
Re: [Xen-devel] Questions about the in-tree Flask policy

On Mon, Sep 22, 2014 at 04:23:01PM -0400, Daniel De Graaf wrote:
> > I tried to look at the policy file(s), only to find out that there's a
> > bunch of files that have an excessive amount of information. I'm certainly
> > not an XSM expert and have no intention to become one at the moment. :-)
> True, and you shouldn't have to be an expert to report errors (your current
> report was exactly what was needed to fix the policy).
> In the future, any AVC denied messages in the output when under normal test
> operation (i.e. not when a VM is misbehaving) should be treated as a bug in
> the XSM policy even when it doesn't cause real failures.  Usually, the answer

Cool, this is exactly what I needed to know. :-)

> is to add the permission to the proper part of the policy, and the denial
> will cause operations to break (like the above errors).  In some other cases,
> such as cacheflush, the process continues but was not able to perform an
> important operation.  If this is something that can be easily added to the
> test script as a failure condition, that would be helpful (but this is
> certainly not a prerequisite for adding the tests in the first place).

Off the top of my head I couldn't figure out a quick way to add in this
kind of failure condition. Let's leave it for the moment.


> -- 
> Daniel De Graaf
> National Security Agency
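
One way to turn the rule discussed above (any AVC denial during a normal test run is a policy bug) into a test failure condition, as an added example that is not part of the original thread or of the Xen test scripts. It assumes the hypervisor console log (for instance `xl dmesg` output) is piped in on stdin and that denials follow the `avc: denied { perm } for ... scontext= tcontext= tclass=` layout; the function names and sample log lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Assumed layout of a Flask denial line on the Xen console.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def find_denials(lines):
    """Count denials, keyed by (scontext, tcontext, tclass, permission)."""
    seen = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        # One message can list several permissions inside the braces.
        for perm in m.group("perms").split():
            key = (m.group("scontext"), m.group("tcontext"), m.group("tclass"), perm)
            seen[key] += 1
    return seen

def check_log(lines, out=sys.stderr):
    """Report each unique denial once; return 1 (fail) if any exist, else 0."""
    denials = find_denials(lines)
    for (src, tgt, cls, perm), n in sorted(denials.items()):
        print(f"AVC denial x{n}: {src} -> {tgt} : {cls} {{ {perm} }}", file=out)
    return 1 if denials else 0

# Constructed sample console output, not taken from a real test run.
SAMPLE_LOG = """\
(XEN) Flask: Starting in enforcing mode.
(XEN) avc:  denied  { cacheflush } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain2
(XEN) avc:  denied  { cacheflush } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain2
(XEN) avc:  denied  { setparam } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=hvm
""".splitlines()

if __name__ == "__main__":
    # Use piped input when present, otherwise fall back to the sample.
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.readlines()
    sys.exit(check_log(lines))
```

The non-zero exit status lets a test harness mark the run as failed even when the denied operation (such as cacheflush) did not break the guest visibly, and the deduplicated triples show which part of the policy needs the missing permission.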
