
Re: [Xen-devel] [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands



On Thu, 5 Jan 2012, Ian Campbell wrote:
> On Wed, 2012-01-04 at 18:28 +0000, Daniel De Graaf wrote:
> > On 01/04/2012 11:54 AM, Ian Campbell wrote:
> > > On Wed, 2012-01-04 at 16:49 +0000, Stefano Stabellini wrote:
> > >> On Wed, 4 Jan 2012, Daniel De Graaf wrote:
> > >>> The example policy doesn't really belong in docs because it needs to be
> > >>> compiled to be usable, and this depends on a number of other files (all
> > >>> files under tools/flask/policy/policy, to be exact). Compiling and
> > >>> installing FLASK policy during the normal build process (conditional on
> > >>> FLASK_ENABLE to avoid adding SELinux build tools to build dependencies?)
> > >>> would be the best solution. The policy must be installed to /boot, not
> > >>> /etc/xen, because the initial policy load happens prior to starting 
> > >>> dom0.
> > >>
> > >> Like Ian said, I meant having the policy somewhere online where it can be
> > >> linked. However, we only publish on xenbits what we have under docs ATM.
> > >> It is unfortunate that the policy needs FLASK_ENABLE to be compiled
> > >> because I am pretty sure that the automated build system that produces
> > >> the docs that end up online does not support that option right now.
> > > 
> > > Publishing the docs in this manner wouldn't require FLASK_ENABLE since
> > > it doesn't need any tools, just "cp". Unless I've totally got the wrong
> > > end of the stick and the policy needs processing before you can even
> > > usefully read it?
> > > 
> > > Ian.
> > > 
> > 
> > You can read the policy files as-is; the xen.te and xen.if files contain
> > most of what you would want to inspect. However, this is similar to reading
> > shell scripts or other source files, which is not what I would expect from
> > files copied into a docs folder.
> 
> In that case I think the best approach would be to reference the file
> via the mercurial web interface, e.g.
> http://xenbits.xen.org/hg/xen-unstable.hg/file/tip/tools/flask/policy/policy/modules/xen/xen.te
> 
> > There are some tools for searching and understanding SELinux policy such as
> > sesearch that work either on the binary policy file or on the macro-expanded
> > policy.conf. Building policy.conf only requires m4, which is already required
> > for bison as part of Xen's build process. This file is much less readable by
> > humans, however, since it is the output of macro expansion.
> 
> Doesn't sound like something that it would be useful to publish, but
> does sound very useful if you've actually got the flask tools installed
> etc.
> 
> > Also: the policy currently isn't built automatically even if FLASK_ENABLE=y;
> > this is something that I think should be changed, although I will wait to post
> > a patch until we've decided what parts of the output should be used.
> 
> It sounds like we don't need to use any parts but in any case we may as
> well arrange for it to be built and worry about any docs usage of it
> later.

Yeah, if we build it when FLASK_ENABLE=y at least we could simplify the
"Xen XSM:FLASK policy" subchapter and we could say in the xl manpage
that the user should be able to find a ready to use policy named
"xenpolicy" under the /boot directory.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
