Re: [Xen-devel] [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands

On 12/15/2011 03:56 PM, Konrad Rzeszutek Wilk wrote:
>> There is already an example policy file in
>> tools/flask/policy/policy/modules/xen/xen.te
>> although it will likely require additional rules to be run in enforcing mode.
>> The policy is not built as part of the normal build process, but it can be
>> built by running "make -C tools/flask/policy". If using Fedora 16 (or systems
>> with a checkpolicy version >24) the Makefile will need to be adjusted to
>> produce policy version 24 which is the latest version supported by Xen.
>
> Is there a howto on how to use it for newbies? Or how to apply policies
> against a domain? Would it make sense to have that as part of the 'man
> xl' ?
>

I just sent an updated example policy that demonstrates most of the features
that can be used without dom0 disaggregation. It has two main types for domU:

  domU_t is a domain that can communicate with any other domU_t
  isolated_domU_t can only communicate with dom0

There is also a resource type for device passthrough, configured for domU_t.
To label the PCI device 3:2.0 for passthrough, run:

  ./tools/flask/utils/flask-label-pci 0000:03:02.0 system_u:object_r:nic_dev_t

I'm not sure this belongs in "man xl" except for a mention of how to set the
security label of a newly created domain. There is already a
docs/misc/xsm-flask.txt that explains a bit about the policy creation; this
may need to be updated to better explain how to use FLASK.

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel