
xen-devel

Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - impl

To: Stefan Berger <stefanb@xxxxxxxxxx>
Subject: Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Date: Mon, 06 Oct 2008 15:36:09 -0400
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>

Although XSM/Flask does not yet support labeling of VIFs, it should work with an attached VIF.  I think we have not been very careful in the handling of labels on VIFs, and your patch looks like it addresses that issue.  The default policy will allow both cases.

Yes, your access_control setting is correct.

On 10/6/08 12:21 PM, "Stefan Berger" <stefanb@xxxxxxxxxx> wrote:


George,

  is XSM/Flask known to work with a domU with an attached VIF? I find that this patch here seems necessary, but want to confirm...

diff -r 782599274bf9 tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py                Tue Sep 30 10:14:54 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py                Mon Oct 06 12:10:31 2008 -0400
@@ -35,7 +35,10 @@
     return ssidref
 
 def set_security_label(policy, label):
-    return label
+    if label:
+        return label
+    else:
+        return ""
 
 def ssidref2security_label(ssidref):
     label = ssidref2label(ssidref)
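
Review bot: in set_security_label, `if label:` maps every falsy value to "", not only a missing label, and nothing in the hunk says which caller passes one (the surrounding mail points at the attached-VIF path). If the intent is to normalize a missing label, `return label or ""` does the same in one line. A short comment naming the unlabeled-VIF case and stating that "" means "no label" would keep later callers from treating it as a real label. The `policy` argument is still unused here, which is worth saying in that comment too.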

Is the default policy you have provided allowing a DomU in the cases with a VIF or without a VIF to start?

Also, is the following line from the VM configuration file correct to start a VM while the default policy is enforced?

access_control=['policy=,label=system_u:object_r:domU_t']

Thanks.
   Stefan



xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/12/2008 04:48:58 PM:

> "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
> Sent by: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> 09/12/2008 04:48 PM
>
> To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
> Subject: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
>
> - This minor patch implements the missing stub function
> security_label_to_details in the dummy module.  This stub function is
> necessary to create domains with network interfaces for modules that do not
> implement the security_label_to_details function.
>
> Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
>
> [attachment "xsm-tools-dummy-update-091208.diff" deleted by Stefan Berger/Watson/IBM]
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel


--
George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel