Re: [Xen-devel] [PATCH 15/15] xsm: add a default policy to .init.data
On 6/9/16 11:53 AM, Daniel De Graaf wrote: > On 06/09/2016 12:15 PM, Jan Beulich wrote: >>>>> On 09.06.16 at 16:47, <dgdegra@xxxxxxxxxxxxx> wrote: >>> --- a/xen/common/Kconfig >>> +++ b/xen/common/Kconfig >>> @@ -132,6 +132,23 @@ config FLASK >>> >>> If unsure, say Y. >>> >>> +config XSM_POLICY >>> + bool "Compile Xen with a built-in security policy" >>> + default y >>> + depends on XSM >>> + ---help--- >>> + This includes a default XSM policy in the hypervisor so that the >>> + bootloader does not need to load a policy to get sane behavior >>> from an >>> + XSM-enabled hypervisor. If this is disabled, a policy must be >>> + provided by the bootloader or by Domain 0. Even if this is >>> enabled, a >>> + policy provided by the bootloader will override it. >>> + >>> + This requires that the SELinux policy compiler (checkpolicy) be >>> + available when compiling the hypervisor; if this tool is not >>> found, no >>> + policy will be added. >>> + >>> + If unsure, say Y. >>> + >>> config FLASK_AVC_STATS >>> def_bool y >>> depends on FLASK >> >> Placing this between FLASK and FLASK_AVC_STATS will break proper >> menuconfig representation of the latter afaict. >> >> Jan > > This option isn't visible in menuconfig. Should I make it visible? > I believe I actually had that as an outstanding question to you on the series that introduced that flag. -- Doug Goldstein Attachment:
signature.asc
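Review bot: In the XSM_POLICY help text, the sentence "if this tool is not found, no policy will be added" combined with `default y` means a build can carry XSM_POLICY=y in its configuration and still produce a hypervisor with no built-in policy, and nothing in the visible lines says the build reports that. Consider failing the build, or at least printing a warning, when the option is enabled and checkpolicy is missing, so the configuration matches what is actually in the image. Separately, the entry is placed after FLASK and requires the SELinux policy compiler but is declared `depends on XSM`; if the built-in policy is only meaningful with FLASK, `depends on FLASK` would state that, and moving the entry below FLASK_AVC_STATS would keep the FLASK-dependent entries adjacent to FLASK.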