/policies/managed_policies.  If this is a
>>> new installation, I do not believe that ACM will create the
>>> 'managed_policies' file.
>>>
>>> George
>>>
>>> On Wed, 2007-08-29 at 13:26 +0900, Syunsuke HAYASHI wrote:
>>>> Hi, Stefan
>>>> Thank you for the help.
>>>>
>>>> I was not describing an ssidref=... in grub.conf.
>>>> I show grub.conf and dmesg when I execute the "xm chgpolicy example.client_v1" command and reboot.
>>>>
>>>> ----------------------------grub.conf--------------------------------------
>>>> # grub.conf generated by anaconda
>>>> #
>>>> # Note that you do not have to rerun grub after making changes to this file
>>>> # NOTICE:  You have a /boot partition.  This means that
>>>> #          all kernel and initrd paths are relative to /boot/, eg.
>>>> #          root (hd0,0)
>>>> #          kernel /vmlinuz-version ro root=/dev/sda3
>>>> #          initrd /initrd-version.img
>>>> #boot=/dev/sda
>>>> default=0
>>>> timeout=5
>>>> splashimage=(hd0,0)/grub/splash.xpm.gz
>>>> hiddenmenu
>>>> title xen-unstable0827
>>>>      root (hd0,0)
>>>>      kernel /xen.gz dom0_mem=1024M
>>>>      module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
>>>>      module /initrd-2.6.18-xen.img
>>>>      module /example.client_v1.bin
>>>>
>>>>
>>>> -----------------------------dmesg----------------------------------------
>>>>   __  __            _____  ___                     _        _     _
>>>>   \ \/ /___ _ __   |___ / / _ \    _   _ _ __  ___| |_ __ _| |__ | | ___
>>>>    \  // _ \ '_ \    |_ \| | | |__| | | | '_ \/ __| __/ _` | '_ \| |/ _ \
>>>>    /  \  __/ | | |  ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | |  __/
>>>>   /_/\_\___|_| |_| |____(_)___/    \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
>>>>
>>>>   http://www.cl.cam.ac.uk/netos/xen
>>>>   University of Cambridge Computer Laboratory
>>>>
>>>>   Xen version 3.0-unstable (root@sky.yk.fujitsu.co.jp) (gcc version 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
>>>>   Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
>>>>
>>>> (XEN) Command line: /xen.gz dom0_mem=1024M
>>>> (XEN) Video information:
>>>> (XEN)  VGA is text mode 80x25, font 8x16
>>>> (XEN)  VBE/DDC methods: V2; EDID transfer time: 2 seconds
>>>> (XEN) Disc information:
>>>> (XEN)  Found 1 MBR signatures
>>>> (XEN)  Found 1 EDD information structures
>>>> (XEN) Xen-e820 RAM map:
>>>> (XEN)  0000000000000000 - 000000000009f000 (usable)
>>>> (XEN)  000000000009f000 - 00000000000a0000 (reserved)
>>>> (XEN)  00000000000d6000 - 00000000000d8000 (reserved)
>>>> (XEN)  00000000000e0000 - 0000000000100000 (reserved)
>>>> (XEN)  0000000000100000 - 000000007fff0000 (usable)
>>>> (XEN)  000000007fff0000 - 000000007ffff000 (ACPI data)
>>>> (XEN)  000000007ffff000 - 0000000080000000 (ACPI NVS)
>>>> (XEN)  00000000fec00000 - 00000000fec10000 (reserved)
>>>> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
>>>> (XEN)  00000000fff80000 - 0000000100000000 (reserved)
>>>> (XEN) System RAM: 2047MB (2096700kB)
>>>> (XEN) Xen heap: 9MB (10168kB)
>>>> (XEN) Domain heap initialised: DMA width 32 bits
>>>> (XEN) PAE enabled, limit: 16 GB
>>>> (XEN) Processor #0 15:2 APIC version 20
>>>> (XEN) Processor #1 15:2 APIC version 20
>>>> (XEN) Processor #6 15:2 APIC version 20
>>>> (XEN) Processor #7 15:2 APIC version 20
>>>> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
>>>> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
>>>> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
>>>> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
>>>> (XEN) Enabling APIC mode:  Flat.  Using 4 I/O APICs
>>>> (XEN) Using scheduler: SMP Credit Scheduler (credit)
>>>> (XEN) Detected 3189.437 MHz processor.
>>>> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 1/1 eip 90000
>>>> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 2/6 eip 90000
>>>> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 3/7 eip 90000
>>>> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Total of 4 processors activated.
>>>> (XEN) ENABLING IO-APIC IRQs
>>>> (XEN)  -> Using new ACK method
>>>> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
>>>> (XEN) Platform timer overflows in 234 jiffies.
>>>> (XEN) Platform timer is 3.579MHz ACPI PM Timer
>>>> (XEN) Brought up 4 CPUs
>>>> (XEN) Policy len  0x168, start at 3ffff000 - module 2.
>>>> (XEN) acm_set_policy_reference: Activating policy example.client_v1
>>>> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot policy.
>>>> (XEN) *** LOADING DOMAIN 0 ***
>>>> (XEN)  Xen  kernel: 32-bit, PAE, lsb
>>>> (XEN)  Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
>>>> (XEN) PHYSICAL MEMORY ARRANGEMENT:
>>>> (XEN)  Dom0 alloc.:   000000003e000000->000000003f000000 (258048 pages to be allocated)
>>>> (XEN) VIRTUAL MEMORY ARRANGEMENT:
>>>> (XEN)  Loaded kernel: c0100000->c044fb7c
>>>> (XEN)  Init. ramdisk: c0450000->c0bba600
>>>> (XEN)  Phys-Mach map: c0bbb000->c0cbb000
>>>> (XEN)  Start info:    c0cbb000->c0cbb46c
>>>> (XEN)  Page tables:   c0cbc000->c0cc9000
>>>> (XEN)  Boot stack:    c0cc9000->c0cca000
>>>> (XEN)  TOTAL:         c0000000->c1000000
>>>> (XEN)  ENTRY ADDRESS: c0100000
>>>> (XEN) Dom0 has maximum 4 VCPUs
>>>> (XEN) Initrd len 0x76a600, start at 0xc0450000
>>>> (XEN) Scrubbing Free RAM: .........done.
>>>> (XEN) Xen trace buffers: disabled
>>>> (XEN) Std. Loglevel: Errors and warnings
>>>> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
>>>> (XEN) Xen is relinquishing VGA console.
>>>> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch input to Xen).
>>>> (XEN) Freed 88kB init memory.
>>>> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
>>>> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
>>>> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
>>>> -------------------------------------------------------------------------
>>>> Is it good in this?
>>>>
>>>> Syunsuke HAYASHI
>>>>  >
>>>>  > xen-devel-bounces@lists.xensource.com wrote on 08/27/2007 04:00:14 AM:
>>>>  >
>>>>  >  > Hi,
>>>>  >  > I have a problem about ACM module (hg.15730)
>>>>  >  > I want to label Domain-0.
>>>>  >  > I read xen user's manual v3.0 and "man xm" information.
>>>>  >  > ACM document mentions how to label Domain-0.
>>>>  >  > But I couldn't add the label when I tried the following steps.
>>>>  >  >
>>>>  >  >    (test1)
>>>>  >  >    #xm makepolicy example.client_v1
>>>>  >  >    #xm cfgbootpolicy example.client_v1
>>>>  >  >    #reboot
>>>>  >  >
>>>>  >  >    (test2)
>>>>  >  >    #xm setpolicy ACM example.client_v1
>>>>  >  >    #xm activatepolicy --boot
>>>>  >  >
>>>>  >  >    (result)
>>>>  >  >    [root@bx607 ~]# xm list --label
>>>>  >  >    Name     ID  Mem    VCPUs    State   Time(s) Label
>>>>  >  >    Domain-0  0  1024     4     r-----    105.1 unlabeled
>>>>  >  >
>>>>  >  > So, I tried to use "xm addlabel" command.
>>>>  >  >
>>>>  >  >    #xm makepolicy example.client_v1
>>>>  >  >    #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
>>>>  >  >
>>>>  >  > But I couldn't again.
>>>>  >  >
>>>>  >  > Is there any good idea?
>>>>  >
>>>>  > Is there an ssidref=... in the 'kernel' line in the grub title you are booting? Can you send this line and remove the ssidref=... and try again?
>>>>  > Otherwise if this is not the case, can you send the content of 'xm dmesg'?
>>>>  >
>>>>  >    Stefan
>>>>  >  >
>>>>  >  > Thanks,
>>>>  >  >
>>>>  >  > Syunsuke HAYASHI
>>>>  >  >
>>>>  >  >
>>>>  >  >
>>>>  >  >
>>>>  >  > _______________________________________________
>>>>  >  > Xen-devel mailing list
>>>>  >  > Xen-devel@lists.xensource.com
>>>>  >  > http://lists.xensource.com/xen-devel
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@lists.xensource.com
>>> http://lists.xensource.com/xen-users
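
George's hand-written managed_policies format and the `xm list --label` output above can be cross-checked before trusting the labels a host reports. The following is an added example, not code from the thread or from xend: it parses a managed_policies dict literal safely, validates each entry (UUID key, (name, 'ACM') pair), and flags any domain whose label is 'unlabeled' or refers to a policy that is not managed. The sample inputs are constructed from the values quoted in the thread.

```python
import ast
import re

# Constructed sample in the dict-literal format George describes above.
MANAGED_POLICIES_TEXT = """
managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
}
"""
# Constructed sample of `xm list --label` output, as shown in the thread.
XM_LIST_LABEL_TEXT = """\
Name     ID  Mem VCPUs State  Time(s) Label
vm1       1  128     1 r-----     4.7 ACM:example.client_v1:dom_HomeBanking
Domain-0  0 1024     2 r-----    94.6 ACM:example.client_v1:dom_SystemManagement
"""
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_managed_policies(text):
    """Return {uuid: (policy_name, policy_type)}; literal_eval accepts
    literals only, so a hand-edited file cannot run code as exec() would."""
    return ast.literal_eval(text[text.index("{"):text.rindex("}") + 1])

def validate_managed_policies(policies):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    for uuid, value in policies.items():
        if not UUID_RE.match(uuid):
            problems.append("bad uuid key: %r" % uuid)
        if len(value) != 2 or value[1] != "ACM":  # only 'ACM' is supported
            problems.append("entry %s must be (name, 'ACM')" % uuid)
    return problems

def check_domain_labels(policies, xm_output):
    """Map each domain to None (ok) or a string describing the problem.
    A label is ACM:<policy name>:<domain label>, or 'unlabeled'."""
    managed = set(policies.values())
    result = {}
    for line in xm_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        name, label = fields[0], fields[-1]
        parts = label.split(":")
        if label == "unlabeled" or len(parts) != 3:
            result[name] = "unlabeled or malformed label %r" % label
        elif (parts[1], parts[0]) not in managed:
            result[name] = "policy %s:%s not in managed_policies" % (parts[0], parts[1])
        else:
            result[name] = None
    return result
```

On a real host, feed it the contents of /etc/xen/acm-security/policies/managed_policies and the output of `xm list --label`; a Domain-0 reported as 'unlabeled' after boot is exactly the symptom that started this thread.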

2007-08-27  8:00 Loading ACM policy in XSM Syunsuke HAYASHI
2007-08-28 17:17 ` [Xen-devel] " Stefan Berger
     [not found]   ` <46D4F586.1090007@jp.fujitsu.com>
2007-08-29 13:50     ` George S. Coker, II
2007-08-30  5:16       ` Syunsuke HAYASHI
2007-09-11 10:28       ` [Xen-users] " Syunsuke HAYASHI
2007-09-11 22:05         ` George S. Coker, II
2007-09-12  7:23           ` Syunsuke HAYASHI [this message]