
Re: [Xen-devel] [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands



On 01/04/2012 11:54 AM, Ian Campbell wrote:
> On Wed, 2012-01-04 at 16:49 +0000, Stefano Stabellini wrote:
>> On Wed, 4 Jan 2012, Daniel De Graaf wrote:
>>> The example policy doesn't really belong in docs because it needs to be
>>> compiled to be usable, and this depends on a number of other files (all
>>> files under tools/flask/policy/policy, to be exact). Compiling and
>>> installing FLASK policy during the normal build process (conditional on
>>> FLASK_ENABLE to avoid adding SELinux build tools to build dependencies?)
>>> would be the best solution. The policy must be installed to /boot, not
>>> /etc/xen, because the initial policy load happens prior to starting dom0.
>>
>> Like Ian said, I meant having the policy somewhere online where it can be
>> linked. However we only publish on xenbits what we have under docs ATM.
>> It is unfortunate that the policy needs FLASK_ENABLE to be compiled
>> because I am pretty sure that the automated build system that produces
>> the docs that end up online does not support that option right now.
> 
> Publishing the docs in this manner wouldn't require FLASK_ENABLE since
> it doesn't need any tools, just "cp". Unless I've totally got the wrong
> end of the stick and the policy needs processing before you can even
> usefully read it?
> 
> Ian.
> 

You can read the policy files as-is; the xen.te and xen.if files contain
most of what you would want to inspect. However, this is similar to reading
shell scripts or other source files, which is not what I would expect from
files copied into a docs folder.

There are some tools for searching and understanding SELinux policy such as
sesearch that work either on the binary policy file or on the macro-expanded
policy.conf. Building policy.conf only requires m4, which is already required
for bison as part of Xen's build process. This file is much less readable by
humans, however, since it is the output of macro expansion.

Also: the policy currently isn't built automatically even if FLASK_ENABLE=y;
this is something that I think should be changed although I will wait to post
a patch until we've decided what parts of the output should be used.

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
