From: Daniel De Graaf
Subject: Re: XSM/FLASK questions
Date: Wed, 13 Mar 2013 12:55:57 -0400
Message-ID: <5140AF9D.8010304@tycho.nsa.gov>
In-Reply-To: <33800.124.16.141.1.1363182758.squirrel@nfs.iscas.ac.cn>
To: baozeng@nfs.iscas.ac.cn
Cc: xen-devel@lists.xen.org

On 03/13/2013 09:52 AM, baozeng@nfs.iscas.ac.cn wrote:
> Hello all,
> I played with Xen 4.1.0, XSM/FLASK module to see whether it works well or not. I
> changed the policy file so that dom0 cannot create a domU labeled with the domHU_t
> type. The policy.conf generated using the "make policy" command is as
> follows:
>
> type domHU_t, domain_type;
> allow dom0_t domHU_t:domain { max_vcpus setdomainmaxmem
>                               setaddrsize getdomaininfo hypercall
>                               setvcpucontext scheduler unpause
>                               getvcpuinfo getaddrsize getvcpuaffinity }; // I removed "create"
>
> Then I added the label domHU_t for a domU in its configuration file as follows:
>
> access_control = ['policy=,label=system_u:system_r:domHU_t']
>
> After that I installed the FLASK policy using "make install" and rebooted with
> flask_enforcing = 1. But when I started the domU using "xm create domU.cfg", it could
> still create it successfully.
> Since I removed the "create" operation in the policy, why can dom0 still create a
> domU labeled with domHU_t? Any idea? Thanks.
>
> Best Regards,
> Baozeng Ding

You may want to ensure that the policy is being loaded - you need to reference it
in your grub menu.lst as another module to xen.

You can verify this using xl dmesg or "xl list -Z" - with no policy loaded, dom0 is
labeled "dom0" instead of the "system_u:system_r:dom0_t" as defined in the policy.

I am not familiar with labeling in xm's config file, so I assume that your syntax
works in 4.1; in xl, it would need to be written as:

seclabel='system_u:system_r:domHU_t'

You may also want to check that there isn't another allow rule that you didn't
remove by running:

sesearch -A -s dom0_t -t domHU_t -c domain -p create /boot/xenpolicy.24

This will return empty output if there is no allow rule.

-- 
Daniel De Graaf
National Security Agency
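As an added illustration of the "another allow rule" check Daniel suggests (not part of the thread, and not a replacement for sesearch on the compiled policy), the following script does a sesearch-style lookup over policy.conf text and resolves type attributes, so a rule granting create on the domain_type attribute is found even though no rule names domHU_t directly. The policy excerpt is constructed from the thread's rules plus one hypothetical leftover attribute-based rule.

```python
import re

# Constructed policy excerpt: the thread's rules plus a hypothetical rule
# granting "create" on the domain_type attribute, which domHU_t carries.
SAMPLE_POLICY = """
attribute domain_type;
type dom0_t, domain_type;
type domHU_t, domain_type;
allow dom0_t domHU_t:domain { max_vcpus setdomainmaxmem setaddrsize
    getdomaininfo hypercall setvcpucontext scheduler unpause
    getvcpuinfo getaddrsize getvcpuaffinity };   # "create" removed here
# hypothetical leftover rule: still lets dom0 create any domain_type domain
allow dom0_t domain_type:domain { create };
"""

def _split(field):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return field.strip("{} ").split()

def parse_policy(text):
    """Return (type -> set of attributes, list of (src, tgt, cls, perms))."""
    text = re.sub(r"#.*", "", text)            # strip '#' comments
    attrs, rules = {}, []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())          # collapse newlines/whitespace
        m = re.match(r"type (\w+)(?:, (.*))?$", stmt)
        if m:                                  # 'type X, attr1, attr2'
            attrs[m.group(1)] = set(m.group(2).split(", ")) if m.group(2) else set()
            continue
        m = re.match(r"allow (\{[^}]*\}|\w+) (\{[^}]*\}|\w+):"
                     r"(\{[^}]*\}|\w+) (\{[^}]*\}|\w+)$", stmt)
        if m:
            rules.append(tuple(_split(g) for g in m.groups()))
    return attrs, rules

def _matches(name, candidates, attrs):
    """A type matches a rule field by name or via one of its attributes."""
    return name in candidates or bool(attrs.get(name, set()) & set(candidates))

def find_allow(text, src, tgt, cls, perm):
    """Like 'sesearch -A -s src -t tgt -c cls -p perm': return matching rules."""
    attrs, rules = parse_policy(text)
    return [r for r in rules
            if _matches(src, r[0], attrs) and _matches(tgt, r[1], attrs)
            and cls in r[2] and perm in r[3]]

if __name__ == "__main__":
    for rule in find_allow(SAMPLE_POLICY, "dom0_t", "domHU_t", "domain", "create"):
        print("create still allowed by:", rule)
```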