* [XSM] Setting of ACM Policy
@ 2008-08-21 15:23 Kuniyasu Suzaki
  2008-08-21 23:45 ` Dilshan Jayarathna
  0 siblings, 1 reply; 8+ messages in thread
From: Kuniyasu Suzaki @ 2008-08-21 15:23 UTC (permalink / raw)
  To: xen-devel


Hello,

Please tell me how to set up ACM of XSM.
I could build an XSM but it doesn't work well.
  # xm getpolicy
  Supported security subsystems: None

I guess it is caused by the lack of a policy file.
I referred to the following manual and tried to create a policy file.
  http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf

The manual says that the following command creates a policy file
"mytest.bin".
  # xm setpolicy ACM mytest

However the command doesn't work well. Please tell me how to create a policy file.
I tried on Xen 3.2.1. Is the step obsolete?

------
suzaki


* Re: [XSM] Setting of ACM Policy
  2008-08-21 15:23 Kuniyasu Suzaki
@ 2008-08-21 23:45 ` Dilshan Jayarathna
  2008-08-26  8:46   ` Kuniyasu Suzaki
  0 siblings, 1 reply; 8+ messages in thread
From: Dilshan Jayarathna @ 2008-08-21 23:45 UTC (permalink / raw)
  To: Kuniyasu Suzaki; +Cc: xen-devel


Hi Suzaki,

It looks like a faulty build. (I could be wrong)
If you've set ACM_SECURITY ?= y in Config.mk when building xen, you 
must get ACM as the supported security subsystem when you run 'xm 
getpolicy'.

If you just run 'xm setpolicy', you should get an error but it also tells 
you the supported policy type
(...The only policytype that is currently supported is 'ACM'...)

You can use xensec_ezpolicy to create a policy in xml format. Then 'xm 
setpolicy...' to convert xml to binary format and to activate the policy.

But if the XSM is not built properly, none of the above will work.

Hope this helps.

Cheers,
Dilshan


* Re: [XSM] Setting of ACM Policy
  2008-08-21 23:45 ` Dilshan Jayarathna
@ 2008-08-26  8:46   ` Kuniyasu Suzaki
  2008-08-26 23:32     ` Dilshan Jayarathna
  0 siblings, 1 reply; 8+ messages in thread
From: Kuniyasu Suzaki @ 2008-08-26  8:46 UTC (permalink / raw)
  To: xen-devel


Dilshan,

Thank you for your advice. I failed to build xsm.
I rebuilt and succeeded.

=============================================================
# /etc/init.d/xend start
# xm getpolicy
Supported security subsystems   : ACM 

Policy name           : DEFAULT
Policy type           : ACM
Version of XML policy : 1.0
Policy configuration  : loaded, activated for boot
# xm list --label
Name                                        ID   Mem VCPUs      State   Time(s) Label     
Domain-0                                     0   464     1     r-----    244.2 ACM:DEFAULT:SystemManagement
=============================================================

I tried the policy file "/etc/xen/acm-security/policies/DEFAULT-UL-security_policy.xml".
=============================================================
# xm setpolicy ACM DEFAULT-UL
Successfully set the new policy.
Supported security subsystems   : ACM

Policy name           : DEFAULT-UL
Policy type           : ACM
Version of XML policy : 1.0
Policy configuration  : loaded, activated for boot

# xm list --label
Name                                        ID   Mem VCPUs      State   Time(s) Label
Domain-0                                     0  1887     2     r-----    226.7 ACM:DEFAULT-UL:SystemManagement
# xm resetpolicy
Successfully reset the system's policy.
=============================================================

By the way I cannot make the "DEFAULT-UL.bin" file.
Can't I set the .bin file at GRUB Menu?

------
suzaki


* Re: [XSM] Setting of ACM Policy
  2008-08-26  8:46   ` Kuniyasu Suzaki
@ 2008-08-26 23:32     ` Dilshan Jayarathna
  2008-08-29 10:17       ` Kuniyasu Suzaki
  0 siblings, 1 reply; 8+ messages in thread
From: Dilshan Jayarathna @ 2008-08-26 23:32 UTC (permalink / raw)
  To: xen-devel

Suzaki,

Kuniyasu Suzaki wrote:
> # xm setpolicy ACM DEFAULT-UL
> Successfully set the new policy.
> Supported security subsystems   : ACM
>
> Policy name           : DEFAULT-UL
> Policy type           : ACM
> Version of XML policy : 1.0
> Policy configuration  : loaded, activated for boot
>
> # xm list --label
> Name                                        ID   Mem VCPUs      State   Time(s) Label
> Domain-0                                     0  1887     2     r-----    226.7 ACM:DEFAULT-UL:SystemManagement
> # xm resetpolicy
> Successfully reset the system's policy.
> =============================================================
>
> By the way I cannot make the "DEFAULT-UL.bin" file.
> Can't I set the .bin file at GRUB Menu?
>
>   
It looks like you already have the DEFAULT-UL.bin file. Check /boot.
You can manually set it in grub.conf as below:
module /DEFAULT-UL.bin

Cheers,
Dilshan


* Re: [XSM] Setting of ACM Policy
  2008-08-26 23:32     ` Dilshan Jayarathna
@ 2008-08-29 10:17       ` Kuniyasu Suzaki
  2008-08-29 12:58         ` Stefan Berger
  0 siblings, 1 reply; 8+ messages in thread
From: Kuniyasu Suzaki @ 2008-08-29 10:17 UTC (permalink / raw)
  To: xen-devel


Dilshan,

 >>From: Dilshan Jayarathna <dilshan.jayarathna@mq.edu.au>
 >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>It looks like you already have the DEFAULT-UL.bin file. Check /boot.
 >>You can manually set it in grub.conf as below:
 >>module /DEFAULT-UL.bin

Thank you. I found a .bin file. The .bin file is also created at "/var/lib/xend/security/policies/".
I could set it up in the GRUB menu.

Unfortunately the setting is re-written by "DEFAULT policy" when xend is started.
Can't we fix the policy at the boot time?

------
suzaki


* Re: [XSM] Setting of ACM Policy
  2008-08-29 10:17       ` Kuniyasu Suzaki
@ 2008-08-29 12:58         ` Stefan Berger
  2008-09-02  9:03           ` Kuniyasu Suzaki
  0 siblings, 1 reply; 8+ messages in thread
From: Stefan Berger @ 2008-08-29 12:58 UTC (permalink / raw)
  To: Kuniyasu Suzaki; +Cc: xen-devel


xen-devel-bounces@lists.xensource.com wrote on 08/29/2008 06:17:12 AM:

> Thank you. I found a .bin file. The .bin file is also created at
> "/var/lib/xend/security/policies/".
> I could set it up in the GRUB menu.

You made a copy of the DEFAULT.bin file into /boot I hope.

> 
> Unfortunately the setting is re-written by "DEFAULT policy" when xend
> is started.
> Can't we fix the policy at the boot time?

I am not sure what you mean by 'fix the policy at the boot time?'.

You seem to be using an older version of Xen. Is there any possibility to 
move to 3.3.0?

  Stefan



* Re: [XSM] Setting of ACM Policy
  2008-08-29 12:58         ` Stefan Berger
@ 2008-09-02  9:03           ` Kuniyasu Suzaki
  0 siblings, 0 replies; 8+ messages in thread
From: Kuniyasu Suzaki @ 2008-09-02  9:03 UTC (permalink / raw)
  To: xen-devel


Stefan,

 >>From: Stefan Berger <stefanb@us.ibm.com>
 >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
 >>
 >>> Unfortunately the setting is re-written by "DEFAULT policy" when xend
 >>> is started.
 >>> Can't we fix the policy at the boot time?
 >>
 >>I am not sure what you mean by 'fix the policy at the boot time?'.

When I set up a policy at the GRUB menu, the policy becomes immutable till shutdown.
I don't want the policy to be changed by any commands.

However, the "xend" and "xm" commands change the policy easily in the current implementation.
Should I use the Mandatory Access Control of SE-Linux on Dom0 to keep the policy?

 >>You seem to be using an older version of Xen. Is there any possibility to 
 >>move to 3.3.0?

When I tried xsm, Xen 3.2.1 was the latest stable version.
I will move to 3.3.0.

-----
suzaki


* Re: [XSM] Setting of ACM Policy
       [not found] <200809021900.m82J0FC2012318@baldrick.ocs.mq.edu.au>
@ 2008-09-03  0:43 ` Dilshan Jayarathna
  0 siblings, 0 replies; 8+ messages in thread
From: Dilshan Jayarathna @ 2008-09-03  0:43 UTC (permalink / raw)
  To: xen-devel

Hi Kuniyasu,

What is your default boot entry in grub menu?
XSM seems to set the policy ref (e.g. 
ssidref=0x00010001:ACM:mytest:SystemManagement)
and the 'module /<policy_name>.bin' in default entry.

But I recommend Stefan's advice and try to move to 3.3.0.

I am also having some local time issues when I tried to create HVM 
guests and it seems to be a known bug, which has been fixed in 3.3.0.

I am planning to build 3.3.0 soon.

Regards,
Dilshan

Please CC to me if you're replying since I am only getting the digest
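
A check for the setup discussed in this thread (the default GRUB entry carrying a 'module /<policy_name>.bin' line, with the file present in /boot), as an added example that is not part of the original messages or of the Xen tools. It assumes GRUB legacy syntax and that module paths are relative to the boot directory; the function names, the optional reference-copy argument and the sample grub.conf are constructed for illustration.

```shell
#!/bin/sh
# Print the policy module (*.bin) loaded by the default entry of a GRUB
# legacy config. Exit 1 if that entry loads none, 2 if "default" is not
# a number.
default_entry_policy_module() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*default[ \t=]/ {                 # "default=N" or "default N"
            line = $0
            sub(/^[ \t]*default[ \t=]+/, "", line)
            sub(/[ \t]+$/, "", line)
            def = line
            next
        }
        /^[ \t]*title([ \t]|$)/ { entry++; next }    # each title starts an entry
        /^[ \t]*module[ \t]/ && entry > 0 {
            if ($2 ~ /\.bin$/) mods[entry - 1] = $2  # entries count from 0
        }
        END {
            if (def == "") def = 0               # entry 0 when no default is set
            if (def !~ /^[0-9]+$/) exit 2        # e.g. "default saved"
            if (!((def + 0) in mods)) exit 1
            print mods[def + 0]
        }
    ' "$1"
}

# check_boot_policy <grub.conf> <bootdir> [reference.bin]
# Succeeds only if the default entry names a policy module, the file exists
# and is non-empty under <bootdir>, and (when a reference copy is given, such
# as the one xend keeps) both files are byte-identical.
check_boot_policy() {
    conf=$1
    bootdir=$2
    ref=${3:-}
    mod=$(default_entry_policy_module "$conf") || {
        echo "no policy module found for the default entry" >&2
        return 1
    }
    [ -s "$bootdir$mod" ] || {
        echo "missing or empty: $bootdir$mod" >&2
        return 1
    }
    if [ -n "$ref" ] && ! cmp -s "$bootdir$mod" "$ref"; then
        echo "boot copy differs from $ref" >&2
        return 1
    fi
    echo "$mod"
}

# Constructed sample config: kernel and initrd names are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title Xen with ACM policy
    root (hd0,0)
    kernel /xen.gz
    module /vmlinuz-xen ro root=/dev/sda1
    module /initrd-xen.img
    module /DEFAULT-UL.bin
title Xen without policy
    root (hd0,0)
    kernel /xen.gz
    module /vmlinuz-xen ro root=/dev/sda1
    module /initrd-xen.img
EOF
}

# Demo against a throwaway directory standing in for /boot.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/grub.conf"
printf 'constructed policy bytes\n' > "$demo_dir/DEFAULT-UL.bin"
check_boot_policy "$demo_dir/grub.conf" "$demo_dir"
rm -rf "$demo_dir"
```

On a real host the call would be `check_boot_policy /boot/grub/grub.conf /boot`, with the third argument pointing at the copy under /var/lib/xend/security/policies/ if drift between the two should be detected.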

