George S. Coker, II
2008-Sep-12  20:48 UTC
[Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
- This minor patch implements the missing stub function security_label_to_details in the dummy module. This stub function is necessary to create domains with network interfaces for modules that do not implement the security_label_to_details function.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Stefan Berger
2008-Oct-06  16:21 UTC
Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
George,
  is XSM/Flask known to work with a domU with an attached VIF? I find that 
this patch here seems necessary, but want to confirm...
diff -r 782599274bf9 tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py           Tue Sep 30 
10:14:54 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py           Mon Oct 06 
12:10:31 2008 -0400
@@ -35,7 +35,10 @@
     return ssidref
 
 def set_security_label(policy, label):
-    return label
+    if label:
+        return label
+    else:
+        return ""
 
 def ssidref2security_label(ssidref):
     label = ssidref2label(ssidref)
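Review bot: the new branch in set_security_label silently turns a missing label into "" without saying why a None label reaches this function or whether the callers treat an empty string as "unlabeled"; a one-line comment on the intent would help, and the four-line if/else collapses to `return label or ""`. The `policy` parameter is unused on both sides of the change.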
Is the default policy you have provided allowing a DomU in the cases with 
a VIF or without a VIF to start? 
Also, is the following line from the VM configuration file correct to 
start a VM while the default policy is enforced?
access_control=[''policy=,label=system_u:object_r:domU_t'']
Thanks.
   Stefan
George S. Coker, II
2008-Oct-06  19:36 UTC
Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
Although XSM/Flask does not yet support labeling of VIFs, it should work with an attached VIF. I think we have not been very careful in the handling of labels on VIFs, and your patch looks like it addresses that issue. The default policy will allow both cases.

Yes, your access_control setting is correct.

--
George S. Coker, II <gscoker@alpha.ncsc.mil>
Stefan Berger
2008-Oct-06  21:55 UTC
Re: [Xen-devel][XSM][Patch] Minor XSM tools patch to dummy module - implement missing stub
"George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote on 10/06/2008 03:36:09 PM:

> Although XSM/Flask does not yet support labeling of VIFs, it should
> work with an attached VIF. I think we have not been very careful in
> the handling of labels on VIFs, and your patch looks like it
> addresses that issue. The default policy will allow both cases.

With a domU that has no VIF, I see this here:

(XEN) avc: denied { adjust } for domid=4
(XEN) scontext=system_u:object_r:domU_t tcontext=system_u:object_r:domU_t

The VM also disappears.

   Stefan