Re: [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands

[Daniel De Graaf <dgdegra@tycho.nsa.gov>]

On 12/15/2011 03:56 PM, Konrad Rzeszutek Wilk wrote:
>> There is already an example policy file in tools/flask/policy/policy/modules/xen/xen.te
>> although it will likely require additional rules to be run in enforcing mode.
>> The policy is not built as part of the normal build process, but it can be
>> built by running "make -C tools/flask/policy". If using Fedora 16 (or systems
>> with a checkpolicy version >24) the Makefile will need to be adjusted to
>> produce policy version 24 which is the latest version supported by Xen.
> 
> Is there a howto on how to use it for newbies? Or how to apply policies
> against a domain? Would it make sense to have that as part of the 'man
> xl' ?
> 

I just sent an updated example policy that demonstrates most of the features
that can be used without dom0 disaggregation. It has two main types for domU:

domU_t is a domain that can communicate with any other domU_t
isolated_domU_t can only communicate with dom0

There is also a resource type for device passthrough, configured for domU_t.
To label the PCI device 3:2.0 for passthrough, run:

./tools/flask/utils/flask-label-pci 0000:03:02.0 system_u:object_r:nic_dev_t

I'm not sure this belongs in "man xl" except for a mention of how to set the
security label of a newly created domain. There is already a docs/misc/xsm-flask.txt
that explains a bit about the policy creation; this may need to be updated
to better explain how to use FLASK.

-- 
Daniel De Graaf
National Security Agency