
Re: [Xen-devel] [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION



On Mon, Sep 15, 2014 at 10:55:15AM -0400, Daniel De Graaf wrote:
> On 09/15/2014 09:27 AM, Wei Liu wrote:
> >The original scheme is to use xenpolicy.$VERSION. Change it to
> >xenpolicy-$VERSION. This naming convention resembles the one used in
> >Linux.
> 
> I believe the Linux naming convention for SELinux binary policy is still
> /etc/selinux/$NAME/policy/policy.$VERSION; however, this naming decision
> is distribution-specific and not overly important to Xen.
> 
> Xen does not use the Linux kernel policy revision numbers to provide
> backwards compatibility - unlike Linux, the Xen policy is distributed with
> the Xen kernel, and the hypervisor does not provide the ability to load
> policies compiled for older or newer hypervisors (to be precise, it does not
> allow policies with a different set of permissions).  The policy output
> version number has stayed at 24 since the introduction of the FLASK security
> server, and I would not expect this to change unless there is a reason to port
> a new policy feature from SELinux.
> 

I see. Thanks for clarifying this.

> >Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> >Cc: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> >---
> >to Daniel:
> >
> >We plan to add in a new test case for XSM in OSSTest, which uses Grub to
> >generate boot entry. The boot entry generation relies on a naming
> >convention to look up files. In short, we need to agree on one naming
> >convention, not necessarily the one I propose here (though I think it's
> >quite sensible to follow the one Linux uses).
> >
> >It's important for us to reach an agreement before I can write any patch
> >for upstream grub. Comments are welcome.
> 
> I agree this is a good idea.  I would propose using the Xen hypervisor version
> number in order to support multiple hypervisor versions each paired with their
> own security policy: xenpolicy-$(XEN_FULLVERSION); perhaps with symlinks as is
> done with the hypervisor.  Wiring up the Makefile to produce this may be tricky,
> since the Xen version is in xen/Makefile and not somewhere in tools/.
> 

xenpolicy-$(XEN_FULLVERSION) sounds plausible. I will look into this.

Wei.

> -- 
> Daniel De Graaf
> National Security Agency
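The lookup the thread is negotiating, as an added example that is not code from the thread, from Xen or from grub: a POSIX shell script that maps a hypervisor image in a boot directory to its policy under the proposed xenpolicy-$(XEN_FULLVERSION) convention, following the kind of version symlink Daniel mentions (xen-4.5.gz -> xen-4.5.0.gz) so the policy is matched against the full version, and emitting a grub-style entry. Because the hypervisor rejects a policy built for a different permission set, the script never falls back to a "nearest" policy; when no exactly matching xenpolicy-$VERSION file exists it emits an entry without a policy module so the mismatch is visible rather than silently wrong. The boot directory, file names and the menuentry layout are constructed for the demo and are assumptions, not what the eventual grub patch does.

```shell
#!/bin/sh
# Added example, not from the xen-devel thread or the Xen/grub trees.
# Demonstrates resolving xen-$VERSION[.gz] -> xenpolicy-$VERSION in a
# boot directory. All file names below are constructed for the demo.

# xen_version_of: strip the directory, the leading "xen-" and a trailing
# ".gz" from a hypervisor image path, leaving its version string.
xen_version_of() {
    name=$(basename "$1")
    name=${name#xen-}
    name=${name%.gz}
    printf '%s\n' "$name"
}

# policy_for_xen: print the policy path matching a hypervisor image, or
# print nothing and return 1 when no policy with exactly that version
# exists. A one-level symlink (xen-4.5.gz -> xen-4.5.0.gz) is resolved
# first so the policy is looked up by the full version, never by a
# shortened alias.
policy_for_xen() {
    img=$1
    bootdir=$(dirname "$img")
    if [ -L "$img" ]; then
        target=$(readlink "$img")          # readlink is not POSIX but ubiquitous
        case $target in
            /*) img=$target ;;
            *)  img=$bootdir/$target ;;
        esac
    fi
    ver=$(xen_version_of "$img")
    policy=$bootdir/xenpolicy-$ver
    [ -f "$policy" ] || return 1
    printf '%s\n' "$policy"
}

# grub_entry_for_xen: print a grub-style menuentry skeleton (assumed
# layout) for the image. The policy is added as a module only when an
# exact match was found; no nearest-version fallback is attempted, since
# the hypervisor refuses a policy compiled for another permission set.
grub_entry_for_xen() {
    img=$1
    ver=$(xen_version_of "$img")
    policy=$(policy_for_xen "$img") || policy=""
    printf "menuentry 'Xen %s' {\n" "$ver"
    printf '    multiboot %s\n' "$img"
    if [ -n "$policy" ]; then
        printf '    module %s\n' "$policy"
    fi
    printf '}\n'
}

# make_demo_bootdir: build a constructed boot directory holding two
# hypervisor versions, one version symlink, and a policy for only one
# of the two versions. Prints the directory path.
make_demo_bootdir() {
    d=$(mktemp -d)
    : > "$d/xen-4.5.0.gz"
    : > "$d/xen-4.4.1.gz"
    ln -s xen-4.5.0.gz "$d/xen-4.5.gz"
    : > "$d/xenpolicy-4.5.0"
    printf '%s\n' "$d"
}

# demo: generate an entry for every image in the constructed directory.
# The 4.5 alias picks up xenpolicy-4.5.0; 4.4.1 gets no module line.
demo() {
    d=$(make_demo_bootdir)
    for img in "$d"/xen-*.gz; do
        grub_entry_for_xen "$img"
    done
    rm -rf "$d"
}

demo
```

Running the script prints three entries: the 4.5.0 image and its 4.5 alias both carry a module line for xenpolicy-4.5.0, while 4.4.1, which has no policy in the directory, gets an entry with no module line at all. That asymmetry is the point of pairing on the full version: a packaging mistake shows up as a missing policy module rather than as the hypervisor rejecting a policy built for a different version at boot.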

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel