ia64/xen-unstable

view tools/security/install.txt @ 8740:3d7ea7972b39

Update patches for linux 2.6.15.

Signed-off-by: Christian Limpach <Christian.Limpach@cl.cam.ac.uk>
author cl349@firebug.cl.cam.ac.uk
date Thu Feb 02 17:16:00 2006 +0000 (2006-02-02)
parents 8aac8746047b
children c7b9b8a64755
##
# install.txt <description to the xen access control architecture>
#
# Author:
# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
#
#
# This file shows how to activate and install the access control
# framework.
##


INSTALLING A SECURITY POLICY IN XEN
===================================

By default, the access control architecture is disabled in Xen. To
enable the access control architecture in Xen, follow the steps below.
This description assumes that you want to install the Chinese Wall and
Simple Type Enforcement policy. Some file names need to be replaced
below to activate the Chinese Wall OR the Type Enforcement policy
exclusively (chwall_ste --> {chwall, ste}).

1. enable access control in Xen
       # cd "xen_root"
       # edit/xemacs/vi Config.mk

       change the lines:
       ACM_SECURITY ?= n
       ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY

       to:
       ACM_SECURITY ?= y
       ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY

       # make all
       # ./install.sh

2. compile the policy from xml to a binary format that can be loaded
   into the hypervisor for enforcement
       # cd tools/security
       # make

       manual steps (alternative to make boot_install):
       # ./xensec_xml2bin -d policies/ chwall_ste
       # cp policies/chwall_ste/chwall_ste.bin /boot
       # edit /boot/grub/grub.conf
         add the following line to your xen boot entry:
         "module /boot/chwall_ste.bin"

       alternatively, you can try our automatic translation and
       installation of the policy:
       # make boot_install

       [we try hard to do the right thing to the right boot entry but
        please verify boot entry in /boot/grub/grub.conf afterwards;
        your xen boot entry should have an additional module line
        specifying a chwall_ste.bin file with the correct directory
        (e.g. "/" or "/boot").]


3. reboot into the newly compiled hypervisor

       after boot
       # xm dmesg
         should show an entry about the policy being loaded
         during the boot process

       # xensec_tool getpolicy
         should print the new chwall_ste binary policy representation
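
Added example, not part of the original install.txt or the Xen tools: a shell check for the verification that step 2 asks for, confirming that every Xen entry in a legacy GRUB grub.conf carries a module line for the policy binary. The function name, the sample file contents, and the rule that the hypervisor image name starts with "xen" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Xen tree). Assumes legacy GRUB syntax and that
# the hypervisor image file name starts with "xen" (e.g. xen.gz).
# Exit status: 0 = every Xen entry loads the policy, 1 = some entry lacks it,
# 2 = no Xen entry found.
check_acm_boot_entry() {   # $1 = grub.conf path, $2 = policy name (chwall_ste)
    awk -v bin="$2.bin" '
        function report() {
            if (title == "" || !is_xen) return
            found++
            if (has_policy) print "OK: " title
            else { print "MISSING: " title; missing++ }
        }
        /^[ \t]*#/ { next }
        /^[ \t]*title[ \t]/ {
            report()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            is_xen = 0; has_policy = 0; next
        }
        title != "" && $1 == "kernel" {
            n = split($2, p, "/"); if (p[n] ~ /^xen/) is_xen = 1
        }
        title != "" && $1 == "module" {
            n = split($2, p, "/"); if (p[n] == bin) has_policy = 1
        }
        END {
            report()
            if (!found) { print "no Xen boot entry found"; exit 2 }
            exit (missing > 0)
        }
    ' "$1"
}

# Constructed sample grub.conf: one entry with the policy module, one without.
sample=$(mktemp)
cat > "$sample" <<'EOF'
title Xen with ACM policy
    kernel /boot/xen.gz dom0_mem=262144
    module /boot/vmlinuz-2.6-xen0 root=/dev/sda1 ro
    module /boot/chwall_ste.bin
title Xen without policy
    kernel /boot/xen.gz
    module /boot/vmlinuz-2.6-xen0 root=/dev/sda1 ro
title Plain Linux
    kernel /boot/vmlinuz-2.6.15 root=/dev/sda1 ro
EOF
check_acm_boot_entry "$sample" chwall_ste || echo "exit status: $?"
rm -f "$sample"
```

Run it against /boot/grub/grub.conf after "make boot_install"; pass chwall or ste as the second argument when only one of the two policies is installed.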