
Re: [Xen-devel] [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands

On Wed, 2012-01-04 at 18:28 +0000, Daniel De Graaf wrote:
> On 01/04/2012 11:54 AM, Ian Campbell wrote:
> > On Wed, 2012-01-04 at 16:49 +0000, Stefano Stabellini wrote:
> >> On Wed, 4 Jan 2012, Daniel De Graaf wrote:
> >>> The example policy doesn't really belong in docs because it needs to be
> >>> compiled to be usable, and this depends on a number of other files (all
> >>> files under tools/flask/policy/policy, to be exact). Compiling and
> >>> installing FLASK policy during the normal build process (conditional on
> >>> FLASK_ENABLE to avoid adding SELinux build tools to build dependencies?)
> >>> would be the best solution. The policy must be installed to /boot, not
> >>> /etc/xen, because the initial policy load happens prior to starting dom0.
> >>
> >> Like Ian said, I meant having the policy somewhere online where can be
> >> linked. However we only publish on xenbits what we have under docs ATM.
> >> It is unfortunate that the policy needs FLASK_ENABLE to be compiled
> >> because I am pretty sure that the automated build system that produces
> >> the docs that end up online does not support that option right now.
> > 
> > Publishing the docs in this manner wouldn't require FLASK_ENABLE since
> > it doesn't need any tools, just "cp". Unless I've totally got the wrong
> > end of the stick and the policy needs processing before you can even
> > usefully read it?
> > 
> > Ian.
> > 
> You can read the policy files as-is; the xen.te and xen.if files contain
> most of what you would want to inspect. However, this is similar to reading
> shell scripts or other source files, which is not what I would expect from
> files copied into a docs folder.

In that case I think the best approach would be to reference the file
via the mercurial web interface e.g.

> There are some tools for searching and understanding SELinux policy such as
> sesearch that work either on the binary policy file or on the macro-expanded
> policy.conf. Building policy.conf only requires m4, which is already required
> for bison as part of Xen's build process. This file is much less readable by
> humans, however, since it is the output of macro expansion.

Doesn't sound like something that it would be useful to publish, but
does sound very useful if you've actually got the flask tools installed.

> Also: the policy currently isn't built automatically even if FLASK_ENABLE=y;
> this is something that I think should be changed although I will wait to post
> a patch until we've decided what parts of the output should be used.

It sounds like we don't need to use any parts but in any case we may as
well arrange for it to be built and worry about any docs usage of it


Xen-devel mailing list