On 03/11/2016 04:07 AM, Jan Beulich wrote:
> On 10.03.16 at 19:30, <dgde...@tycho.nsa.gov> wrote:
>> This change will cause the boot to fail if you do not specify an XSM
>> policy during boot; if you need to load a policy from dom0, use the
>> "flask=late" boot parameter.
>
> And what mode is the system in until that happens? From the
> command line doc, I understand it would be in not-enforcing
> mode, but that seems contrary to the code (already before
> your change) setting flask_enforcing to 1 in that case.

The FLASK code does not deny any actions until a policy has been loaded,
so the flask_enforcing value only takes effect then.  With flask=late,
userspace code can also adjust the value (xl setenforce) before loading
the policy.

--
Daniel De Graaf
National Security Agency
