[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [User Question] Correct XSM/FLASK ruleset for oxenstored



On 01/13/2013 01:17 AM, tech mailinglists wrote:
[...]
> 
> Hello all,
> 
> I am actually working on Dom0 disaggregation and wan't to use an oxenstored
> stubdomain. But I have a problem to write the needed XSM/FLASK rule/rules.
> So I understood that this rules are written like SELinux rules so a defined
> application has a defined right. And for oxenstored the domctl
> getdomaininfo right must be given. So I have builded the oxenstored stubdom
> already like explained here:
> http://www.openmirage.org/blog/xenstore-stub-domain and I am also running
> on Linux 3.7.1 with pv_ops enabled. So I just need help to get good
> XSM/FLASK files. Would be great to see an example for such a rule or
> something like that.
> 
> Best Regards****
> 
> Hello,
> 
> its a Question about XSM/FLASK and oxenstored, details in the messages
> above. I also have forwarded this to the xen-users mailinglist but got no
> reply and the documentation of XSM/FLASK in the wiki is very short so I am
> realy unsure how to do it right.
> 
> Best Regards
> 
> 

This is the xenstore domain policy that I have been using to test. It is
based on the patches currently in xen 4.3-unstable-staging and has only
been tested with the C xenstore stubdom, although I expect it to work with
the mirage oxenstored stubdom.

################################################################################
#
# Xenstore stubdomain
#
################################################################################
declare_singleton_domain(xenstore_t)
create_domain(dom0_t, xenstore_t)
manage_domain(dom0_t, xenstore_t)

# Xenstore requires the global VIRQ for domain destroy operations
allow dom0_t xenstore_t:domain set_virq_handler;
# Current xenstore stubdom uses the hypervisor console, not "xl console"
allow xenstore_t xen_t:xen writeconsole;
# Xenstore queries domaininfo on all domains
allow xenstore_t domain_type:domain getdomaininfo;

# As a shortcut, the following 3 rules are used instead of adding a domain_comms
# rule between xenstore_t and every domain type that talks to xenstore
create_channel(xenstore_t, domain_type, xenstore_t_channel)
allow event_type xenstore_t: event bind;
allow xenstore_t domain_type:grant { map_read map_write unmap };


-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.