how to label a pci device step by step?

how to label a pci device step by step?

[Allan Chen]

[-- Attachment #1.1: Type: text/plain, Size: 332 bytes --]

hi,all
   i follow the instruction in file xsm-flask.txt(in xen-4.1.2/docs/misc)
to  label a NIC,
if i uncomment policy in file xen.te
     pirqcon 33 system_u:object_r:nicP_t
then:
make polily

I got an error: pirqcon not supported for target

where do i find a tutorial about labelling a NIC in XEN  flask?

thank you very mouch!

[-- Attachment #1.2: Type: text/html, Size: 475 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how to label a pci device step by step?

[Daniel De Graaf]

On 07/09/2012 02:01 AM, Allan Chen wrote:
> hi,all
>    i follow the instruction in file xsm-flask.txt(in xen-4.1.2/docs/misc)
> to  label a NIC,
> if i uncomment policy in file xen.te
>      pirqcon 33 system_u:object_r:nicP_t
> then:
> make polily
> 
> I got an error: pirqcon not supported for target
> 
> where do i find a tutorial about labelling a NIC in XEN  flask?
> 
> thank you very mouch!
> 
> 

In order to use pirqcon or other static device labeling directives in the
security policy, you need to tell checkpolicy (the compiler) to enable
Xen policy features by adding "-t Xen" in tools/flask/policy/Makefile. The
docs file mentions this under "Device Policy"; you may also want to look
at 4.2's docs as they better explain the origin of pcidevicecon.

If you are planning to switch to Xen 4.2 in the future, you may want to
look at the flask-label-pci tool which will handle dynamic addresses/IRQs.

-- 
Daniel De Graaf
National Security Agency