direct-io.hg

view tools/security/install.txt @ 11330:3e54734e55f3

[IA64] Remove extraneous verbose output to clean up Fedora boot.

Signed-off-by: Aron Griffis <aron@hp.com>
author awilliam@xenbuild.aw
date Wed Aug 23 13:26:46 2006 -0600 (2006-08-23)
parents c7b9b8a64755
##
# install.txt <description to the xen access control architecture>
#
# Author:
# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
#               03/18/2006 update: new labeling
#
#
# This file shows how to activate and install the access control
# framework for Xen.
##


INSTALLING A SECURITY POLICY IN XEN
===================================

By default, the access control architecture is disabled in Xen. To
enable the access control architecture in Xen follow the steps below.
This description assumes that you want to install the Chinese Wall and
Simple Type Enforcement policy. Some file names need to be replaced
below to activate the Chinese Wall OR the Type Enforcement policy
exclusively (chwall_ste --> {chwall, ste}).

0. Build and install the xm man page. It includes the description of
   available management commands for the security policy for Xen and
   the labeling of domains. If not installed by default, you can make
   and install the xm man page as follows:
       # cd "xen_root"/docs
       # make install
   Then, use man xm to read it:
       # man xm

1. Enable access control in Xen
       # cd "xen_root"
       # edit/xemacs/vi Config.mk

       change the line:
       ACM_SECURITY ?= n
       to:
       ACM_SECURITY ?= y

       Now the hypervisor will boot into the policy that is specified
       in the grub configuration. If you would like to boot into a
       specific default policy (even if you cannot specify a boot
       policy and need to set the policy later using 'xensec_tool
       loadpolicy'), then change the other config parameter from
       NULL to another default policy, e.g.:
       ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY

       # make dist
       # ./install.sh

2. Build acm and policy tools and create a bootable policy:
       # cd tools/security
       # make install

       For a description of the following commands, please see the xm
       man page (docs/man1/xm.1). If it is not built, then you can
       create it manually: cd "xen_root"/docs; make; man man1/xm.1

   Step 1: Building the binary version of an example policy:
       # xm makepolicy example.chwall_ste.client_v1
       # xm cfgbootpolicy example.chwall_ste.client_v1

       Please verify the boot entry in /boot/grub/grub.conf (or menu.lst):
        title Xen (2.6.16)
            root (hd0,0)
            kernel /xen.gz dom0_mem=2000000 console=vga
            module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00 rhgb
            module /initrd-2.6.165-xen-U.img
            module /example.chwall_ste.client_v1.bin

3. Reboot into the newly compiled hypervisor

       after boot
       # xm dmesg
           should show an entry about the policy being loaded
           during the boot process

       # xm dumppolicy
           should print the new binary policy representation
           including the policy name example.chwall_ste.client_v1

       # xm list --label
           should show security label names behind the running domains

For more information about how to use the security-enabled Xen, see
the examples.txt file in this directory.
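
A pre-reboot check for steps 1 and 2, as an added example that is not part of install.txt or the Xen tree: it confirms that Config.mk enables ACM and lists any Xen boot entry that does not load the policy module. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Succeeds if the Config.mk at $1 sets ACM_SECURITY ?= y (step 1).
acm_enabled() {
    grep -Eq '^[[:space:]]*ACM_SECURITY[[:space:]]*\?=[[:space:]]*y[[:space:]]*$' "$1"
}

# Prints the title of each Xen boot entry in grub file $1 that does not
# load /$2.bin as a module (step 2). No output: every Xen entry has it.
entries_missing_policy() {
    awk -v want="/$2.bin" '
        function report() { if (xen && !found) print title }
        $1 == "title" {
            report(); title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            xen = 0; found = 0; next
        }
        $1 == "kernel" && $2 ~ /xen.*\.gz$/ { xen = 1 }
        $1 == "module" && $2 == want        { found = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample input: one entry with the policy module, one without.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ACM_SECURITY ?= y\n' > "$demo_dir/Config.mk"
cat > "$demo_dir/grub.conf" <<'EOF'
title Xen (2.6.16)
    root (hd0,0)
    kernel /xen.gz dom0_mem=2000000 console=vga
    module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00 rhgb
    module /initrd-2.6.16-xen.img
    module /example.chwall_ste.client_v1.bin
title Xen (no policy)
    root (hd0,0)
    kernel /xen.gz console=vga
    module /vmlinuz-2.6.16-xen ro root=/dev/VolGroup00/LogVol00
EOF

acm_enabled "$demo_dir/Config.mk" && echo "ACM_SECURITY is enabled"
echo "Xen entries without the policy module:"
entries_missing_policy "$demo_dir/grub.conf" example.chwall_ste.client_v1
```

An entry listed here boots without the policy named in its module line, so after such a boot the xm dmesg and xm dumppolicy checks in step 3 would not show example.chwall_ste.client_v1.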