Re: XSM/FLASK questions

[Daniel De Graaf <dgdegra@tycho.nsa.gov>]

On 03/13/2013 09:52 AM, baozeng@nfs.iscas.ac.cn wrote:
> Hello all,
>      I played with Xen 4.1.0, XSM/FLASK module to see whether it works well or not. I
> changed the policy file to make dom0 cannot create a domU labeled with domHU_t
> type.  The policy.conf generated using "make policy" command is as the
> following:
>      type domHU_t, domain_type;
>      allow dom0_t domHU_t:domain {max_vcpus setdomainmaxmem
>
>                                  setaddrsize getdomaininfo hypercall
>
>                                  setvcpucontext scheduler unpause
>
>                                  getvcpuinfo getaddrsize getvcpuaffinity}; //I
> removed "create"
>
>     Then I added the label domHU_t for a domU in its configure file as the following:
>
>     access_control = ['policy=,label=system_u:system_r:domHU_t']
>
> After that I made install the FLASK policy using "make install" and rebooted with
> flask_enforcing = 1. But when I started the domU using "xm create domU.cfg", it can
> still create it successfully.
>     Since I removed the "create" operation in the policy, why dom0 can still create a
> domU labeled with domHU_t? any idea? thanks.
>
>
>        Best Regards,
>                 Baozeng Ding
>

You may want to ensure that the policy is being loaded - you need to
reference it in your grub menu.lst as another module to xen. You can
verify this using xl dmesg or "xl list -Z" - with no policy loaded, dom0
is labeled "dom0" instead of the "system_u:system_r:dom0_t" as defined in
the policy. I am not familiar labeling in xm's config file, so I assume
that your syntax works in 4.1; in xl, it would need to be written as:

seclabel='system_u:system_r:domHU_t'

You may also want to check that there isn't another allow rule that you
didn't remove by running:

sesearch -A -s dom0_t -t domHU_t -c domain -p create /boot/xenpolicy.24

This will return empty output if there is no allow rule.

-- 
Daniel De Graaf
National Security Agency