xen-devel

[Xen-devel][FLASK][PATCH] sample flask policy

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel][FLASK][PATCH] sample flask policy
From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Date: Wed, 03 Sep 2008 19:07:38 -0400
- The patch includes a policy for xen that can be booted into enforcing mode
and supports creation and management of paravirtualized guests.  The policy
follows the dom0/domU usage model; extension to other models or the addition
of management or IO permissions should be much more straightforward now.
The option flask_enforcing=1 can be passed on the xen line in grub to boot
into enforcing mode.

- The policy provides a basic policy for booting the platform and creating a
domU with the label system_u:object_r:domU_t.  The policy can be easily
extended to support new types by modifying the xen.te source file.

- The policy includes some basic macros which may be helpful in extending
the policy.

- The policy is compatible with and requires the most recent XSM patch,
xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the SELinux
policy compiler, which may/may not be installed on all systems.  Users must
go into the tools/flask/policy directory and explicitly compile the policy.


Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>

Attachment: flask-policy-090308.diff
Description: Binary data
