Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub

"George S. Coker, II" <gscoker@xxxxxxxxxxxxxx> wrote on 10/06/2008 03:36:09 PM:

> "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
> 10/06/2008 03:36 PM
>
> To
>
> Stefan Berger/Watson/IBM@IBMUS
>
> cc
>
> xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
>
> Subject
>
> Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module -
> implement missing stub
>
> Although XSM/Flask does not yet support labeling of VIFs, it should
> work with an attached VIF. I think we have not been very careful in
> the handling of labels on VIFs, and your patch looks like it
> addresses that issue. The default policy will allow both cases.

With a domU that has no VIF, I see this here:

(XEN) avc: denied { adjust } for domid=4
(XEN) scontext=system_u:object_r:domU_t tcontext=system_u:object_r:domU_t

The VM also disappears.

Stefan

>
> Yes, your access_control setting is correct.
>
> On 10/6/08 12:21 PM, "Stefan Berger" <stefanb@xxxxxxxxxx> wrote:
>
> George,
>
> is XSM/Flask known to work with a domU with an attached VIF? I
> find that this patch here seems necessary, but want to confirm...
>
> diff -r 782599274bf9 tools/python/xen/util/xsm/flask/flask.py > --- a/tools/python/xen/util/xsm/flask/flask.py Tue > Sep 30 10:14:54 2008 +0100 > +++ b/tools/python/xen/util/xsm/flask/flask.py Mon > Oct 06 12:10:31 2008 -0400 
> @@ -35,7 +35,10 @@ > return ssidref > > def set_security_label(policy, label): > - return label > + if label: > + return label > + else: > + return "" > > def ssidref2security_label(ssidref): > label = ssidref2label(ssidref)
>
> Is the default policy you have provided allowing a DomU in the cases
> with a VIF or without a VIF to start?
>
> Also, is the following line from the VM configuration file correct
> to start a VM while the default policy is enforced?
>
> access_control=['policy=,label=system_u:object_r:domU_t']
>
> Thanks.
> Stefan
>
> xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/12/2008 04:48:58 PM:
>
> > "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
> > Sent by: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> >
> > 09/12/2008 04:48 PM
> >
> > To
> >
> > xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
> >
> > cc
> >
> > Subject
> >
> > [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module -
> > implement missing stub
> >
> > - This minor patch implements the missing stub function
> > security_label_to_details in the dummy module. This stub function is
> > necessary to create domains with network interfaces for modules that do not
> > implement the security_label_to_details function.
> >
> > Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
> >
> > [attachment "xsm-tools-dummy-update-091208.diff" deleted by Stefan
> > Berger/Watson/IBM]
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel
>
> --
> George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
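
Review bot: in set_security_label, the new "if label:" test collapses every falsy value to "", not only a missing label, so the intent should be stated explicitly: use "if label is None: return ''" if only the absent-label case is meant, or the shorter 'return label or ""' if any falsy value should become the empty string. The function also lacks a comment saying why callers need an empty string here rather than the value passed in; a one-line note tying it to the unlabelled-VIF case discussed in this thread would make the change understandable without the mail archive. The policy argument is not used in the visible lines, which deserves a comment too if that is deliberate.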