All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Wei Liu <wei.liu2@citrix.com>, xen-devel@lists.xen.org
Subject: Re: [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION
Date: Mon, 15 Sep 2014 10:55:15 -0400	[thread overview]
Message-ID: <5416FDD3.6080308@tycho.nsa.gov> (raw)
In-Reply-To: <1410787666-31276-1-git-send-email-wei.liu2@citrix.com>

On 09/15/2014 09:27 AM, Wei Liu wrote:
> The original scheme is to use xenpolicy.$VERSION. Change it to
> xenpolicy-$VERSION This naming convention resembles the one used in
> Linux.

I belive the Linux naming convention for SELinux binary policy is still
/etc/selinux/$NAME/policy/policy.$VERSION; however, this naming decision
is distribution-specific and not overly important to Xen.

Xen does not use the Linux kernel policy revision numbers to provide
backwards comparability - unlike Linux, the Xen policy is distributed with
the Xen kernel, and the hypervisor does not provide the ability to load
policies compiled for older or newer hypervisors (to be precise, it does not
allow policies with a different set of permissions).  The policy output
version number has stayed at 24 since the introduction of the FLASK security
server, and I would not expect this to change unless there is a reason to port
a new policy feature from SELinux.

> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
> to Daniel:
>
> We plan to add in a new test case for XSM in OSSTest, which uses Grub to
> generate boot entry. The boot entry generation relies on a naming
> convention to look up files. In short, we need to agree on one naming
> convention, not necessary the one I propose here (though I think it's
> quite sensible to follow the one Linux uses).
>
> It's important for us to reach an agreement before I can write any patch
> for upstream grub. Comments are welcome.

I agree this is a good idea.  I would propose using the Xen hypervisor version
number in order to support multiple hypervisor versions each paired with their
own security policy: xenpolicy-$(XEN_FULLVERSION); perhaps with symlinks as is
done with the hypervisor.  Wiring up the Makefile to produce this may be tricky,
since the Xen version is in xen/Makefile and not somewhere in tools/.

-- 
Daniel De Graaf
National Security Agency

  reply	other threads:[~2014-09-15 14:55 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-09-15 13:27 [PATCH RFC] flask/policy: use naming convention xenpolicy-$VERSION Wei Liu
2014-09-15 14:55 ` Daniel De Graaf [this message]
2014-09-15 15:02   ` Wei Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5416FDD3.6080308@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.