From: Ian Campbell <ian.campbell@citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: dgdegra@tycho.nsa.gov, Wei Liu <wei.liu2@citrix.com>,
xen-devel@lists.xen.org
Subject: Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled
Date: Tue, 14 Oct 2014 08:26:11 +0100
Message-ID: <1413271571.1497.5.camel@citrix.com>
In-Reply-To: <21560.5857.765851.730435@mariner.uk.xensource.com>

On Fri, 2014-10-10 at 18:26 +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled"):
> > On Fri, Oct 10, 2014 at 05:41:08PM +0100, Ian Jackson wrote:
> > > xl should do whatever is necessary to implement your wishes (assuming
> > > your wishes are reasonable, of course).
> >
> > I agree. And it's reasonable for hypervisor to reject this request. I
> > think this is policy related.
>
> Indeed, I have no objection to the hypervisor's policy setup.
>
> > > If guests have to have seclabels, xl should arrange to give them
> > > seclabels. If you don't specify the seclabel, xl should figure
> > > out what seclabel to give them.
> >
> > I don't see it this way as there's no documentation on what the
> > "default seclabel" is.
>
> Maybe it should be documented, or configurable.

It will have to be configurable since the user is at liberty to use
whatever policy they want, including writing their own from scratch, and
could give their domain labels any name they like, so there is no
universal sensible default. We could set a default relating to the
example policy which we ship but that is about all we can do.

There also needs to be an option to force the seclabel to be explicitly
specified for every domain, to allow people who have more complex setups
to not worry about some domain getting the default policy/permissions.

Ian.
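
The label resolution discussed in this message (an explicit seclabel, a configurable default, and a mode that forces every domain to carry an explicit label), sketched as an added example that is not part of the original message and not xl code. `default_label` and `require_explicit` are hypothetical settings, and the domain configs and label strings are constructed samples.

```python
import re

# xl.cfg-style assignment, e.g.: seclabel = "some_u:some_r:some_t"  # comment
_SECLABEL_RE = re.compile(r"""^\s*seclabel\s*=\s*(["'])(.*?)\1\s*(?:#.*)?$""")

class SeclabelRequired(Exception):
    """No usable label could be determined for the domain."""

def explicit_seclabel(cfg_text):
    """Return the seclabel assigned in a domain config, or None if absent."""
    label = None
    for line in cfg_text.splitlines():
        m = _SECLABEL_RE.match(line)        # commented-out lines never match
        if m and m.group(2):                # an empty string counts as absent
            label = m.group(2)              # this sketch keeps the last assignment
    return label

def resolve_seclabel(cfg_text, default_label=None, require_explicit=False):
    """Hypothetical resolution order: explicit label, then the site default."""
    label = explicit_seclabel(cfg_text)
    if label is not None:
        return label, "explicit"
    if require_explicit:
        # Complex setups: never let a domain silently pick up the default.
        raise SeclabelRequired("seclabel must be set explicitly")
    if default_label is None:
        raise SeclabelRequired("no seclabel and no default configured")
    return default_label, "default"

# Constructed sample configs (not taken from the thread).
CONSTRUCTED_CONFIGS = {
    "labelled": 'name = "guest1"\nseclabel = "system_u:system_r:domU_t"\n',
    "unlabelled": 'name = "guest2"\nmemory = 512\n',
    "commented": 'name = "guest3"\n# seclabel = "system_u:system_r:domU_t"\n',
}

def audit(configs, default_label=None, require_explicit=False):
    """Map each config name to (label, how) or (None, rejection reason)."""
    report = {}
    for name, text in sorted(configs.items()):
        try:
            report[name] = resolve_seclabel(text, default_label, require_explicit)
        except SeclabelRequired as exc:
            report[name] = (None, "rejected: %s" % exc)
    return report

if __name__ == "__main__":
    for name, result in audit(CONSTRUCTED_CONFIGS, "site_u:site_r:guest_t").items():
        print(name, result)
```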