
Re: [Xen-devel] [OSSTEST PATCH v2 11/12] ts-debian-install: add in seclabel if XSM is enabled



Ian Campbell writes ("Re: [OSSTEST PATCH v2 11/12] ts-debian-install: add in 
seclabel if XSM is enabled"):
> On Fri, 2014-10-10 at 18:26 +0100, Ian Jackson wrote:
> > Maybe it should be documented, or configurable.
> 
> It will have to be configurable since the user is at liberty to use
> whatever policy they want, including writing their own from scratch, and
> could give their domain labels any name they like, so there is no
> universal sensible default. We could set a default relating to the
> example policy which we ship but that is about all we can do.

Yes, indeed.

> There also needs to be an option to force the seclabel to be explicitly
> specified for every domain, to allow people who have more complex setups
> to not worry about some domain getting the default policy/permissions.

Indeed.  In the case where this forces creation failure it would be
nice to detect it a bit earlier than when the hypervisor says `no'.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

