path: root/docs/man/xm.pod.1
author: Keir Fraser <keir.fraser@citrix.com> 2007-12-05 09:44:20 +0000
committer: Keir Fraser <keir.fraser@citrix.com> 2007-12-05 09:44:20 +0000
commit: 0ea4d2fb34ca99021271c8c16e8b3d87af3c5611 (patch)
tree: b327efb2975bf3306c2e29c6baf3a1b4253bb83f /docs/man/xm.pod.1
parent: c568950276dd795803aab37ba4770288455e3451 (diff)
Implement legacy XML-RPC interface for ACM commands.
This patch implements a (non Xen-API) legacy XML-RPC interface for the ACM commands and funnels the calls into code introduced by the Xen-API support for ACM security management. Since some of the functionality has changed, the xm applications have also changed. In particular the following old commands have been removed along with some tools that have become obsolete now:

- loadpolicy (included in: setpolicy)
- makepolicy (included in: setpolicy)
- cfgbootpolicy (included in: setpolicy)

and the following commands have been introduced:

- setpolicy
- getpolicy
- resetpolicy

All tools have been adapted to work in Xen-API and legacy XML-RPC mode. Both modes support the same functionality.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'docs/man/xm.pod.1')
-rw-r--r-- docs/man/xm.pod.1 | 61
1 files changed, 24 insertions, 37 deletions
diff --git a/docs/man/xm.pod.1 b/docs/man/xm.pod.1
index 72932dee93..3e98fadc9c 100644
--- a/docs/man/xm.pod.1
+++ b/docs/man/xm.pod.1
@@ -821,15 +821,13 @@ security in Xen, you must compile Xen with ACM support enabled as
described under "Configuring Security" below. There, you will find
also examples of each subcommand described here.
-=item B<setpolicy> ACM I<policy> I<[--load|--boot]>
+=item B<setpolicy> ACM I<policy>
Makes the given ACM policy available to xend as a I<xend-managed policy>.
The policy is compiled and a mapping (.map) as well as a binary (.bin)
-version of the policy is created. If the option I<--load> is provided
-the policy is loaded into Xen. If the option I<--boot> is provided the
-system is configure to be loaded with the policy at boot time. If these
-options are not provided with the B<setpolicy> subcommand, the
-B<activatepolicy> subcommand provides this functionality.
+version of the policy is created. The policy is loaded and the system's
+bootloader is prepared to boot the system with this policy the next time
+it is started.
=over 4
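Review bot: the new B<setpolicy> text states that the bootloader is prepared to boot with the policy, but drops the precondition the removed B<activatepolicy> paragraph carried (this only works when the system boots with the grub boot loader and the default boot title is modified) and the files it touches (/boot, /boot/grub/menu.lst or /boot/grub/grub.conf). Since setpolicy now performs that step unconditionally, keep the caveat here, e.g. "The boot configuration step is only supported if the system is booted with the grub boot loader", so an administrator knows what the command modifies and when it cannot succeed.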
@@ -844,16 +842,13 @@ global policy root directory.
=back
-=item B<activatepolicy> I<[--load|--boot]>
+=item B<resetpolicy>
-Activates the xend-managed policy by loading it into Xen using the
-I<--load> option or configures the system to boot with the
-xend-managed policy during the next reboot as a result of the
-I<--boot> option. The latter is only supported if the system is booted
-with the grub boot loader and the default boot title is modified.
-It copies the binary policy representation into the /boot directory and
-adds a module line specifying the binary policy to the /boot/grub/menu.lst
-or /boot/grub/grub.conf file.
+Reset the system's policy to the default state where the DEFAULT policy
+is loaded and enforced. This operation may fail if for example guest VMs are
+running and and one of them uses a different label than what Domain-0
+does. It is best to make sure that no guests are running before issuing
+this command.
=item B<getpolicy> [--dumpxml]
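Review bot: the added B<resetpolicy> paragraph contains a doubled word, "running and and one of them"; drop one "and". The opening "Reset the system's policy" also reads as an instruction where neighbouring entries are descriptive ("Makes the given ACM policy available"), so "Resets the system's policy to the default state ..." would match the surrounding style. Since the text says the operation may fail when a running guest carries a different label than Domain-0, it should also say what is enforced after such a failure (the previous policy, or nothing), as that is what an administrator has to check before relying on the reset.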
@@ -938,47 +933,39 @@ B<CONFIGURING SECURITY>
In xen_source_dir/Config.mk set the following parameter:
+ XSM_ENABLE ?= y
ACM_SECURITY ?= y
+
Then recompile and install xen and the security tools and then reboot:
- cd xen_source_dir/xen; make clean; make; cp xen.gz /boot;
- cd xen_source_dir/tools/security; make install;
+ cd xen_source_dir; make clean; make install
reboot into Xen
=back
-B<SETTING A SECURITY POLICY>
+B<RESETTING THE SYSTEM'S SECURITY>
=over 4
-This step makes the policy available to xend and creates the client_v1.map and
-client_v1.bin files in /etc/xen/acm-security/policies/example/chwall_ste.
-
- xm setpolicy ACM example.client_v1
+To set the system's security policy enforcement into its default state,
+the follow command can be issued. Make sure that no guests are running
+while doing this.
-=back
+ xm resetpolicy
-B<ACTIVATING THE XEND-MANAGED SECURITY POLICY>
-
-=over 4
-
-This step activates the xend-manged policy as new security policy in Xen.
-You can use the dumppolicy subcommand before and afterwards to see the
-change in the Xen policy state.
-
- xm activatpolicy --load
+After this command has successfully completed, the system's DEFAULT policy
+is enforced.
=back
-B<CONFIGURING A BOOT SECURITY POLICY>
+B<SETTING A SECURITY POLICY>
=over 4
-This configures the boot loader to load the current xend-managed policy at
-boot time. During system start, the ACM configures Xen with this policy and
-Xen enforces this policy from then on.
+This step sets the system's policy and automatically loads it into Xen
+for enforcement.
- xm activatepolicy --boot
+ xm setpolicy ACM example.client_v1
=back
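Review bot: "the follow command can be issued" in the new RESETTING THE SYSTEM'S SECURITY section should read "the following command". The section order is also awkward: RESETTING THE SYSTEM'S SECURITY now precedes SETTING A SECURITY POLICY, so the reader meets resetpolicy before any policy has been set; swapping the two would follow the workflow (configure and build, set policy, reset). Finally, the added "XSM_ENABLE ?= y" line appears in the Config.mk step with no explanation; a short sentence stating why it is required alongside ACM_SECURITY would help, if the ACM build now depends on it.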