Re: [Xen-devel] [PATCH] flask: change default state to enforcing

>>> On 11.03.16 at 16:39, <dgdegra@xxxxxxxxxxxxx> wrote:
> On 03/11/2016 04:07 AM, Jan Beulich wrote:
>>>>> On 10.03.16 at 19:30, <dgdegra@xxxxxxxxxxxxx> wrote:
>>> This change will cause the boot to fail if you do not specify an XSM
>>> policy during boot; if you need to load a policy from dom0, use the
>>> "flask=late" boot parameter.
>>
>> And what mode is the system in until that happens? From the
>> command line doc, I understand it would be in not-enforcing
>> mode, but that seems contrary to the code (already before
>> your change) setting flask_enforcing to 1 in that case.
>
> The FLASK code does not deny any actions until a policy has been loaded,
> so the flask_enforcing value only takes effect then. With flask=late,
> userspace code can also adjust the value (xl setenforce) before loading
> the policy.

So doesn't this leave the system again in an insecure state then?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel