From: Wei Liu <wei.liu2@citrix.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Wei Liu <wei.liu2@citrix.com>, xen-devel@lists.xen.org
Subject: Re: [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION
Date: Mon, 15 Sep 2014 16:02:38 +0100 [thread overview]
Message-ID: <20140915150238.GC8376@zion.uk.xensource.com> (raw)
In-Reply-To: <5416FDD3.6080308@tycho.nsa.gov>
On Mon, Sep 15, 2014 at 10:55:15AM -0400, Daniel De Graaf wrote:
> On 09/15/2014 09:27 AM, Wei Liu wrote:
> >The original scheme is to use xenpolicy.$VERSION. Change it to
> >xenpolicy-$VERSION This naming convention resembles the one used in
> >Linux.
>
> I belive the Linux naming convention for SELinux binary policy is still
> /etc/selinux/$NAME/policy/policy.$VERSION; however, this naming decision
> is distribution-specific and not overly important to Xen.
>
> Xen does not use the Linux kernel policy revision numbers to provide
> backwards comparability - unlike Linux, the Xen policy is distributed with
> the Xen kernel, and the hypervisor does not provide the ability to load
> policies compiled for older or newer hypervisors (to be precise, it does not
> allow policies with a different set of permissions). The policy output
> version number has stayed at 24 since the introduction of the FLASK security
> server, and I would not expect this to change unless there is a reason to port
> a new policy feature from SELinux.
>
I see. Thanks for clarifying this.
> >Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> >Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >---
> >to Daniel:
> >
> >We plan to add in a new test case for XSM in OSSTest, which uses Grub to
> >generate boot entry. The boot entry generation relies on a naming
> >convention to look up files. In short, we need to agree on one naming
> >convention, not necessary the one I propose here (though I think it's
> >quite sensible to follow the one Linux uses).
> >
> >It's important for us to reach an agreement before I can write any patch
> >for upstream grub. Comments are welcome.
>
> I agree this is a good idea. I would propose using the Xen hypervisor version
> number in order to support multiple hypervisor versions each paired with their
> own security policy: xenpolicy-$(XEN_FULLVERSION); perhaps with symlinks as is
> done with the hypervisor. Wiring up the Makefile to produce this may be tricky,
> since the Xen version is in xen/Makefile and not somewhere in tools/.
>
xenpolicy-$(XEN_FULLVERSION) sounds plausible. I will look into this.
Wei.
> --
> Daniel De Graaf
> National Security Agency
prev parent reply other threads:[~2014-09-15 15:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-15 13:27 [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION Wei Liu
2014-09-15 14:55 ` Daniel De Graaf
2014-09-15 15:02 ` Wei Liu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140915150238.GC8376@zion.uk.xensource.com \
--to=wei.liu2@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.