WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - impl

To: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Mon, 6 Oct 2008 17:55:13 -0400
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <C50FE0E9.214B4%gscoker@xxxxxxxxxxxxxx>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
References: <OFAAA7BF12.F524767B-ON852574DA.005939EC-852574DA.0059CD5A@xxxxxxxxxx> <C50FE0E9.214B4%gscoker@xxxxxxxxxxxxxx>

"George S. Coker, II" <gscoker@xxxxxxxxxxxxxx> wrote on 10/06/2008 03:36:09 PM:

> "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>

> 10/06/2008 03:36 PM
>
> To: Stefan Berger/Watson/IBM@IBMUS
> cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
> Subject: Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
>
> Although XSM/Flask does not yet support labeling of VIFs, it should
> work with an attached VIF.  I think we have not been very careful in
> the handling of labels on VIFs, and your patch looks like it
> addresses that issue.  The default policy will allow both cases.


With a domU that has no VIF, I see this here:

(XEN) avc:  denied  { adjust } for domid=4
(XEN) scontext=system_u:object_r:domU_t tcontext=system_u:object_r:domU_t

The VM also disappears.

   Stefan


>
> Yes, your access_control setting is correct.
>
> On 10/6/08 12:21 PM, "Stefan Berger" <stefanb@xxxxxxxxxx> wrote:

>
> George,
>
>   is XSM/Flask known to work with a domU with an attached VIF? I
> find that this patch here seems necessary, but want to confirm...
>
> diff -r 782599274bf9 tools/python/xen/util/xsm/flask/flask.py
> --- a/tools/python/xen/util/xsm/flask/flask.py                Tue
> Sep 30 10:14:54 2008 +0100
> +++ b/tools/python/xen/util/xsm/flask/flask.py                Mon
> Oct 06 12:10:31 2008 -0400
> @@ -35,7 +35,10 @@
>      return ssidref
>  
>  def set_security_label(policy, label):
> -    return label
> +    if label:
> +        return label
> +    else:
> +        return ""
>  
>  def ssidref2security_label(ssidref):
>      label = ssidref2label(ssidref)
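
Review bot: in set_security_label the new if/else maps every falsy label (None, 0, an empty list) to "", not only a missing one, so a malformed label is silently turned into an empty label instead of being rejected, and the policy argument is still unused. If the intent is only to cope with a device that carries no label, test `label is None` explicitly (or write `return label or ""` if any falsy value really should be accepted), and add a comment naming the caller that passes no label, since the thread points at the VIF path.
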
>
> Is the default policy you have provided allowing a DomU in the cases
> with a VIF or without a VIF to start?
>
> Also, is the following line from the VM configuration file correct
> to start a VM while the default policy is enforced?
>
> access_control=['policy=,label=system_u:object_r:domU_t']
>
> Thanks.
>    Stefan
>
>
>
> xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/12/2008 04:48:58 PM:
>
> > "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
> > Sent by: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> >
> > 09/12/2008 04:48 PM
> >
> > To
> >
> > xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
> >
> > cc
> >
> > Subject
> >
> > [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module -
> > implement missing stub
> >
> >
> > - This minor patch implements the missing stub function
> > security_label_to_details in the dummy module.  This stub function is
> > necessary to create domains with network interfaces for modules that do not
> > implement the security_label_to_details function.
> >
> > Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
> >
> > [attachment "xsm-tools-dummy-update-091208.diff" deleted by Stefan
> > Berger/Watson/IBM]

>
> --
> George S. Coker, II <gscoker@xxxxxxxxxxxxxx>