Hello,I am a student, and did only know little about xen. These days I was learning something about ACM module. When I do a experiment,I come across a problem.
In the experiment, I have three security labels A-Bank, B-Bank and __UNLABELED__.At first, I only create an unlabeled domianU, so it have the default security label——__UNLABELED__. Then I want to add A-Bank to it, but at that time I have the error "VM's access to block device 'file:/home/qiu/...'denied" . Later,I found the domainU that labeled with A-Bank cannot access the resources labeled with __UNLABELED__, because the domainU labeled with A-Bank only have a A-Bank type of STE, so when I relabeled the domainU to A-Bank, the hypervisor find that if the aciton success, the domainU cannot access the resources (these labeled by __UNLABELED__)that it can before, so it denied such operations.
Now,I want to know that if I want to success relabeling the unlabeled domainU to A-Bank, should I add a STE type ——__UNLABELED__, to the STE type of the A-Bank workload. If so, the domainU labeled with A-Bank can access any resources labeled with __UNLABELED__, and I don't think that was security. what do you think about the question? Thank you!
网易邮箱用户购物独享现金返还
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|