Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: xen 2.0 - adding selinux permissions
From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Wed, 24 Nov 2004 15:09:27 +0000
yes?
> As there is no real object for these okay, i must have misunderstood.
i envisage creating a xen_has_perm() and _that_ means adding
something to security/selinux/include/av_permissions.h
#define XEN_VM_CREATE 0x00000001UL
and creating a SECCLASS_XEN? /* Check whether a task is allowed to perform a xen virtual machine operation. */ int xen_has_perm(struct task_struct *tsk, u32 perms) { struct task_security_struct *tsec; tsec = tsk->security; return avc_has_perm(tsec->sid, tsec->sid, SECCLASS_XEN, perms, NULL, NULL); } what alternative to this approach is there? bearing in mind that the xen daemon (running in the xen master) offers access to the consoles of the guest operating systems. i _really_ want to be able to stop that access from happening, or at least control the circumstances under which access to the guest's consoles is allowed! at present, any program with access to port 8000 (on localhost or on the LAN depending on a config option) can start a guest OS, kill an existing one, access all consoles and start hacking away at the login prompt, that sort of thing... l. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 24 Nov 2004 - 09:58:50 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |