
Re: [Xen-devel] [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled



On Fri, 2014-10-10 at 18:26 +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in 
> seclabel if XSM is enabled"):
> > On Fri, Oct 10, 2014 at 05:41:08PM +0100, Ian Jackson wrote:
> > > xl should do whatever is necessary to implement your wishes (assuming
> > > your wishes are reasonable, of course).
> > 
> > I agree. And it's reasonable for the hypervisor to reject this request. I
> > think this is policy related.
> 
> Indeed, I have no objection to the hypervisor's policy setup.
> 
> > > If guests have to have seclabels, xl should arrange to give them
> > > seclabels.  If you don't specify the seclabel, xl should figure
> > > out what seclabel to give them.
> > 
> > I don't see it this way as there's no documentation on what the
> > "default seclabel" is.
> 
> Maybe it should be documented, or configurable.

It will have to be configurable since the user is at liberty to use
whatever policy they want, including writing their own from scratch, and
could give their domain labels any name they like, so there is no
universal sensible default. We could set a default relating to the
example policy which we ship but that is about all we can do.

There also needs to be an option to force the seclabel to be explicitly
specified for every domain, to allow people who have more complex setups
to not worry about some domain getting the default policy/permissions.

Ian.


