[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled

On Fri, 2014-10-10 at 18:26 +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in 
> seclabel if XSM is enabled"):
> > On Fri, Oct 10, 2014 at 05:41:08PM +0100, Ian Jackson wrote:
> > > xl should do whatever is necessary to implement your wishes (assuming
> > > your wishes are reasonable, of course).
> > 
> > I agree. And it's reasonable for hypervisor to reject this request. I
> > think this is policy related.
> Indeed, I have no objection to the hypervisor's policy setup.
> > > If guests have to have seclabels, xl should arrange to give them
> > > seclabels.  If you don't specify the seclabel, xl should figure
> > > out what seclabel to give them.
> > 
> > I don't see it this way as there's no documentation on what the
> > "default seclabel" is.
> Maybe it should be documented, or configurable.

It will have to be configurable since the user is at liberty to use
whatever policy they want, including writing their own from scratch, and
could give their domain labels any name they like, so there is no
universal sensible default. We could set a default relating to the
example policy which we ship but that is about all we can do.

There also needs to be an option to force the seclabel to be explicitly
specified for every domain, to allow people who have more complex setups
to not worry about some domain getting the default policy/permissions.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.