From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dilshan Jayarathna
Subject: Re: [XSM] Setting of ACM Policy
Date: Wed, 03 Sep 2008 10:43:38 +1000
Message-ID: <48BDDDBA.4020103@mq.edu.au>
References: <200809021900.m82J0FC2012318@baldrick.ocs.mq.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <200809021900.m82J0FC2012318@baldrick.ocs.mq.edu.au>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

Hi Kuniyasu,

What is your default boot entry in grub menu? XSM seems to set the policy ref (e.g. ssidref=0x00010001:ACM:mytest:SystemManagement) and the 'module /.bin' in default entry.

But I recommend Stefan's advice and try to move to 3.3.0. I am also having some local time issues when I tried to create HVM guests and it seems to be a known bug, which has been fixed in 3.3.0. I am planning to build 3.3.0 soon.

Regards,
Dilshan

Please CC to me if you're replying since I am only getting the digest

> Date: Tue, 02 Sep 2008 18:03:32 +0900 (JST)
> From: Kuniyasu Suzaki
> Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> To: xen-devel@lists.xensource.com
> Message-ID: <20080902.180332.193697797.k.suzaki@aist.go.jp>
> Content-Type: Text/Plain; charset=us-ascii
>
> Stefan,
>
> >>From: Stefan Berger
> >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> >>
> >>> Unfortunately the setting is re-written by "DEFAULT policy" when xend
> >>> is started.
> >>> Can't we fix the policy at the boot time?
> >>
> >>I am not sure what you mean by 'fix the policy at the boot time?'.
>
> When I set up a policy at GRUB menu, the policy becomes immutable till shutdown.
> I don't want the policy to be changed by any commands.
>
> However "xend" and "xm" commands change the policy easily on the current implementation.
> Should I use the Mandatory Access Control of SE-Linux on Dom0 to keep the policy?
>
> >>You seem to be using an older version of Xen. Is there any possibility to
> >>move to 3.3.0?
>
> When I tried xsm, Xen3.2.1 was the latest stable version.
> I will move to 3.3.0.
>
> -----
> suzaki
>
> >>> >>
> >>> >>Cheers,
> >>> >>Dilshan
> >>> >>
> >>> >>> ------
> >>> >>> suzaki
> >>> >>>
> >>> >>> >>From: Dilshan Jayarathna
> >>> >>> >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> >>> >>> >>
> >>> >>> >>Hi Suzaki,
> >>> >>> >>
> >>> >>> >>It looks like a faulty build. (I could be wrong)
> >>> >>> >>If you've set ACM_SECURITY ?= y in Config.mk when you building xen, you
> >>> >>> >>must get ACM as the supported security subsystem when you run 'xm
> >>> >>> >>getpolicy'.
> >>> >>> >>
> >>> >>> >>If you just run 'xm setpolicy', you should get an error but it also tells
> >>> >>> >>you the supported policy type
> >>> >>> >>(...The only policytype that is currently supported is 'ACM'...)
> >>> >>> >>
> >>> >>> >>You can use xensec_ezpolicy to create a policy in xml format. Then 'xm
> >>> >>> >>setpolicy...' to convert xml to binary format and to activate the policy.
> >>> >>> >>
> >>> >>> >>But if the XSM is not built properly, none of the above will work.
> >>> >>> >>
> >>> >>> >>Hope this helps.
> >>> >>> >>
> >>> >>> >>Cheers,
> >>> >>> >>Dilshan
> >>> >>> >>
> >>> >>> >>Kuniyasu Suzaki wrote:
> >>> >>> >>> Hello,
> >>> >>> >>>
> >>> >>> >>> Please tell me how to setup ACM of XSM.
> >>> >>> >>> I could build a XSM but it doesn't work well.
> >>> >>> >>> # xm getpolicy
> >>> >>> >>> Supported security subsystems: None
> >>> >>> >>>
> >>> >>> >>> I guess it is caused by the lack of a policy file.
> >>> >>> >>> I referred the following manual and tried to create policy file.
> >>> >>> >>>
> >>> >>> >>> http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf
> >>> >>> >>>
> >>> >>> >>> The manual tells that the following command create a policy file
> >>> >>> >>> "mytest.bin".
> >>> >>> >>> # xm setpolicy ACM mytest
> >>> >>> >>>
> >>> >>> >>> However the command doesn't work well. Please tell me create a policy file.
> >>> >>> >>> I tried on Xen 3.2.1. Is the step obsolete?
> >>> >>> >>>
> >>> >>> >>> ------
> >>> >>> >>> suzaki
> >>> >>> >>>
> >>> >>> >>> _______________________________________________
> >>> >>> >>> Xen-devel mailing list
> >>> >>> >>> Xen-devel@lists.xensource.com
> >>> >>> >>> http://lists.xensource.com/xen-devel
>
> End of Xen-devel Digest, Vol 43, Issue 10
> *****************************************