similar to: [PATCH][XSM] missing entries to xsm_fixup_ops

- This minor patch implements the missing stub function security_label_to_details in the dummy module. This stub function is necessary to create domains with network interfaces for modules that do not implement the security_label_to_details function. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil> _______________________________________________ Xen-devel mailing list

- The patch does away with the autogenerated xsm.py file and introduces a config parameter in xend-config.sxp to determine the security module. The parameter is (xsm_module_name {acm, dummy, flask}). The default setting/option is dummy. .hgignore is also updated to stop ignoring xsm.py on commits. - The patch has created an xsconstant for XS_POLICY_FLASK and updated the toolchain to check the

Fix formatting of Flask AVC audit messages so that existing policy tools can parse them. After applying, ''xm dmesg | audit2allow'' yields the expected result. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil> --- xen/xsm/flask/avc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)

This patch implements the Flask tools for the xen control plane (xm & xend). The patch also refactors the ACM toolchain so that a common security API (based on the existing ACM toolchain) is exported to xm and xend. To create a domain with the Flask module, add the following (for example) to a domain''s configuration file access_control =

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command and libxl header when the Flask XSM is in use. Adheres to the changes made by the patch to remove exposure of libxenctrl/libxenstore headers via libxl.h. tools/libxl/libxl_flask.c | 71 ++++++++++++++++++ tools/libxl/Makefile | 2

Adds support for assigning a label to domains, obtaining and setting the current enforcing mode, and loading a policy with xl command when the Flask XSM is in use. libxl.c | 1 libxl.idl | 3 - xl.h | 3 + xl_cmdimpl.c | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- xl_cmdtable.c | 18 +++++- 5 files changed, 187 insertions(+), 9

Hi , When cw is used, dom0 reboots. Though I set quest memory size. I want to study into the cause. Please teach how to examine it. #xm create vm1.conf <-- OK #xm create vm4.conf <-- NO ................... <-- system boot #last root pts/1 myPC Tue Sep 25 11:25 - crash (09:01) reboot system boot 2.6.18-xen Tue Sep 25 20:06 (-8:-16) ~~~~~~~~~~~

x86 pm : provide CC7/PC2 residency Sandy bridge introduces new MSR to get cc7/pc2 residency (core C-state 7/package C-state 2). Print the cc7/pc2 residency when on sandy bridge platform. Signed-off-by: Yang Zhang <yang.z.zhang@intel.com> diff -r 662dbf6ee71c tools/libxc/xc_pm.c --- a/tools/libxc/xc_pm.c Mon Oct 24 18:01:07 2011 +0100 +++ b/tools/libxc/xc_pm.c Fri Oct 28

While compiling XEN with XSM_ENABLE=y and FLASK_ENABLE=y, I received the following error. gcc -O1 -fno-omit-frame-pointer -m64 -g -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-value -Wdeclaration-after-statement -Wno-unused-but-set-variable -fno-builtin -fno-common -Wredundant-decls -iwithprefix include -Werror -Wno-pointer-arith -pipe

Alan Coopersmith (4): configure: Drop AM_MAINTAINER_MODE autogen.sh: Honor NOCONFIGURE=1 Print which option was in error along with usage message xsm 1.0.4 Emil Velikov (1): autogen.sh: use quoted string variables Gaetan Nadon (1): Remove obsolete Imake SIGNALRETURNSINT Mihail Konev (1): autogen: add default patch prefix Peter Hutterer (1):

Hi all, i want to know about the following things: 1.unloading XSM policy. -xl loadpolicy xenpolicy.24 to load the policy. For unloading is there any command is available.? 2. i want to know any analysis tool is available for XSM policy. 3. Apart from wiki.org/XSM any other tutorial is available for developing own XSM policy.? Thanks and regards, cooldharma06.

It was suggested to me that I forward this message to you. ---------- Forwarded Message ---------- Subject: privsep in ssh Date: Fri, 19 Sep 2003 12:22 From: Russell Coker <russell at coker.com.au> To: SE Linux <selinux at tycho.nsa.gov> Cc: Colin Watson <cjwatson at debian.org> #ifdef DISABLE_FD_PASSING if (1) { #else if (authctxt->pw->pw_uid == 0 ||

Hello all, I am trying to get a xenstore/oxenstore (oxenstore is mirage based) stubdom to get to work on Xen 4.2.1. I know that I need to set XSM/FLASK rules and so I have compiled 4.2.1 with XSM and FLASK. I already talked with Daniel de Graaf (on the mailinglists) and Steven Maresca on IRC about this thing. Daniel already wrote a XSM/FLASK ruleset in this thread:

hi all, just now i installed xenserver -6.0.2 in my machine. i have seen some Xen Security Modules (XSM) in xen hypervisor. i want to know any XSM things in Xenserver. If it is how i can test those things.? Suggest me some ideas. Regards, cooldharma06. :) _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users

This bug was fixed in "changeset 25432:d7318231cfe3" but the code was moved to a different file and patch fixes that file. The following patch is for xen-4.1-testing.hg. diff -r 3ce155e77f39 xen/arch/x86/domctl.c --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -873,7 +873,7 @@ long arch_do_domctl( break; } - ret = xsm_assign_device(d,

The FLASK security checks for resource ranges were not implemented correctly - only the permissions on the endpoints of a range were checked, instead of all items contained in the range. This would allow certain resources (I/O ports, I/O memory) to be used by domains in contravention to security policy. This also corrects a bug where adding overlapping resource ranges did not trigger an error.

[This is fairly far from the topic of the mailing-list: we may want to take further discussion to email or the tech list] Jeremy writes: > it violates the principle of > least suprises for the nfs user. ie. They may get access > denied when the UNIX perms say they should be granted access. Paul replies: > But wouldn't it also be a "surprise" when an NFS user finds

If libxl_create_logfile fails for some reason then libxl__create_qemu_logfile previously just carried on and dereferenced the uninitialised logfile. Check for the error from libxl_create_logfile, which has already logged for us. This was reported as Debian bug #784880. Reported-by: Russell Coker <russell at coker.com.au> Signed-off-by: Ian Campbell <ian.campbell at citrix.com> Cc:

Is it expected that running btrfsck more than once will keep reporting errors? Below is the end of a btrfsck output when run the second time. backpointer mismatch on [111942471680 32768] owner ref check failed [111942471680 32768] ref mismatch on [111942504448 40960] extent item 1, found 0 Incorrect local backref count on 111942504448 root 5 owner 160739 offset 3440640 found 0 wanted 1 back

I would like to understand how the "check password script" interacts with enabling/disabling password complexity checks. That is: if I configure     check password script = /usr/local/samba/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict is this called *in addition* to the default complexity checking, or instead of it? And if I set     samba-tool domain passwordsettings set