This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] INFO for the subsequent Xen access control patches [1-8][ACM]

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] INFO for the subsequent Xen access control patches [1-8][ACM]
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Tue, 11 Apr 2006 22:25:06 -0400
Cc: sailer@xxxxxxxxxx
The [ACM] patches in the subsequent e-mails enhance / improve the Xen access control framework along the lines described in an earlier preview posting (see message: http://lists.xensource.com/archives/html/xen-devel/2006-02/msg00885.html). They provide:

* Labeling support for resume/migration/live-migration by introducing an access control parameter (consisting of a policy name and a label name)
into the domain configuration. Policy and label name are valid across
resume / migrate and are checked against the currently enforced policy
at resume or migration time. If they do not match, then resume/migration

* Integration of the Xen access control framework into Xen management
by moving from shell-based to Python-based tools and by integrating them
into the 'xm' command.

* Simplified policy management by moving from 2 files (policy
definition, label definition) to 1 file containing both policy and label

* Introduction of a unique policy name for each policy/label definition.
This name must change if the content of the policy changes. The policy
name is used to ensure that the 'xm' tools and the hypervisor work on
the same policy, i.e., interpret the security information for domains

If you would like to explore the new commands and learn about required
configuration steps, then the new 'Access Control Subcommands' section
of the 'xm' man page is a good place to start.

Comments and suggestions welcome.

