From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad@darnok.org>,
"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
"Keir (Xen.org)" <keir@xen.org>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: Re: [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands
Date: Wed, 04 Jan 2012 13:28:22 -0500
Message-ID: <4F049A46.5080104@tycho.nsa.gov>
In-Reply-To: <1325696094.25206.321.camel@zakaz.uk.xensource.com>
On 01/04/2012 11:54 AM, Ian Campbell wrote:
> On Wed, 2012-01-04 at 16:49 +0000, Stefano Stabellini wrote:
>> On Wed, 4 Jan 2012, Daniel De Graaf wrote:
>>> The example policy doesn't really belong in docs because it needs to be
>>> compiled to be usable, and this depends on a number of other files (all
>>> files under tools/flask/policy/policy, to be exact). Compiling and
>>> installing FLASK policy during the normal build process (conditional on
>>> FLASK_ENABLE to avoid adding SELinux build tools to build dependencies?)
>>> would be the best solution. The policy must be installed to /boot, not
>>> /etc/xen, because the initial policy load happens prior to starting dom0.
>>
>> Like Ian said, I meant having the policy somewhere online where it can be
>> linked. However we only publish on xenbits what we have under docs ATM.
>> It is unfortunate that the policy needs FLASK_ENABLE to be compiled
>> because I am pretty sure that the automated build system that produces
>> the docs that end up online does not support that option right now.
>
> Publishing the docs in this manner wouldn't require FLASK_ENABLE since
> it doesn't need any tools, just "cp". Unless I've totally got the wrong
> end of the stick and the policy needs processing before you can even
> usefully read it?
>
> Ian.
>
You can read the policy files as-is; the xen.te and xen.if files contain
most of what you would want to inspect. However, this is similar to reading
shell scripts or other source files, which is not what I would expect from
files copied into a docs folder.

There are some tools for searching and understanding SELinux policy such as
sesearch that work either on the binary policy file or on the macro-expanded
policy.conf. Building policy.conf only requires m4, which is already required
for bison as part of Xen's build process. This file is much less readable by
humans, however, since it is the output of macro expansion.

Also: the policy currently isn't built automatically even if FLASK_ENABLE=y;
this is something that I think should be changed although I will wait to post
a patch until we've decided what parts of the output should be used.
--
Daniel De Graaf
National Security Agency
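The message above notes that the macro-expanded policy.conf is hard to read and that sesearch is the usual way to query it. As an added illustration (not code from this thread or from Xen's own tools), the script below answers the sesearch-style question "what may source type S do to target type T?" over a constructed policy.conf fragment written in the FLASK allow-rule syntax; the type and permission names in the sample are assumptions, not copied from tools/flask/policy.

```python
"""Added example: a minimal reader for allow rules in a macro-expanded
FLASK policy.conf.  The sample policy text is constructed for this example;
its type and permission names are assumptions, not Xen's shipped policy."""
import re
from collections import defaultdict

# Constructed sample in SELinux/FLASK allow-rule syntax (assumed names).
SAMPLE_POLICY_CONF = """
allow dom0_t xen_t:xen { settime tbufcontrol readconsole };
allow dom0_t domU_t:domain { create max_vcpus destroy setvcpucontext };
allow domU_t dom0_t:event { send };
allow domU_t domU_t:grant { query setup };
allow dom0_t domU_t:domain { scheduler };
"""

# allow <source> <target>:<class> { perm ... }; or a single bare permission.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def parse_allow_rules(policy_text):
    """Return {(source, target, class): set(perms)}, merging repeated rules
    for the same triple the way the compiled policy would."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        rules[(src, tgt, cls)].update(perms.strip("{}").split())
    return rules


def search_allow(rules, source=None, target=None, tclass=None):
    """sesearch -A style filter; an argument left as None matches anything.
    Returns {(source, target, class): sorted permission list}."""
    out = {}
    for (s, t, c), perms in rules.items():
        if source in (None, s) and target in (None, t) and tclass in (None, c):
            out[(s, t, c)] = sorted(perms)
    return out


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_POLICY_CONF)
    # Everything dom0_t is allowed to do in the sample policy, one rule per line.
    for key, perms in sorted(search_allow(rules, source="dom0_t").items()):
        print("allow %s %s:%s { %s };" % (key + (" ".join(perms),)))
```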
Thread overview: 28+ messages
2011-12-13 20:38 [PATCH 0/8] New XSM hooks and updates Daniel De Graaf
2011-12-13 20:38 ` [PATCH 1/8] xsm/flask: Add missing unlock on error path Daniel De Graaf
2011-12-13 20:38 ` [PATCH 2/8] xsm/flask: report memory and IO ranges in audit messages Daniel De Graaf
2011-12-13 20:38 ` [PATCH 3/8] xsm: only log dummy override if not setting up dummy_xsm_ops Daniel De Graaf
2011-12-13 20:38 ` [PATCH 4/8] xsm: add remote_remap permission Daniel De Graaf
2011-12-13 20:38 ` [PATCH 5/8] xsm: Add missing access checks Daniel De Graaf
2011-12-13 20:38 ` [PATCH 6/8] xsm: fix up dummy ops Daniel De Graaf
2011-12-13 20:38 ` [PATCH 7/8] xsm: add checks on PCI configuration access Daniel De Graaf
2011-12-13 20:38 ` [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands Daniel De Graaf
2011-12-14 10:41 ` Ian Campbell
2011-12-15 16:46 ` Stefano Stabellini
2011-12-15 19:10 ` Daniel De Graaf
2011-12-15 20:56 ` Konrad Rzeszutek Wilk
2011-12-15 21:45 ` [PATCH] flask/policy: Update example policy Daniel De Graaf
2011-12-20 18:20 ` Ian Jackson
2011-12-15 21:57 ` [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands Daniel De Graaf
2012-01-04 10:47 ` Stefano Stabellini
2012-01-04 15:03 ` Daniel De Graaf
2012-01-04 15:05 ` [PATCH 1/2] docs: Update xsm-flask documentation Daniel De Graaf
2012-01-04 15:05 ` [PATCH 2/2] flask/policy: add missing manage_domain rules Daniel De Graaf
2012-01-10 16:05 ` [PATCH 1/2] docs: Update xsm-flask documentation Ian Jackson
2012-01-04 16:26 ` [PATCH 8/8] xl.pod.1: improve documentation of FLASK commands Ian Campbell
2012-01-04 16:49 ` Stefano Stabellini
2012-01-04 16:54 ` Ian Campbell
2012-01-04 18:28 ` Daniel De Graaf [this message]
2012-01-05 8:48 ` Ian Campbell
2012-01-05 11:19 ` Stefano Stabellini
2011-12-20 18:21 ` Ian Jackson