WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-users] Re: [Xen-devel] Loading ACM policy in XSM

Hi, George.

I tried it as George said.

#ls /etc/xen/acm-security/policies/
client_v1-security_policy.xml
default-ul-security_policy.xml
managed_policies
security_policy.xsd
default-security_policy.xml
example
resource_labels
test-security_policy.xml

#xm list --label
Name                                      ID   Mem VCPUs      State   Time(s) Label
Domain-0                                   0  1024     2     r-----     86.1 ACM:example.client_v1:dom_SystemManagement

#xm create vm1.conf
Using config file "./vm1.conf".
Started domain vm1

#xm list --label
Name    ID Mem VCPUs State Time(s) Label
vm1      1 128  1 r----- 4.7  ACM:example.client_v1:dom_HomeBanking
Domain-0 0 1024 2 r----- 94.6 ACM:example.client_v1:dom_SystemManagement

It looks good.
Thank you for your help.


Syunsuke HAYASHI
> You need to make sure that xm and xend are setup for xen-api.  On my
> system I had to use the -xenapi config files in /etc/xen.
> 
> You could also create a managed_policies file by hand.  The format of
> the file is:
> 
> managed_policies = {
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1',
> 'ACM'),
>     '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb36': (u'example.test', 'ACM'),
> }
> 
> On Tue, 2007-09-11 at 19:28 +0900, Syunsuke HAYASHI wrote: 
>> Hi
>> Thank you for the help.
>>
>> I have a question about how to make 'managed_policies'.
>> I understood that 'managed_policies' was made from "xm setpolicy" command.
>> But I don't know how to call "xm setpolicy" from 'Xen-api'.
>>
>> How should I call it ?
>>
>> --------------------------------xm setpolicy----------------------------
>> #xm setpolicy ACM example.client_v1 --boot
>>
>> Error: xm needs to be configured to use the xen-api.
>> Usage: xm setpolicy <policytype> <policyfile> [options]
>> Set the policy of the system.
>>     Usage: xm setpolicy <policytype> <policy> [options]
>>
>>     Set the policy managed by xend.
>>
>>     The only policytype that is currently supported is 'ACM'.
>>
>>     The following options are defined
>>       --load     Load the policy immediately
>>       --boot     Have the system load the policy during boot
>>       --update   Automatically adapt the policy so that it will be
>>                  treated as an update to the current policy
>> --------------------------------------------------------------------------
>>
>> Thanks,
>>
>> Syunsuke HAYASHI
>>> I believe that your 'managed_policies' file is missing or empty.  Please
>>> look at /etc/xen/acm-security/policies/managed_policies.  If this is a
>>> new installation, I do not believe that ACM will create the
>>> 'managed_policies' file.
>>>
>>> George
>>>
>>> On Wed, 2007-08-29 at 13:26 +0900, Syunsuke HAYASHI wrote:
>>>> Hi, Stefan
>>>> Thank you for the help.
>>>>
>>>> I was not describing an ssidref=... in grub.conf.
>>>> I show grub.conf and dmesg when I execute "xm chgpolicy 
>>>> example.client_v1" command and reboot.
>>>>
>>>> ----------------------------grub.conf--------------------------------------
>>>> # grub.conf generated by anaconda
>>>> #
>>>> # Note that you do not have to rerun grub after making changes to this file
>>>> # NOTICE:  You have a /boot partition.  This means that
>>>> #          all kernel and initrd paths are relative to /boot/, eg.
>>>> #          root (hd0,0)
>>>> #          kernel /vmlinuz-version ro root=/dev/sda3
>>>> #          initrd /initrd-version.img
>>>> #boot=/dev/sda
>>>> default=0
>>>> timeout=5
>>>> splashimage=(hd0,0)/grub/splash.xpm.gz
>>>> hiddenmenu
>>>> title xen-unstable0827
>>>>      root (hd0,0)
>>>>      kernel /xen.gz dom0_mem=1024M
>>>>      module /vmlinuz-2.6.18-xen ro root=LABEL=/ rhgb
>>>>      module /initrd-2.6.18-xen.img
>>>>      module /example.client_v1.bin
>>>>
>>>>
>>>> -----------------------------dmesg----------------------------------------
>>>>   __  __            _____  ___                     _        _     _
>>>>   \ \/ /___ _ __   |___ / / _ \    _   _ _ __  ___| |_ __ _| |__ | | ___
>>>>    \  // _ \ '_ \    |_ \| | | |__| | | | '_ \/ __| __/ _` | '_ \| |/ _ \
>>>>    /  \  __/ | | |  ___) | |_| |__| |_| | | | \__ \ || (_| | |_) | |  __/
>>>>   /_/\_\___|_| |_| |____(_)___/    \__,_|_| |_|___/\__\__,_|_.__/|_|\___|
>>>>
>>>>   http://www.cl.cam.ac.uk/netos/xen
>>>>   University of Cambridge Computer Laboratory
>>>>
>>>>   Xen version 3.0-unstable (root@xxxxxxxxxxxxxxxxxxxx) (gcc version 
>>>> 4.1.2 20070502 (Red Hat 4.1.2-12)) Sun Aug 26 06:00:02 JST 2007
>>>>   Latest ChangeSet: Thu Aug 16 13:27:59 2007 +0100 15730:256160ff19b7
>>>>
>>>> (XEN) Command line: /xen.gz dom0_mem=1024M
>>>> (XEN) Video information:
>>>> (XEN)  VGA is text mode 80x25, font 8x16
>>>> (XEN)  VBE/DDC methods: V2; EDID transfer time: 2 seconds
>>>> (XEN) Disc information:
>>>> (XEN)  Found 1 MBR signatures
>>>> (XEN)  Found 1 EDD information structures
>>>> (XEN) Xen-e820 RAM map:
>>>> (XEN)  0000000000000000 - 000000000009f000 (usable)
>>>> (XEN)  000000000009f000 - 00000000000a0000 (reserved)
>>>> (XEN)  00000000000d6000 - 00000000000d8000 (reserved)
>>>> (XEN)  00000000000e0000 - 0000000000100000 (reserved)
>>>> (XEN)  0000000000100000 - 000000007fff0000 (usable)
>>>> (XEN)  000000007fff0000 - 000000007ffff000 (ACPI data)
>>>> (XEN)  000000007ffff000 - 0000000080000000 (ACPI NVS)
>>>> (XEN)  00000000fec00000 - 00000000fec10000 (reserved)
>>>> (XEN)  00000000fee00000 - 00000000fee01000 (reserved)
>>>> (XEN)  00000000fff80000 - 0000000100000000 (reserved)
>>>> (XEN) System RAM: 2047MB (2096700kB)
>>>> (XEN) Xen heap: 9MB (10168kB)
>>>> (XEN) Domain heap initialised: DMA width 32 bits
>>>> (XEN) PAE enabled, limit: 16 GB
>>>> (XEN) Processor #0 15:2 APIC version 20
>>>> (XEN) Processor #1 15:2 APIC version 20
>>>> (XEN) Processor #6 15:2 APIC version 20
>>>> (XEN) Processor #7 15:2 APIC version 20
>>>> (XEN) IOAPIC[0]: apic_id 2, version 17, address 0xfec00000, GSI 0-15
>>>> (XEN) IOAPIC[1]: apic_id 3, version 17, address 0xfec01000, GSI 16-31
>>>> (XEN) IOAPIC[2]: apic_id 4, version 17, address 0xfec02000, GSI 32-47
>>>> (XEN) IOAPIC[3]: apic_id 5, version 17, address 0xfec03000, GSI 48-63
>>>> (XEN) Enabling APIC mode:  Flat.  Using 4 I/O APICs
>>>> (XEN) Using scheduler: SMP Credit Scheduler (credit)
>>>> (XEN) Detected 3189.437 MHz processor.
>>>> (XEN) CPU0: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 1/1 eip 90000
>>>> (XEN) CPU1: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 2/6 eip 90000
>>>> (XEN) CPU2: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Booting processor 3/7 eip 90000
>>>> (XEN) CPU3: Intel(R) Xeon(TM) CPU 3.20GHz stepping 05
>>>> (XEN) Total of 4 processors activated.
>>>> (XEN) ENABLING IO-APIC IRQs
>>>> (XEN)  -> Using new ACK method
>>>> (XEN) ..MP-BIOS bug: 8254 timer not connected to IO-APIC
>>>> (XEN) Platform timer overflows in 234 jiffies.
>>>> (XEN) Platform timer is 3.579MHz ACPI PM Timer
>>>> (XEN) Brought up 4 CPUs
>>>> (XEN) Policy len  0x168, start at 3ffff000 - module 2.
>>>> (XEN) acm_set_policy_reference: Activating policy example.client_v1
>>>> (XEN) acm_init: Enforcing CHINESE WALL AND SIMPLE TYPE ENFORCEMENT boot 
>>>> policy.
>>>> (XEN) *** LOADING DOMAIN 0 ***
>>>> (XEN)  Xen  kernel: 32-bit, PAE, lsb
>>>> (XEN)  Dom0 kernel: 32-bit, PAE, lsb, paddr 0xc0100000 -> 0xc044fb7c
>>>> (XEN) PHYSICAL MEMORY ARRANGEMENT:
>>>> (XEN)  Dom0 alloc.:   000000003e000000->000000003f000000 (258048 pages 
>>>> to be allocated)
>>>> (XEN) VIRTUAL MEMORY ARRANGEMENT:
>>>> (XEN)  Loaded kernel: c0100000->c044fb7c
>>>> (XEN)  Init. ramdisk: c0450000->c0bba600
>>>> (XEN)  Phys-Mach map: c0bbb000->c0cbb000
>>>> (XEN)  Start info:    c0cbb000->c0cbb46c
>>>> (XEN)  Page tables:   c0cbc000->c0cc9000
>>>> (XEN)  Boot stack:    c0cc9000->c0cca000
>>>> (XEN)  TOTAL:         c0000000->c1000000
>>>> (XEN)  ENTRY ADDRESS: c0100000
>>>> (XEN) Dom0 has maximum 4 VCPUs
>>>> (XEN) Initrd len 0x76a600, start at 0xc0450000
>>>> (XEN) Scrubbing Free RAM: .........done.
>>>> (XEN) Xen trace buffers: disabled
>>>> (XEN) Std. Loglevel: Errors and warnings
>>>> (XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
>>>> (XEN) Xen is relinquishing VGA console.
>>>> (XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch 
>>>> input to Xen).
>>>> (XEN) Freed 88kB init memory.
>>>> (XEN) ioapic_guest_write: apic=0, pin=2, old_irq=-1, new_irq=0
>>>> (XEN) ioapic_guest_write: old_entry=00010000, new_entry=000009f0
>>>> (XEN) ioapic_guest_write: Attempt to add IO-APIC pin for in-use IRQ!
>>>> -------------------------------------------------------------------------
>>>> Is it good in this ?
>>>>
>>>> Syunsuke HAYASHI
>>>>  >
>>>>  > xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 08/27/2007 04:00:14 AM:
>>>>  >
>>>>  >  > Hi,
>>>>  >  > I have a problem about ACM module(hg.15730)
>>>>  >  > I want to label Domain-0.
>>>>  >  > I read xen user's manual v3.0 and "man xm" information.
>>>>  >  > ACM document mentions how to label Domain-0.
>>>>  >  > But I couldn't add the label when I tried the following steps.
>>>>  >  >
>>>>  >  >    (test1)
>>>>  >  >    #xm makepolicy example.client_v1
>>>>  >  >    #xm cfgbootpolicy example.client_v1
>>>>  >  >    #reboot
>>>>  >  >
>>>>  >  >    (test2)
>>>>  >  >    #xm setpolicy ACM example.client_v1
>>>>  >  >    #xm activatepolicy --boot
>>>>  >  >
>>>>  >  >    (result)
>>>>  >  >    [root@bx607 ~]# xm list --label
>>>>  >  >    Name     ID  Mem    VCPUs    State   Time(s) Label
>>>>  >  >    Domain-0  0  1024     4     r-----    105.1 unlabeled
>>>>  >  >
>>>>  >  > So,I tried to use "xm addlabel" command.
>>>>  >  >
>>>>  >  >    #xm makepolicy example.client_v1
>>>>  >  >    #xm addlabel dom_SystemManagement mgt Domain-0 example.client_v1
>>>>  >  >
>>>>  >  > But I couldn't again.
>>>>  >  >
>>>>  >  > Is there any good idea ?
>>>>  >
>>>>  > Is there an ssidref=... in the 'kernel' line in the grub title you 
>>>> are booting? Can you send this line and remove the ssidref=... and try 
>>>> again?
>>>>  > Otherwise if this is not the case, can you send the content of 'xm 
>>>> dmesg'?
>>>>  >
>>>>  >    Stefan
>>>>  >  >
>>>>  >  > Thanks,
>>>>  >  >
>>>>  >  > Syunsuke HAYASHI
>>>>  >  >
>>>>  >  >
>>>>  >  >
>>>>  >  >
>>>>  >  > _______________________________________________
>>>>  >  > Xen-devel mailing list
>>>>  >  > Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>>  >  > http://lists.xensource.com/xen-devel
>>>>
>>>>
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xen-users
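
A format check for a hand-written managed_policies file in the layout George describes, added here as an example and not taken from xend or from any poster in this thread. The function names and the malformed second entry in the sample are constructed for illustration; the file is read with `ast`, so nothing in it is executed.

```python
import ast
import uuid

# Constructed sample in the format quoted in the thread; the second entry is
# deliberately malformed (bad UUID, unsupported type) to exercise the checks.
SAMPLE = """
managed_policies = {
    '7bd38df8-3f0c-a97d-cf54-fcbd98f7cb35': (u'example.client_v1', 'ACM'),
    'not-a-uuid': (u'example.test', 'FOO'),
}
"""

SUPPORTED_TYPES = {"ACM"}  # per the xm setpolicy help text: only 'ACM'


def parse_managed_policies(text):
    """Return the managed_policies dict without executing the file."""
    tree = ast.parse(text)
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id == "managed_policies"):
            value = ast.literal_eval(node.value)  # literals only, no code runs
            if not isinstance(value, dict):
                raise ValueError("managed_policies is not a dict")
            return value
    raise ValueError("no managed_policies assignment found")


def check_entries(policies):
    """Return a list of (key, problem) pairs; empty means well-formed."""
    problems = []
    for key, entry in policies.items():
        try:
            uuid.UUID(key)
        except (ValueError, AttributeError, TypeError):
            problems.append((key, "key is not a UUID"))
        if not (isinstance(entry, tuple) and len(entry) == 2
                and all(isinstance(x, str) for x in entry)):
            problems.append((key, "value is not a (name, type) pair"))
            continue
        name, ptype = entry
        if ptype not in SUPPORTED_TYPES:
            problems.append((key, "unsupported policy type %r" % ptype))
        if not name or any(not part for part in name.split(".")):
            problems.append((key, "empty component in policy name %r" % name))
    return problems
```
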

