author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:21:13 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:21:13 +0000 |
commit | a15e8b800a7dc62b1edc4314856dbc8f5003a28a (patch) | |
tree | 16bfcb8584c6ec2e1b2be0016130514ed0111e76 /tools/flask/policy/policy/modules/xen/xen.te | |
parent | 99c53075b8320ec0dd0c53ba88bc8ab6f4a1a3cf (diff) | |
flask/policy: Add user and constraint examples
These examples show how to use constraints and the user field of the
security label to prevent communication between virtual machines of
different customers in a multi-tenant environment.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.te')
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index ac52c3fd99..67dd0dfa88 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -22,22 +22,22 @@ attribute mls_priv;
 ################################################################################
 # The hypervisor itself
-type xen_t, xen_type, domain_type, mls_priv;
+type xen_t, xen_type, mls_priv;
 # Domain 0
 type dom0_t, domain_type, mls_priv;
 # Untracked I/O memory (pseudo-domain)
-type domio_t, domain_type;
+type domio_t, xen_type;
 # Xen heap (pseudo-domain)
-type domxen_t, domain_type;
+type domxen_t, xen_type;
 # Unlabeled objects
-type unlabeled_t, domain_type;
+type unlabeled_t, xen_type;
 # The XSM/FLASK security server
-type security_t, domain_type;
+type security_t, xen_type;
 # Unlabeled device resources
 # Note: don't allow access to these types directly; see below for how to label
@@ -143,7 +143,11 @@ delegate_devices(dom0_t, domU_t)
 ################################################################################
 #
-# Constraints
+# Policy constraints
+#
+# Neverallow rules will cause the policy build to fail if an allow rule exists
+# that violates the expression. This is used to ensure proper labeling of
+# objects.
 #
 ################################################################################
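Review bot: Moving xen_t, domio_t, domxen_t, unlabeled_t and security_t from domain_type to xen_type is what lets the later `role vm_r types { domain_type -dom0_t };` exclude the hypervisor and the pseudo-domains from the customer role, but nothing at the type declarations records that dependency, so a future edit to one of these lines can silently widen vm_r. Suggest a comment ahead of `# The hypervisor itself`, e.g. `# xen_type: the hypervisor and its pseudo-domains; domain_type: real domains. Keep the two disjoint — the role assignments below rely on it.` Any existing allow or neverallow rule elsewhere in xen.te that is keyed on domain_type no longer covers these five types after this change; that is presumably intended, but it is worth confirming against the rest of the file, since a type that drops out of a neverallow's subject set weakens the check without failing the build (the wildcard `neverallow * ~event_type:event` in the next hunk's header is unaffected).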
@@ -159,9 +163,19 @@ neverallow * ~event_type:event { create send status };
 ################################################################################
 #
-# Labels for initial SIDs and system role
+# Roles
 #
 ################################################################################
+# The object role (object_r) is used for devices, resources, and event channels;
+# it does not need to be defined here and should not be used for domains.
+
+# The system role is used for utility domains and pseudo-domains
 role system_r;
 role system_r types { xen_type domain_type };
+# If you want to prevent domUs from being placed in system_r:
+##role system_r types { xen_type dom0_t };
+
+# The vm role is used for customer virtual machines
+role vm_r;
+role vm_r types { domain_type -dom0_t }; |
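Review bot: With `role system_r types { xen_type domain_type };` left as the default, customer VMs can still be labeled in system_r, so the tenant separation this commit is about holds only if the labels actually assigned use vm_r; the restriction that would enforce it is shown only as the disabled `##role system_r types { xen_type dom0_t };`. Consider saying so next to the `# The vm role` comment, e.g. `# Separation between customers depends on their VMs being labeled with vm_r (and, per the commit message, distinct users); system_r alone does not isolate them.` The new comment also states that object_r should not be used for domains, but no rule in this hunk enforces that; if a constraint elsewhere in the policy does, a reference here would help, otherwise mark the remark as advisory. The disabled rule uses `##` where the rest of the file comments with a single `#`; a short note that `##` marks a rule intentionally left disabled would make the convention explicit.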