WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] some problems about addlabel

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] some problems about addlabel
From: 易秋萍 <yiqiuping1986@xxxxxxx>
Date: Wed, 16 Sep 2009 20:22:34 +0800 (CST)
Delivery-date: Wed, 16 Sep 2009 05:24:13 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Hello,I am a student, and did only know little about xen.
These days I was learning something about ACM module. When I do a experiment,I come across a problem.

In the experiment, I have three security labels A-Bank, B-Bank and __UNLABELED__.At first, I only create an unlabeled domianU, so it have the default security label——__UNLABELED__. Then I want to add A-Bank to it, but at that time I have the error "VM's access to block device 'file:/home/qiu/...'denied" . Later,I found the domainU that labeled with A-Bank cannot access the resources labeled with __UNLABELED__, because the domainU labeled with A-Bank only have a A-Bank type of STE, so when I relabeled the domainU to A-Bank, the hypervisor find that if the aciton success, the domainU cannot access the resources (these labeled by __UNLABELED__)that it can  before, so it denied such operations.

Now,I want to know that if I want to success relabeling the unlabeled domainU to A-Bank, should I add a STE type ——__UNLABELED__, to the STE type of the A-Bank workload.  If so, the domainU labeled with A-Bank can access any resources labeled with __UNLABELED__, and I don't think that was security.
what do you think about the question? Thank you!




网易邮箱用户购物独享现金返还
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] some problems about addlabel, 易秋萍 <=