
Re: [Xen-devel] [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION



On 09/15/2014 09:27 AM, Wei Liu wrote:
> The original scheme is to use xenpolicy.$VERSION. Change it to
> xenpolicy-$VERSION This naming convention resembles the one used in
> Linux.

I believe the Linux naming convention for SELinux binary policy is still
/etc/selinux/$NAME/policy/policy.$VERSION; however, this naming decision
is distribution-specific and not overly important to Xen.

Xen does not use the Linux kernel policy revision numbers to provide
backwards compatibility - unlike Linux, the Xen policy is distributed with
the Xen kernel, and the hypervisor does not provide the ability to load
policies compiled for older or newer hypervisors (to be precise, it does not
allow policies with a different set of permissions).  The policy output
version number has stayed at 24 since the introduction of the FLASK security
server, and I would not expect this to change unless there is a reason to port
a new policy feature from SELinux.

> Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
> to Daniel:
>
> We plan to add in a new test case for XSM in OSSTest, which uses Grub to
> generate boot entry. The boot entry generation relies on a naming
> convention to look up files. In short, we need to agree on one naming
> convention, not necessarily the one I propose here (though I think it's
> quite sensible to follow the one Linux uses).
>
> It's important for us to reach an agreement before I can write any patch
> for upstream grub. Comments are welcome.

I agree this is a good idea.  I would propose using the Xen hypervisor version
number in order to support multiple hypervisor versions each paired with their
own security policy: xenpolicy-$(XEN_FULLVERSION); perhaps with symlinks as is
done with the hypervisor.  Wiring up the Makefile to produce this may be tricky,
since the Xen version is in xen/Makefile and not somewhere in tools/.

--
Daniel De Graaf
National Security Agency
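As an added example (not code from Xen, grub, or either poster), the naming scheme proposed above carried through in shell: a policy is installed as xenpolicy-$XEN_FULLVERSION with the same major.minor and major symlinks the hypervisor image gets (xen-4.5.0.gz <- xen-4.5.gz <- xen-4.gz), and a second function resolves a hypervisor image name back to the paired policy the way a boot-entry generator would, refusing a versionless xen.gz rather than guessing. The /boot-style directory, the version string 4.5.0 and the xen-$VERSION.gz image name are assumptions.

```shell
#!/bin/sh
# Added example, not Xen's, grub's or the posters' code. Directory layout,
# the 4.5.0 version and the xen-$VERSION.gz image name are assumptions.
set -e

# install_policy DIR FULLVERSION POLICYFILE
# Copies POLICYFILE to DIR/xenpolicy-FULLVERSION and adds the
# xenpolicy-MAJOR.MINOR and xenpolicy-MAJOR symlinks, mirroring the
# symlink chain used for the hypervisor image.
install_policy() {
    dir=$1; full=$2; src=$3
    major=${full%%.*}
    rest=${full#*.}
    minor=${rest%%.*}
    cp "$src" "$dir/xenpolicy-$full"
    # Skip the major.minor link when it would point at itself (e.g. "4.5").
    [ "$major.$minor" = "$full" ] || \
        ln -sf "xenpolicy-$full" "$dir/xenpolicy-$major.$minor"
    ln -sf "xenpolicy-$major.$minor" "$dir/xenpolicy-$major"
}

# policy_for_hypervisor DIR XENIMAGE
# Derives the version from the image name (xen-4.5.0.gz -> 4.5.0) and prints
# DIR/xenpolicy-VERSION if it exists. Returns 1 for a versionless xen.gz or
# when no policy for that exact version string is present: the hypervisor
# rejects a policy with a different permission set, so it is safer to emit
# no policy line than to pair the wrong one.
policy_for_hypervisor() {
    dir=$1; image=$2
    base=$(basename "$image")
    case $base in
        xen-*.gz) ;;
        *) return 1 ;;
    esac
    ver=${base#xen-}
    ver=${ver%.gz}
    pol="$dir/xenpolicy-$ver"
    [ -f "$pol" ] || return 1
    printf '%s\n' "$pol"
}

# Stand-alone demo in a scratch directory with a constructed policy file.
demo_dir=$(mktemp -d)
printf 'constructed dummy policy\n' > "$demo_dir/xenpolicy.src"
install_policy "$demo_dir" 4.5.0 "$demo_dir/xenpolicy.src"
for img in xen-4.5.0.gz xen-4.5.gz xen-4.gz xen.gz xen-4.4.1.gz; do
    if pol=$(policy_for_hypervisor "$demo_dir" "$demo_dir/$img"); then
        echo "$img -> $pol"
    else
        echo "$img -> no matching policy"
    fi
done
rm -rf "$demo_dir"
```

Because the lookup only strips the xen- prefix and .gz suffix, the policy file for a symlinked hypervisor name such as xen-4.5.gz is found through the matching xenpolicy-4.5 symlink, which is why the install side has to create the same chain.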

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel