blob: ebdf84f7d4aeca47156209992d1b161d658253a9
##
# install.txt <description to the xen access control architecture>
#
# Author:
# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
# 03/18/2006 update: new labeling
#
#
# This file shows how to activate and install the access control
# framework for Xen.
##
INSTALLING A SECURITY POLICY IN XEN
===================================

By default, the access control architecture is disabled in Xen. To
enable the access control architecture in Xen, follow the steps below.
This description assumes that you want to install the Chinese Wall and
Simple Type Enforcement policy. Some file names need to be replaced
below to activate the Chinese Wall OR the Type Enforcement policy
exclusively (chwall_ste --> {chwall, ste}).

0. build and install the xm man page. It includes the description of
   available management commands for the security policy for Xen and
   the labeling of domains. If not installed by default, you can make
   and install the xm man page as follows:

       # cd "xen_root"/docs
       # make install

   Then, use man xm to read it:

       # man xm

1. enable access control in Xen

       # cd "xen_root"
       # edit/xemacs/vi Config.mk

   change the line:

       ACM_SECURITY ?= n

   to:

       ACM_SECURITY ?= y

   Now the hypervisor will boot into the policy that is specified
   in the grub configuration. If you would like to boot into a
   specific policy (even if you can't specify a boot policy but
   need to set the policy later using 'xensec_tool loadpolicy'),
   then change the other config parameter from NULL to another
   default policy, e.g.:

       ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY

       # make dist
       # ./install.sh

2. Build acm and policy tools and create a bootable policy:

       # cd tools/security
       # make install

   For a description of the following commands, please see the xm
   man page (docs/man1/xm.1). If it is not built, then you can
   create it manually: cd "xen_root"/docs; make; man man1/xm.1

   Step1: Building binary version of an example policy:

       # xm makepolicy example.chwall_ste.client_v1
       # xm cfgbootpolicy example.chwall_ste.client_v1

   Please verify the boot entry in /boot/grub/grub.conf (or menu.lst):

       title Xen (2.6.16)
           root (hd0,0)
           kernel /xen.gz dom0_mem=2000000 console=vga
           module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00 rhgb
           module /initrd-2.6.165-xen-U.img
           module /example.chwall_ste.client_v1.bin

3. reboot into the newly compiled hypervisor

   after boot

       # xm dmesg
           should show an entry about the policy being loaded
           during the boot process

       # xm dumppolicy
           should print the new binary policy representation
           including the policy name example.chwall_ste.client_v1

       # xm list --label
           should show security label names behind the running domains

For more information about how to use the security-enabled Xen, see
the examples.txt file in this directory.
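
The checks from steps 1 and 2 can be run before rebooting. The script below is an added example, not part of the Xen tree: the function names, the temporary file names and the file contents are constructed for illustration. It tests that ACM_SECURITY is set to y and that the policy module sits in the same boot entry as the hypervisor, since a policy module attached to another entry or commented out is never loaded.

```shell
#!/bin/sh
# Added example, not part of the Xen tree. All file contents are constructed.

# acm_enabled FILE: succeed only if the last ACM_SECURITY assignment is "y".
acm_enabled() {
    awk '/^[ \t]*ACM_SECURITY[ \t]*[?:]?=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
         END { exit !(v == "y") }' "$1"
}

# policy_in_boot_entry GRUBCONF POLICY: succeed only if one boot entry both
# boots the hypervisor (kernel .../xen*.gz) and loads POLICY.bin as a module.
policy_in_boot_entry() {
    awk -v want="/$2.bin" '
        $1 == "title"  { if (xen && pol) ok = 1; xen = 0; pol = 0 }
        $1 == "kernel" && $2 ~ /xen.*\.gz$/ { xen = 1 }
        $1 == "module" && substr($2, length($2) - length(want) + 1) == want { pol = 1 }
        END { if (xen && pol) ok = 1; exit !ok }' "$1"
}

# Constructed sample inputs (stand-ins for Config.mk and grub.conf).
tmp=$(mktemp -d)
printf 'ACM_SECURITY ?= n\n' > "$tmp/Config.default"
printf 'ACM_SECURITY ?= y\n' > "$tmp/Config.enabled"
cat > "$tmp/grub.good" <<'EOF'
title Xen (2.6.16)
    root (hd0,0)
    kernel /xen.gz dom0_mem=2000000 console=vga
    module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00 rhgb
    module /initrd-2.6.16-xen.img
    module /example.chwall_ste.client_v1.bin
EOF
# Policy module attached to a non-Xen entry, and commented out under Xen.
cat > "$tmp/grub.bad" <<'EOF'
title Linux
    kernel /vmlinuz-2.6.16 ro root=/dev/VolGroup00/LogVol00
    module /example.chwall_ste.client_v1.bin
title Xen (2.6.16)
    kernel /xen.gz dom0_mem=2000000 console=vga
    #module /example.chwall_ste.client_v1.bin
EOF

acm_enabled "$tmp/Config.default" || echo "Config.default: ACM_SECURITY is not y"
for f in "$tmp/grub.good" "$tmp/grub.bad"; do
    if policy_in_boot_entry "$f" example.chwall_ste.client_v1
    then echo "$f: policy module present in Xen entry"
    else echo "$f: policy module MISSING from Xen entry"; fi
done
```

On a real system, point the two functions at "xen_root"/Config.mk and /boot/grub/grub.conf (or menu.lst) instead of the constructed files.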