On Thu, 2015-05-14 at 12:58 +0100, Wei Liu wrote:
> On Thu, May 14, 2015 at 11:33:45AM +0100, Ian Campbell wrote:
> > system_u:system_r:domU_t is defined in the default policy and makes as
> > much sense as anything for a default.
> >
> > This change required moving the call to domain_create_info_setdefault
> > to be before the ssid_label is translated into ssidref, which also
> > moves it before some other stuff which consumes things from c_info,
> > which is correct since setdefault should always be called first. Apart
> > from the SSID handling there should be no functional change (since
> > setdefault doesn't actually act on anything which that other stuff
> > uses).
> >
> > There is no need to set exec_ssid_label since the default is to leave
> > the domain using the ssid_label after build.
> >
> > I haven't done anything with the device model ssid.
> >
> > Signed-off-by: Ian Campbell <ian.campb...@citrix.com>
> > Cc: Daniel De Graaf <dgde...@tycho.nsa.gov>
> > Cc: wei.l...@citrix.com
> > ---
> > docs/man/xl.cfg.pod.5 | 4 +++-
> > tools/libxl/libxl_create.c | 11 ++++++++---
> > 2 files changed, 11 insertions(+), 4 deletions(-)
> >
> > diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> > index 8e4154f..fcca1cc 100644
> > --- a/docs/man/xl.cfg.pod.5
> > +++ b/docs/man/xl.cfg.pod.5
> > @@ -437,7 +437,9 @@ UUID will be generated. > > > > =item B<seclabel="LABEL"> > > > > -Assign an XSM security label to this domain. > > +Assign an XSM security label to this domain. By default a domain is > > +assigned the label B<system_u:system_r:domU_t>, which is defined in > > +the default policy. > > > > =item B<init_seclabel="LABEL"> > >
> > diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
> > index f0da7dc..4dd2ec2 100644
> > --- a/tools/libxl/libxl_create.c
> > +++ b/tools/libxl/libxl_create.c
> > @@ -42,6 +42,11 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc, > > libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true); > > libxl_defbool_setdefault(&c_info->driver_domain, false); > > > > + if (!c_info->ssid_label) { > > + c_info->ssid_label = libxl__strdup(NOGC, > > "system_u:system_r:domU_t"); > > + LOG(INFO, "Using default ssid_label: %s", c_info->ssid_label);
> I don't think this is right. For one, the label you hardcoded here
> is defined in the policy we ship. It doesn't necessarily exist in the
> policy that is loaded by system admin.
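Review bot: in the xl.cfg.pod.5 hunk, the new sentence under B<seclabel="LABEL"> states the default unconditionally, but the label only has meaning when the hypervisor is running with XSM and the loaded policy actually defines system_u:system_r:domU_t, which the shipped policy does and a site-specific policy may not. Suggest qualifying it along the lines of "If XSM is enabled and no label is given, the domain is assigned B<system_u:system_r:domU_t>; a custom policy must define this label, or every domain must set B<seclabel> explicitly." It would also help to note here that B<init_seclabel> is unaffected, since the commit message says the domain keeps its ssid_label after build unless exec_ssid_label is set.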
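Review bot: in the libxl_create.c hunk, the default is applied unconditionally inside libxl__domain_create_info_setdefault with no check that XSM is active, so a hypervisor built without XSM still receives a label to translate, and a loaded policy that does not define domU_t will be handed a label it cannot resolve where an unlabelled domain would previously have been created. Suggest either defaulting only when XSM is enabled, or distinguishing failure to translate this implicit default (fall back to unlabelled) from failure to translate a user-supplied seclabel (an error). Two smaller points: the literal "system_u:system_r:domU_t" should be a named constant so the man page text and the code cannot drift apart, and LOG(INFO, "Using default ssid_label: %s", c_info->ssid_label); will fire on every domain creation, which reads more like a DEBUG message than INFO.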
Personally I think that's fine: you either use the default, or you make
sure your custom policy has a domU_t role (a very reasonable thing to
have), or you specify something custom for every domain.

> Another thing, as Julien said, is that this generates a warning in Xen
> that is not compiled with XSM support.
>
> By definition if you don't label a domain, it should be labeled as
> "unlabeled". We already do the right thing.

So how come osstest is failing? What should we do instead?

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel