[Xen-devel] XSM/FLASK questions
Hello all,

I played with the Xen 4.1.0 XSM/FLASK module to see whether it works well or not. I changed the policy file so that dom0 cannot create a domU labeled with the domHU_t type. The policy.conf generated using the "make policy" command is as follows:

    type domHU_t, domain_type;
    allow dom0_t domHU_t:domain {max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext scheduler unpause getvcpuinfo getaddrsize getvcpuaffinity}; //I removed "create"

Then I added the label domHU_t for a domU in its configuration file as follows:

    access_control = ['policy=,label=system_u:system_r:domHU_t']

After that I installed the FLASK policy using "make install" and rebooted with flask_enforcing = 1. But when I started the domU using "xm create domU.cfg", it could still be created successfully. Since I removed the "create" operation in the policy, why can dom0 still create a domU labeled with domHU_t? Any idea? Thanks.

Best Regards,
Baozeng Ding