17.24. Security

17.24. Security

17.24. Security

17.24.1. Removing a Domain Security Label

You can use xm to remove a domain security label:

 
xm rmlabel [domain-id] [configfile] 

This removes the acm_policy label entry from the configfile.

17.24.2. Creating a Resource Security Label

You can use xm to create a resource security label:

 
xm addlabel [labelname] res [resource] [policy] 

17.24.3. Removing a Resource Security Label

You can use xm to remove a Resource Security label:

 
mx rmlabel [domain-id] res [resource] 

This removes the global resource file.

17.24.4. Configuring Access Control

Red Hat Virtualization access control consists of two major components. The Access Control Policy (ACP) defines access rules and security labels. When domains request access resources, to communicate The Access Control Module (ACM) interprets the policy and handles access control decisions. The ACM determines access rights from the domain security label. Then the ACP enables the security labels and access rules and assigns them to domains and resources. The ACP uses two different ways of label management:

Label Description

Simple Type Enforcement

The ACP interprets the labels and assigns access requests to domains that require virtual (or physical access). The security policy controls access between domains and assigns the proper labels to the respective domain. By default, access to domains with Simple Type Enforcement domains is not enabled.

Chinese Wall

The Chinese Wall security policy controls and responds to access requests from a domain.

Table 17.6. ACP Label Management

A policy is a separated list of names that translates into a local path and points to the policy XML file (relative to the global policy root directory). For instance, the domain file chinese_wall.client_V1 pertains to the the policy file /example/chinese_wall.client_v1.xml.

Red Hat Virtualization includes these parameters that allow you to manage security policies and assign labels to domains:

17.24.5. Creating a Policy

You can use xm to create a binary policy:

 
 xm makepolicy [policy]

This creates the binary policy and saves it as binary file [policy.bin].

17.24.6. Loading a Policy

You can use xm to load a binary policy:

 
xm loadpolicy [policy.bin] 

17.24.7. Creating a Policy for Boot Configuration

You can use xm to make a binary policy and add it to the boot configuration file:

 
xm cfgbootpolicy [kernelversion] 

This copies the binary policy into the /boot directory and modifies the corresponding line in the /boot/grub/menu.1st file.

17.24.8. Creating a Label

You can use xm to create a label:

 
xm addlabel [configfile] [policy]

Adds a security label with to a domain configfile. It also verifies that the respective policy definition matches the corresponding label name.

17.24.9. Displaying Policy Labels

You can use xm to view policy labels:

xm labels [policy] [type=dom | res | any] 

This displays labels of a type you specify (default is dom) that you define when you create the policy.

17.24.10. Displaying Domain Security Labels

You can use xm to view security labels for a domain:

 
xm getlabel domain-id [configfile] 

17.24.11. Displaying Resource Security Labels

You can use xm to view security labels for a resource:

 
xm getlabel res [resource] 

17.24.12. Configuring Access Control Secuirty

To enable the Red Hat Virtualization access security, you must modify these parameters in the xen_source__dir/Config.mk

ACM_SECURITY ?= y
ACM_DEFAULT_SECURITY_POLICY ? =
ACM_CHINESE_WALL__AND_SIMPLE_TYPE_ENFORCEMENT_POLICY

17.24.13. Compiling a Security Policy

This example demonstrates how to successfully compile a security policy:

 
xm makepolicy chinesewall_ste.client_v1 

This creates client_v1.map and client_v1.bin files in the /etc/xen/acm-security/policies/example/chinesewall_ste directory.

17.24.14. Loading the Security Policy

You can use xm to activates the client_v1.bin :

 
xm loadpolicy example.chwall_ste.client_v1 

17.24.15. Configuring a Boot Security Policy

You can use xm to configure the boot loader to load client_v1.bin :

 
xm cfgbootpolicy chinesewall_ste.client_v1 

This causes the ACM to use this label to boot Red Hat Virtualization.

17.24.16. Displaying Security Labels

You can use xm to view the defined labels:

xm labels  chinesewall_ste.client_v1 type=dom 

The output displays all policies with dom:

dom_StorageDomain
dom_SystemManagement
dom_NetworkDomain
dom_QandA
dom_R&D

17.24.17. Attaching a Security Label

You can use xm to attach a security label to a domain configuration file (this example uses the SoftwareDev label):

 
xm addlabel myconfig.xm dom_SoftwareDev 

Attaching the security label ensures that the domain does not share data with other non-SoftwareDev user domains. This example includes the myconfig.xm configuration file represents a domain that runs workloads related to the SoftwareDev's infrastructure.

Edit your respective configuration file and verify that the addlabel command correctly added the access_control entry (and associated parameters) to the end of the file:

kernel = "/boot/vmlinuz — 2.6.16 —xen"
ramdisk="/boot/U1_SoftwareDev_ramdisk.img"
memory = 164
name = "SoftwareDev"
vif = [ '' ]
dhcp = "dhcp"
access_control = [policy=example.chwall_ste.client_v1, label=dom_SoftwareDev]

If anything does not appear correct, make the necessary modifications and save the file.