Re: [Xen-devel] [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled

[Wei Liu <wei.liu2@xxxxxxxxxx>]

On Fri, Oct 10, 2014 at 05:41:08PM +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in 
> seclabel if XSM is enabled"):
> > On Fri, Oct 10, 2014 at 05:01:57PM +0100, Ian Jackson wrote:
> > > Surely it is a bug that this is necessary ?  xl shuld do the right
> > > thing by default.
> > 
> > Well, xl is doing the right thing. Xen denies starting a guest without a
> > seclabel. I think this is policy related, so it shouldn't be classified
> > as a bug.
> 
> You haven't asked xl to `start a guest without a seclabel'.
> 
> You have asked xl to `start a guest'.
> 
> xl should do whatever is necessary to implement your wishes (assuming
> your wishes are reasonable, of course).

I agree. And it's reasonable for hypervisor to reject this request. I
think this is policy related.

> If guests have to have
> seclabels, xl should arrange to give them seclabels.  If you don't
> specify the seclabel, xl should figure out what seclabel to give them.
> 

I don't see it this way as there's no documentation on what the
"default seclabel" is.

I think this is one is for Daniel.

Wei.

> And most of this ought probably to be in libxl, probably, rather than
> xl.
> 
> Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel