17.24.1. Removing a Domain Security Label
You can use xm to remove a domain security label:
xm rmlabel [domain-id] [configfile]
This removes the security label (the access_control entry) from the
configfile.
17.24.2. Creating a Resource Security Label
You can use xm to create a resource security label:
xm addlabel [labelname] res [resource] [policy]
17.24.3. Removing a Resource Security Label
You can use xm to remove a resource security label:
xm rmlabel res [resource]
This removes the entry for the resource from the global resource label file.
17.24.4. Configuring Access Control
Red Hat Virtualization access control consists of two major components. The
Access Control Policy (ACP) defines the access rules and the security labels.
The Access Control Module (ACM) interprets the policy and makes the access
control decisions when a domain requests access to a resource or asks to
communicate with another domain. The ACM determines access rights from the
domain's security label; the ACP defines the security labels and access rules
and assigns them to domains and resources. The ACP supports two kinds of label
management:
Label | Description
Simple Type Enforcement | The ACP interprets the labels and decides access requests between domains that require virtual (or physical) access to each other's resources. The security policy controls access between domains and assigns the proper label to each domain. By default, access between Simple Type Enforcement domains is not enabled: two domains can share a resource or communicate only when their labels have a type in common.
Chinese Wall | The Chinese Wall security policy controls which domains may run at the same time and responds to access requests from a domain accordingly: domains whose labels carry conflicting types cannot run concurrently on the same system.
Table 17.6. ACP Label Management
A policy name is a dot-separated list of names that translates into a local
path pointing to the policy XML file (relative to the global policy root
directory). For instance, the policy name chinese_wall.client_V1
pertains to the policy file
/example/chinese_wall.client_v1.xml.
Red Hat Virtualization includes these xm subcommands for managing security
policies and assigning labels to domains:
17.24.5. Creating a Policy
You can use xm to create a binary policy:
xm makepolicy [policy]
This compiles the policy XML into a binary policy and saves it as the file
[policy].bin, together with the corresponding [policy].map label mapping file.
17.24.6. Loading a Policy
You can use xm to load a binary policy:
xm loadpolicy [policy.bin]
17.24.7. Creating a Policy for Boot Configuration
You can use xm to make a binary policy and add it
to the boot configuration file:
xm cfgbootpolicy [policy] [kernelversion]
This copies the binary policy into the /boot directory and
modifies the corresponding entry in the /boot/grub/menu.lst
file so that the policy is loaded at boot.
17.24.8. Creating a Label
You can use xm to create a label:
xm addlabel [configfile] [label]
This adds a security label to a domain configfile. It also verifies that the
respective policy definition contains the given label name.
17.24.9. Displaying Policy Labels
You can use xm to view policy labels:
xm labels [policy] [type=dom | res | any]
This displays the labels of the specified type (the default is dom)
that are defined in the policy.
17.24.10. Displaying Domain Security Labels
You can use xm to view security labels for a
domain:
xm getlabel [domain-id] [configfile]
17.24.11. Displaying Resource Security Labels
You can use xm to view security labels for a
resource:
xm getlabel res [resource]
17.24.12. Configuring Access Control Security
To enable Red Hat Virtualization access control security, you must set these
parameters in the xen_source_dir/Config.mk file before building:
ACM_SECURITY ?= y
ACM_DEFAULT_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
17.24.13. Compiling a Security Policy
This example demonstrates how to successfully compile a security policy:
xm makepolicy chinesewall_ste.client_v1
This creates the client_v1.map and client_v1.bin
files in the
/etc/xen/acm-security/policies/example/chinesewall_ste directory.
17.24.14. Loading the Security Policy
You can use xm to activate
client_v1.bin:
xm loadpolicy example.chwall_ste.client_v1
17.24.15. Configuring a Boot Security Policy
You can use xm to configure the boot loader to load
client_v1.bin:
xm cfgbootpolicy chinesewall_ste.client_v1
This causes the ACM to use this policy when Red Hat Virtualization boots.
17.24.16. Displaying Security Labels
You can use xm to view the defined labels:
xm labels chinesewall_ste.client_v1 type=dom
The output lists every domain label (type dom) that the policy defines:
dom_StorageDomain
dom_SystemManagement
dom_NetworkDomain
dom_QandA
dom_R&D
17.24.17. Attaching a Security Label
You can use xm to attach a security label to a
domain configuration file (this example uses the
dom_SoftwareDev label):
xm addlabel myconfig.xm dom_SoftwareDev
Attaching the security label ensures that the domain does not share data with
user domains that do not carry the SoftwareDev label. In this example, the
myconfig.xm configuration file represents a domain that
runs workloads related to the SoftwareDev infrastructure.
Edit your respective configuration file and verify that the
addlabel command correctly added the
access_control entry (and its policy and label parameters) to the end
of the file:
kernel = "/boot/vmlinuz-2.6.16-xen"
ramdisk = "/boot/U1_SoftwareDev_ramdisk.img"
memory = 164
name = "SoftwareDev"
vif = [ '' ]
dhcp = "dhcp"
access_control = ['policy=example.chwall_ste.client_v1,label=dom_SoftwareDev']
If anything does not appear correct, make the necessary modifications and save
the file.
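The verification step above is done by eye in the guide. The following script is an added example, not part of the guide or of xm itself, that performs the same checks offline: it maps a dot-separated policy name to the binary policy that xm makepolicy writes (17.24.4 and 17.24.13), confirms that the .bin and .map files exist, and parses the access_control entry that xm addlabel appends to a domain configuration (17.24.17) to confirm that it names the intended policy and a label the policy defines. The label list and domain configuration it uses are constructed sample data (the dom label list from 17.24.16 extended with dom_SoftwareDev), and the layout example.chwall_ste.client_v1 -> <policy-root>/example/chwall_ste/client_v1.bin is an assumption taken from the naming convention described above.

```shell
#!/bin/sh
# Added example (not from the guide or xm): offline checks for the artifacts
# the xm security commands leave behind.
# Assumption: policy name example.chwall_ste.client_v1 is built to
# <policy-root>/example/chwall_ste/client_v1.bin and client_v1.map.

# policy_bin_path <root> <policy-name>
# Map the dot-separated policy name to the binary policy file.
policy_bin_path() {
    printf '%s/%s.bin\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# check_policy_built <root> <policy-name>
# Succeed only if both the .bin and the .map from xm makepolicy exist.
check_policy_built() {
    bin=$(policy_bin_path "$1" "$2")
    map="${bin%.bin}.map"
    [ -f "$bin" ] && [ -f "$map" ]
}

# check_access_control <configfile> <expected-policy> <labels-file>
# Parse the access_control line xm addlabel appends and verify that
# (1) it names the policy you intend to load and (2) its label is one the
# policy defines (labels-file = saved output of `xm labels <policy> type=dom`).
check_access_control() {
    cfg=$1; want_policy=$2; labels=$3
    if ! line=$(grep '^access_control' "$cfg"); then
        echo "no access_control entry in $cfg" >&2; return 1
    fi
    policy=$(printf '%s\n' "$line" | sed -n "s/.*policy=\([^],']*\).*/\1/p")
    label=$(printf '%s\n' "$line" | sed -n "s/.*label=\([^],']*\).*/\1/p")
    if [ "$policy" != "$want_policy" ]; then
        echo "policy mismatch: config has '$policy', expected '$want_policy'" >&2
        return 1
    fi
    if ! grep -Fxq -- "$label" "$labels"; then
        echo "label '$label' is not defined by policy $want_policy" >&2
        return 1
    fi
    echo "$cfg: policy=$policy label=$label OK"
}

# write_samples <dir>
# Constructed sample data (not real system output): the dom label list from
# the guide plus dom_SoftwareDev, a domain config as left by
# `xm addlabel myconfig.xm dom_SoftwareDev`, and stand-ins for the files
# `xm makepolicy example.chwall_ste.client_v1` would produce.
write_samples() {
    cat > "$1/labels.txt" <<'EOF'
dom_StorageDomain
dom_SystemManagement
dom_NetworkDomain
dom_QandA
dom_R&D
dom_SoftwareDev
EOF
    cat > "$1/myconfig.xm" <<'EOF'
kernel = "/boot/vmlinuz-2.6.16-xen"
ramdisk = "/boot/U1_SoftwareDev_ramdisk.img"
memory = 164
name = "SoftwareDev"
access_control = ['policy=example.chwall_ste.client_v1,label=dom_SoftwareDev']
EOF
    mkdir -p "$1/policies/example/chwall_ste"
    : > "$1/policies/example/chwall_ste/client_v1.bin"
    : > "$1/policies/example/chwall_ste/client_v1.map"
}

# run_demo: build the samples in a scratch directory and run both checks;
# a config labelled for a policy that was never built must be rejected.
run_demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    check_policy_built "$d/policies" example.chwall_ste.client_v1 || return 1
    check_access_control "$d/myconfig.xm" example.chwall_ste.client_v1 "$d/labels.txt" || return 1
    if check_access_control "$d/myconfig.xm" example.chwall_ste.client_v2 "$d/labels.txt" 2>/dev/null; then
        return 1
    fi
    rm -rf "$d"
}
```

On a real system, run check_policy_built against /etc/xen/acm-security/policies and check_access_control against the domain configuration you edited, with the labels file captured from xm labels; run_demo exercises the same functions on the constructed samples and exits non-zero if either check misbehaves.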