
[Xen-devel][FLASK][PATCH] sample flask policy


  • To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
  • Date: Wed, 03 Sep 2008 19:07:38 -0400
  • Delivery-date: Wed, 03 Sep 2008 16:10:00 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AckOGdu3Gh82SHoNEd2qjwAWy5GONg==
  • Thread-topic: [Xen-devel][FLASK][PATCH] sample flask policy

- The patch includes a policy for xen that can be booted into enforcing mode
and supports creation and management of paravirtualized guests.  The policy
follows the dom0/domU usage model; extension to other models or the addition
of management or IO permissions should be much more straightforward now.
The option flask_enforcing=1 can be passed on the xen line in grub to boot
into enforcing mode.

- The policy provides a basic policy for booting the platform and creating a
domU with the label system_u:object_r:domU_t.  The policy can be easily
extended to support new types by modifying the xen.te source file.

- The policy includes some basic macros which may be helpful in extending
the policy.

- The policy is compatible with and requires the most recent XSM patch,
xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the SELinux
policy compiler, which may or may not be installed on all systems.  Users must
go into the tools/flask/policy directory and explicitly compile the policy.


Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>

Attachment: flask-policy-090308.diff
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

