xsm, flask: sample flask policy
author Keir Fraser <keir.fraser@citrix.com>
Thu, 4 Sep 2008 10:26:25 +0000 (11:26 +0100)
committer Keir Fraser <keir.fraser@citrix.com>
Thu, 4 Sep 2008 10:26:25 +0000 (11:26 +0100)
commit 3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8
tree 9ad863524d59aff303bf67434c3dec8b45bae7bc
parent aff2988ad524ed3835bd0c402f8ec25264db61ea
xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into
  enforcing mode and supports creation and management of
  paravirtualized guests.  The policy follows the dom0/domU usage
  model; extension to other models or the addition of management or IO
  permissions should be much more straightforward now. The option
  flask_enforcing=1 can be passed on the xen line in grub to boot
  into enforcing mode.

- The policy provides a basic policy for booting the platform and
  creating a domU with the label system_u:object_r:domU_t.  The policy
  can be easily extended to support new types by modifying the xen.te
  source file.

- The policy includes some basic macros which may be helpful in
  extending the policy.

- The policy is compatible with and requires the most recent XSM
  patch, xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the
  SELinux policy compiler which may/may not be installed on all
  systems.  Users must go into the tools/flask/policy directory and
  explicitly compile the policy.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
21 files changed:
tools/flask/policy/Makefile [new file with mode: 0644]
tools/flask/policy/Rules.modular [new file with mode: 0644]
tools/flask/policy/Rules.monolithic [new file with mode: 0644]
tools/flask/policy/policy/constraints [new file with mode: 0644]
tools/flask/policy/policy/flask/Makefile [new file with mode: 0644]
tools/flask/policy/policy/flask/access_vectors [new file with mode: 0644]
tools/flask/policy/policy/flask/initial_sids [new file with mode: 0644]
tools/flask/policy/policy/flask/mkaccess_vector.sh [new file with mode: 0644]
tools/flask/policy/policy/flask/mkflask.sh [new file with mode: 0644]
tools/flask/policy/policy/flask/security_classes [new file with mode: 0644]
tools/flask/policy/policy/global_booleans [new file with mode: 0644]
tools/flask/policy/policy/global_tunables [new file with mode: 0644]
tools/flask/policy/policy/mcs [new file with mode: 0644]
tools/flask/policy/policy/mls [new file with mode: 0644]
tools/flask/policy/policy/modules.conf [new file with mode: 0644]
tools/flask/policy/policy/modules/xen/xen.if [new file with mode: 0644]
tools/flask/policy/policy/modules/xen/xen.te [new file with mode: 0644]
tools/flask/policy/policy/support/loadable_module.spt [new file with mode: 0644]
tools/flask/policy/policy/support/misc_macros.spt [new file with mode: 0644]
tools/flask/policy/policy/systemuser [new file with mode: 0644]
tools/flask/policy/policy/users [new file with mode: 0644]