view .hg-to-bk @ 18437:294fc8fc4ba0

xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into
enforcing mode and supports creation and management of
paravirtualized guests. The policy follows the dom0/domU usage
model, extension to other models or the addition of management or IO
permissions should be much more straightforward now. The option
flask_enforcing=1 can be passed on the xen line in grub to boot
into enforcing mode.

- The policy provides a basic policy for booting the platform and
creating a domU with the label system_u:object_r:domU_t. The policy
can be easily extended to support new types by modifying the xen.te
source file.

- The policy includes some basic macros which may be helpful in
extending the policy.

- The policy is compatible with and requires the most recent XSM
patch, xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the
SELinux policy compiler which may/may not be installed on all
systems. Users must go into the tools/flask/policy directory and
explicitly compile the policy.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Sep 04 11:26:25 2008 +0100 (2008-09-04)
parents f3123052268f
children c6c0f98bf7d3 ba107a7380bc
line source
1 #!/bin/sh
2 exit 0