On 03/09/2021 20:06, Daniel P. Smith wrote:
> On Linux when SELinux is put into permissive mode the discretionary access
> controls are still in place. Whereas for Xen when the enforcing state of flask
> is set to permissive, all operations for all domains would succeed, i.e. it
> does not fall back to the default access controls. To provide a means to mimic
> a similar but not equivalent behavior, a flask op is present to allow a
> one-time switch back to the default access controls, aka the "dummy policy".
>
> While this may be desirable for an OS, Xen is a hypervisor and should not allow
> the switching of which security policy framework is being enforced after boot.
> This patch removes the flask op to enforce the desired XSM usage model
> requiring a reboot of Xen to change the XSM policy module in use.
>
> Signed-off-by: Daniel P. Smith <dpsm...@apertussolutions.com>

Acked-by: Andrew Cooper <andrew.coop...@citrix.com>