On 06/09/2016 12:15 PM, Jan Beulich wrote:
On 09.06.16 at 16:47, <dgde...@tycho.nsa.gov> wrote:
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -132,6 +132,23 @@ config FLASK
If unsure, say Y.
+config XSM_POLICY
+ bool "Compile Xen with a built-in security policy"
+ default y
+ depends on XSM
+ ---help---
+ This includes a default XSM policy in the hypervisor so that the
+ bootloader does not need to load a policy to get sane behavior from an
+ XSM-enabled hypervisor. If this is disabled, a policy must be
+ provided by the bootloader or by Domain 0. Even if this is enabled, a
+ policy provided by the bootloader will override it.
+
+ This requires that the SELinux policy compiler (checkpolicy) be
+ available when compiling the hypervisor; if this tool is not found, no
+ policy will be added.
+
+ If unsure, say Y.
+
config FLASK_AVC_STATS
def_bool y
depends on FLASK
Placing this between FLASK and FLASK_AVC_STATS will break proper
menuconfig representation of the latter afaict.
Jan
This option isn't visible in menuconfig. Should I make it visible?
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
