From: Daniel De Graaf
Subject: Re: [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands
Date: Thu, 15 Dec 2011 16:57:36 -0500
Message-ID: <4EEA6D50.80902@tycho.nsa.gov>
References: <1323808737-29125-1-git-send-email-dgdegra@tycho.nsa.gov> <1323808737-29125-9-git-send-email-dgdegra@tycho.nsa.gov> <4EEA4624.3080308@tycho.nsa.gov> <20111215205654.GA11829@andromeda.dapyr.net>
In-Reply-To: <20111215205654.GA11829@andromeda.dapyr.net>
To: Konrad Rzeszutek Wilk
Cc: "xen-devel@lists.xensource.com", Keir Fraser, Stefano Stabellini
List-Id: xen-devel@lists.xenproject.org

On 12/15/2011 03:56 PM, Konrad Rzeszutek Wilk wrote:
>> There is already an example policy file in tools/flask/policy/policy/modules/xen/xen.te
>> although it will likely require additional rules to be run in enforcing mode.
>> The policy is not built as part of the normal build process, but it can be
>> built by running "make -C tools/flask/policy". If using Fedora 16 (or systems
>> with a checkpolicy version >24) the Makefile will need to be adjusted to
>> produce policy version 24 which is the latest version supported by Xen.
>
> Is there a howto on how to use it for newbies? Or how to apply policies
> against a domain? Would it make sense to have that as part of the 'man
> xl' ?
>

I just sent an updated example policy that demonstrates most of the features
that can be used without dom0 disaggregation. It has two main types for domU:

  domU_t is a domain that can communicate with any other domU_t
  isolated_domU_t can only communicate with dom0

There is also a resource type for device passthrough, configured for domU_t.
To label the PCI device 3:2.0 for passthrough, run:

  ./tools/flask/utils/flask-label-pci 0000:03:02.0 system_u:object_r:nic_dev_t

I'm not sure this belongs in "man xl" except for a mention of how to set the
security label of a newly created domain. There is already a
docs/misc/xsm-flask.txt that explains a bit about the policy creation; this may
need to be updated to better explain how to use FLASK.

-- 
Daniel De Graaf
National Security Agency
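The two steps this thread gives (build the policy with "make -C tools/flask/policy", then label the passthrough device with flask-label-pci) are easy to get wrong at the command line: the device is written "3:2.0" in prose but flask-label-pci is given "0000:03:02.0", and a mistyped label is only caught once it is already in the hypervisor's device table. The script below is an added example, not code from this thread or from the Xen tree. It wraps both steps with the input checks a practitioner would want first. Assumptions not stated on the page: XEN_SRC points at a Xen source tree, "xl loadpolicy" is the xl subcommand that installs a built policy file, DRY_RUN=1 (the default) prints each command instead of running it so the helpers can be exercised on a machine without Xen, and the helper names (normalize_bdf, check_label, label_pci_device) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Xen tree: wraps the two
# steps the reply gives (build the FLASK policy, label a PCI device for
# passthrough) with input checks run before anything touches the hypervisor.
# Assumptions not stated on the page: XEN_SRC is a Xen source tree,
# "xl loadpolicy" installs the built policy, and DRY_RUN=1 (the default)
# prints each command instead of running it.

XEN_SRC=${XEN_SRC:-.}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# normalize_bdf "3:2.0" -> "0000:03:02.0".  flask-label-pci is given the full
# DDDD:BB:SS.F form while the reply names the device in short form; both are
# accepted and range-checked (16-bit domain, 8-bit bus, 5-bit slot, 3-bit fn).
normalize_bdf() {
    bdf=$1
    case $bdf in
        *:*:*.*) dom=${bdf%%:*}; rest=${bdf#*:} ;;
        *:*.*)   dom=0;          rest=$bdf ;;
        *)       return 1 ;;
    esac
    bus=${rest%%:*}; rest=${rest#*:}
    slot=${rest%%.*}; func=${rest#*.}
    for f in "$dom" "$bus" "$slot" "$func"; do
        case $f in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    done
    [ $((0x$dom)) -le 65535 ] && [ $((0x$bus)) -le 255 ] &&
        [ $((0x$slot)) -le 31 ] && [ $((0x$func)) -le 7 ] || return 1
    printf '%04x:%02x:%02x.%x\n' "0x$dom" "0x$bus" "0x$slot" "0x$func"
}

# check_label "system_u:object_r:nic_dev_t": a security context in the
# non-MLS form the thread uses is user:role:type, three non-empty identifier
# fields.  Reject anything else rather than hand flask-label-pci a typo.
check_label() {
    case $1 in *:*:*) ;; *) return 1 ;; esac
    u=${1%%:*}; rest=${1#*:}
    r=${rest%%:*}; t=${rest#*:}
    for f in "$u" "$r" "$t"; do
        case $f in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    done
    return 0
}

# The build step from the reply.  On a host whose checkpolicy is newer than
# version 24 the Makefile must be told to emit policy version 24, the latest
# Xen accepts; that adjustment is left to the reader.
build_policy() {
    run make -C "$XEN_SRC/tools/flask/policy"
}

# Install a built policy file (path supplied by the caller).  Assumed
# subcommand, see the lead-in.
load_policy() {
    run xl loadpolicy "$1"
}

# label_pci_device BDF LABEL: validate both arguments, then call the
# flask-label-pci helper the reply names.
label_pci_device() {
    full=$(normalize_bdf "$1") || { echo "bad PCI address: $1" >&2; return 1; }
    check_label "$2" || { echo "bad security label: $2" >&2; return 1; }
    run "$XEN_SRC/tools/flask/utils/flask-label-pci" "$full" "$2"
}

# Usage: sh flask-setup.sh 3:2.0 system_u:object_r:nic_dev_t [policy-file]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    build_policy
    [ -n "${3:-}" ] && load_policy "$3"
    label_pci_device "$1" "$2"
fi
```

Run it from the top of a Xen source tree with DRY_RUN=0 to execute the commands for real; with the default DRY_RUN=1 it only prints them, which is enough to confirm that "3:2.0" is expanded to the "0000:03:02.0" form the reply passes to flask-label-pci and that a malformed label is rejected before any tool is invoked.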