Bryan D. Payne
2006-Jun-26 22:14 UTC
[Xen-devel] [PATCH][ACM] python tools and support for resource labeling
This patch adds new xm subcommands to support working with resource labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand now uses an updated syntax to support labeling both domains and resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see when security checks will fail by pushing some basic security checking into the beginning of 'xm create' and 'xm block-attach'. ACM security attributes for block devices are added to XenStore in order to support the final security enforcement, which will be performed in the kernel and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Ewan Mellor
2006-Jun-28 15:05 UTC
Re: [Xen-devel] [PATCH][ACM] python tools and support for resource labeling
On Mon, Jun 26, 2006 at 06:14:15PM -0400, Bryan D. Payne wrote:
> This patch adds new xm subcommands to support working with resource
> labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
> getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
> now uses an updated syntax to support labeling both domains and
> resources. See the xm man page for details on each subcommand.
>
> Beyond the new subcommands, this patch allows users to immediately see
> when security checks will fail by pushing some basic security checking
> into the beginning of 'xm create' and 'xm block-attach'. ACM security
> attributes for block devices are added to XenStore in order to support
> the final security enforcement, which will be performed in the kernel
> and included in a separate patch.
>
> Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
> Signed-off-by: Reiner Sailer <sailer@us.ibm.com>

Looks good! I've applied that, thanks.

Ewan.
Ewan Mellor
2006-Jun-28 16:38 UTC
Re: [Xen-devel] [PATCH][ACM] python tools and support for resource labeling
On Wed, Jun 28, 2006 at 04:05:59PM +0100, Ewan Mellor wrote:
> On Mon, Jun 26, 2006 at 06:14:15PM -0400, Bryan D. Payne wrote:
>
> > This patch adds new xm subcommands to support working with resource
> > labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
> > getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
> > now uses an updated syntax to support labeling both domains and
> > resources. See the xm man page for details on each subcommand.
> >
> > Beyond the new subcommands, this patch allows users to immediately see
> > when security checks will fail by pushing some basic security checking
> > into the beginning of 'xm create' and 'xm block-attach'. ACM security
> > attributes for block devices are added to XenStore in order to support
> > the final security enforcement, which will be performed in the kernel
> > and included in a separate patch.
> >
> > Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
> > Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
>
> Looks good! I've applied that, thanks.

It seems I spoke too soon! The code uses xml.marshal.generic to parse the resource label file, but that module isn't in the base Python distribution -- it's a separate library.

Could you come up with an alternative scheme here? I'd _really_ like to avoid introducing a new dependency. I've commented that code out for now.

Cheers,

Ewan.
Bryan D Payne
2006-Jun-28 18:49 UTC
Re: [Xen-devel] [PATCH][ACM] python tools and support for resource labeling
> It seems I spoke too soon! The code uses xml.marshal.generic to parse the
> resource label file, but that module isn't in the base Python distribution --
> it's a separate library.
>
> Could you come up with an alternative scheme here? I'd _really_ like to avoid
> introducing a new dependency. I've commented that code out for now.

Ok, no problem. I'm putting together a fix for that now and will resubmit an updated version of the patch.

Cheers,
bryan