Xen devel - Oct 2008 - [PATCH] [Flask] Fix to default policy to get simple VM running

This fix gets to the default Flask/XSM policy gets a simple guest VM
(Ramdisk only, no VIF) running.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

I''ve been looking into this issue as a result of your earlier post and
I
have only been able to reproduce your error when manipulating the memory
reservations for a domU.  The sample flask policy is a basic policy that
only supports pv guests, so its not surprising that you''ve uncovered a
limitation of this policy.  Nonetheless, your patch should go in.

It''s a little unclear how many guests you are running or what resources
are
committed against the domUs.  How many domUs are you trying to supporting?
Do you only get the error with more than a few domUs?

On 10/7/08 3:03 PM, "Stefan Berger" <stefanb@us.ibm.com> wrote:
> This fix gets to the default Flask/XSM policy gets a simple guest VM
> (Ramdisk only, no VIF) running.
> 
> Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
> 
-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

"George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote on
10/07/2008
03:28:05 PM:
> 
> I''ve been looking into this issue as a result of your earlier post
and I
> have only been able to reproduce your error when manipulating the memory
> reservations for a domU.  The sample flask policy is a basic policy that
> only supports pv guests, so its not surprising that you''ve
uncovered a
> limitation of this policy.  Nonetheless, your patch should go in.
> 
> It''s a little unclear how many guests you are running or what
resources
are
> committed against the domUs.  How many domUs are you trying to 
supporting?
> Do you only get the error with more than a few domUs?
Just starting a single domU required me to add this rule. 2 more rules are 
needed to start a domU with networking enabled - see 2nd patch.

   Stefan
> 
> On 10/7/08 3:03 PM, "Stefan Berger" <stefanb@us.ibm.com>
wrote:
> 
> > This fix gets to the default Flask/XSM policy gets a simple guest VM
> > (Ramdisk only, no VIF) running.
> > 
> > Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
> > 
> 
> -- 
> George S. Coker, II <gscoker@alpha.ncsc.mil>
> 
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Would you send me your config file for this guest?

On 10/7/08 3:33 PM, "Stefan Berger" <stefanb@us.ibm.com> wrote:
> 
> "George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote on
10/07/2008 03:28:05
> PM:
>> > 
>> > I''ve been looking into this issue as a result of your
earlier post and I
>> > have only been able to reproduce your error when manipulating the
memory
>> > reservations for a domU.  The sample flask policy is a basic
policy that
>> > only supports pv guests, so its not surprising that
you''ve uncovered a
>> > limitation of this policy.  Nonetheless, your patch should go in.
>> > 
>> > It''s a little unclear how many guests you are running or
what resources are
>> > committed against the domUs.  How many domUs are you trying to
supporting?
>> > Do you only get the error with more than a few domUs?
> 
> Just starting a single domU required me to add this rule. 2 more rules are
> needed to start a domU with networking enabled - see 2nd patch.
> 
>    Stefan 
> 
>> > 
>> > On 10/7/08 3:03 PM, "Stefan Berger"
<stefanb@us.ibm.com> wrote:
>> > 
>>> > > This fix gets to the default Flask/XSM policy gets a
simple guest VM
>>> > > (Ramdisk only, no VIF) running.
>>> > > 
>>> > > Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
>>> > > 
>> > 
>> > -- 
>> > George S. Coker, II <gscoker@alpha.ncsc.mil>
>> > 
>> > 
> 
-- 
George S. Coker, II <gscoker@alpha.ncsc.mil>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

"George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote on
10/07/2008
03:57:54 PM:

> Subject
> 
> Re: [PATCH] [Flask] Fix to default policy to get simple VM running
> 
> 
> Would you send me your config file for this guest?
Here it is:

kernel = "/boot/vmlinuz-2.6.18.8-xen"
ramdisk = "/xen/initrd_domU/U1_ramdisk.img"
memory = 256
name = "UserDomain0"
root = "/dev/ram0 xencons=tty ro"
vif = [''backend=0'']
access_control = [''policy=,label=system_u:object_r:domU_t'']

    Stefan


> 
> On 10/7/08 3:33 PM, "Stefan Berger" <stefanb@us.ibm.com>
wrote:
> 
> "George S. Coker, II" <gscoker@alpha.ncsc.mil> wrote on
10/07/2008
> 03:28:05 PM:
> > 
> > I''ve been looking into this issue as a result of your earlier
post and
I
> > have only been able to reproduce your error when manipulating the 
memory
> > reservations for a domU.  The sample flask policy is a basic policy 
that
> > only supports pv guests, so its not surprising that you''ve
uncovered a
> > limitation of this policy.  Nonetheless, your patch should go in.
> > 
> > It''s a little unclear how many guests you are running or what
resources are
> > committed against the domUs.  How many domUs are you trying to 
supporting?
> > Do you only get the error with more than a few domUs? 
> 
> Just starting a single domU required me to add this rule. 2 more 
> rules are needed to start a domU with networking enabled - see 2nd 
patch. 
> 
>   Stefan 
> 
> > 
> > On 10/7/08 3:03 PM, "Stefan Berger"
<stefanb@us.ibm.com> wrote:
> > 
> > > This fix gets to the default Flask/XSM policy gets a simple guest
VM
> > > (Ramdisk only, no VIF) running.
> > > 
> > > Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
> > > 
> > 
> > -- 
> > George S. Coker, II <gscoker@alpha.ncsc.mil>
> > 
> > 
> 
> -- 
> George S. Coker, II <gscoker@alpha.ncsc.mil>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel