
Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub


  • To: Stefan Berger <stefanb@xxxxxxxxxx>
  • From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
  • Date: Mon, 06 Oct 2008 15:36:09 -0400
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 06 Oct 2008 12:37:16 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: Ackn6sgdq1IORP2kn0aVLJj67OOKTg==
  • Thread-topic: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub


Although XSM/Flask does not yet support labeling of VIFs, it should work with an attached VIF.  I think we have not been very careful in the handling of labels on VIFs, and your patch looks like it addresses that issue.  The default policy will allow both cases.

Yes, your access_control setting is correct.

On 10/6/08 12:21 PM, "Stefan Berger" <stefanb@xxxxxxxxxx> wrote:


George,

  is XSM/Flask known to work with a domU with an attached VIF? I find that this patch here seems necessary, but want to confirm...

diff -r 782599274bf9 tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py                Tue Sep 30 10:14:54 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py                Mon Oct 06 12:10:31 2008 -0400
@@ -35,7 +35,10 @@
     return ssidref
 
 def set_security_label(policy, label):
-    return label
+    if label:
+        return label
+    else:
+        return ""
 
 def ssidref2security_label(ssidref):
     label = ssidref2label(ssidref)
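
Review bot: In set_security_label, the new `if label:` test sends every falsy value (None, an empty string, 0) to `return ""`, and nothing in the hunk says which caller passes a missing label. If the intent is only to cope with an absent label, which the question above ties to a domU with an attached VIF, a short comment or docstring stating that would make the contract clear. The `else:` after a `return` is redundant, and the whole body can be written as `return label or ""` with the same behaviour. The `policy` argument is not used in the lines shown, so a note on why it is ignored would also help.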

Is the default policy you have provided allowing a DomU in the cases with a VIF or without a VIF to start?

Also, is the following line from the VM configuration file correct to start a VM while the default policy is enforced?

access_control=['policy=,label=system_u:object_r:domU_t']

Thanks.
   Stefan



xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/12/2008 04:48:58 PM:

> "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
> Sent by: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> 09/12/2008 04:48 PM
>
> To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
> cc:
> Subject: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
>
> - This minor patch implements the missing stub function
> security_label_to_details in the dummy module.  This stub function is
> necessary to create domains with network interfaces for modules that do not
> implement the security_label_to_details function.
>
> Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
>
> [attachment "xsm-tools-dummy-update-091208.diff" deleted by Stefan
> Berger/Watson/IBM]
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel


--
George S. Coker, II <gscoker@xxxxxxxxxxxxxx>

 

