[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled

On Fri, Oct 10, 2014 at 05:41:08PM +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in 
> seclabel if XSM is enabled"):
> > On Fri, Oct 10, 2014 at 05:01:57PM +0100, Ian Jackson wrote:
> > > Surely it is a bug that this is necessary ?  xl shuld do the right
> > > thing by default.
> > 
> > Well, xl is doing the right thing. Xen denies starting a guest without a
> > seclabel. I think this is policy related, so it shouldn't be classified
> > as a bug.
> You haven't asked xl to `start a guest without a seclabel'.
> You have asked xl to `start a guest'.
> xl should do whatever is necessary to implement your wishes (assuming
> your wishes are reasonable, of course).

I agree. And it's reasonable for hypervisor to reject this request. I
think this is policy related.

> If guests have to have
> seclabels, xl should arrange to give them seclabels.  If you don't
> specify the seclabel, xl should figure out what seclabel to give them.

I don't see it this way as there's no documentation on what the
"default seclabel" is.

I think this is one is for Daniel.


> And most of this ought probably to be in libxl, probably, rather than
> xl.
> Ian.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.