ia64/xen-unstable

view tools/security/install.txt @ 6946:e703abaf6e3d

Add behaviour to the remove methods to remove the transaction's path itself. This allows us to write Remove(path) to remove the specified path rather than having to slice the path ourselves.
author emellor@ewan
date Sun Sep 18 14:42:13 2005 +0100 (2005-09-18)
parents 3233e7ecfa9f
children 06d84bf87159
##
# install.txt <description to the xen access control architecture>
#
# Author:
# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
#
#
# This file shows how to activate and install the access control
# framework.
##

INSTALLING A SECURITY POLICY IN XEN
===================================

By default, the access control architecture is disabled in Xen. To
enable the access control architecture in Xen follow the steps below.
This description assumes that you want to install the Chinese Wall and
Simple Type Enforcement policy. Some file names need to be replaced
below to activate the Chinese Wall OR the Type Enforcement policy
exclusively (chwall_ste --> {chwall, ste}).

1. enable access control in Xen
       # cd "xen_root"
       # edit/xemacs/vi Config.mk

       change the line:
       ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY

       to:
       ACM_USE_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY

       # make all
       # ./install.sh

2. compile the policy from xml to a binary format that can be loaded
   into the hypervisor for enforcement
       # cd tools/security
       # make

       manual steps (alternative to make boot_install):
       #./secpol_xml2bin chwall_ste
       #cp policies/chwall_ste/chwall_ste.bin /boot
       #edit /boot/grub/grub.conf
        add the following line to your xen boot entry:
        "module chwall_ste.bin"

       alternatively, you can try our automatic translation and
       installation of the policy:
       # make boot_install

       [we try hard to do the right thing to the right boot entry but
        please verify boot entry in /boot/grub/grub.conf afterwards;
        your xen boot entry should have an additional module line
        specifying a chwall_ste.bin file with the correct directory
        (e.g. "/" or "/boot").]


3. reboot into the newly compiled hypervisor

       after boot
       #xm dmesg should show an entry about the policy being loaded
        during the boot process

       #tools/security/secpol_tool getpolicy
        should print the new chwall_ste binary policy representation
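
Step 2 asks you to verify the boot entry in /boot/grub/grub.conf after
"make boot_install". The shell function below is an added example, not part
of install.txt or the Xen tree. It assumes GRUB legacy syntax
(title/kernel/module lines) and treats an entry as a Xen entry when its kernel
line names a file containing "xen"; the function names and the sample config
are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Xen tree). Assumes GRUB legacy grub.conf syntax.
# check_policy_module GRUB_CONF [POLICY]   POLICY defaults to chwall_ste
# Returns 0 if every Xen entry has a "module <path>/POLICY.bin" line,
#         1 if at least one Xen entry lacks it, 2 if no Xen entry is found.
check_policy_module() {
    awk -v bin="${2:-chwall_ste}.bin" '
        function report() {              # close the entry collected so far
            if (title == "" || !is_xen) return
            found++
            if (has_policy) print "OK:      " title
            else { missing++; print "MISSING: " title }
        }
        /^[ \t]*#/ { next }              # ignore comment lines
        $1 == "title" { report(); title = $0; is_xen = 0; has_policy = 0; next }
        # Heuristic (assumption): a Xen entry boots the hypervisor as "kernel".
        $1 == "kernel" && $2 ~ /xen/ { is_xen = 1 }
        $1 == "module" {
            n = split($2, part, "/")     # accept "/", "/boot/" or no directory
            if (part[n] == bin) has_policy = 1
        }
        END { report(); if (!found) exit 2; if (missing) exit 1 }
    ' "$1"
}

# Constructed sample: one Xen entry with the policy module, one without.
sample_conf() {
    cat <<'EOF'
default 0
title Xen with policy
    root (hd0,0)
    kernel /xen.gz dom0_mem=262144
    module /vmlinuz-2.6-xen0 root=/dev/sda1 ro
    module /chwall_ste.bin
title Xen without policy
    root (hd0,0)
    kernel /xen.gz dom0_mem=262144
    module /vmlinuz-2.6-xen0 root=/dev/sda1 ro
# module /chwall_ste.bin
title Plain Linux
    kernel /vmlinuz-2.6 root=/dev/sda1 ro
EOF
}

# Demo on the sample; on a real system pass /boot/grub/grub.conf instead.
tmp=$(mktemp) && sample_conf > "$tmp"
check_policy_module "$tmp" || echo "exit status $?"
rm -f "$tmp"
```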