On 6/9/16 11:53 AM, Daniel De Graaf wrote: > On 06/09/2016 12:15 PM, Jan Beulich wrote: >>>>> On 09.06.16 at 16:47, <dgde...@tycho.nsa.gov> wrote: >>> --- a/xen/common/Kconfig >>> +++ b/xen/common/Kconfig >>> @@ -132,6 +132,23 @@ config FLASK >>> >>> If unsure, say Y. >>> >>> +config XSM_POLICY >>> + bool "Compile Xen with a built-in security policy" >>> + default y >>> + depends on XSM >>> + ---help--- >>> + This includes a default XSM policy in the hypervisor so that the >>> + bootloader does not need to load a policy to get sane behavior >>> from an >>> + XSM-enabled hypervisor. If this is disabled, a policy must be >>> + provided by the bootloader or by Domain 0. Even if this is >>> enabled, a >>> + policy provided by the bootloader will override it. >>> + >>> + This requires that the SELinux policy compiler (checkpolicy) be >>> + available when compiling the hypervisor; if this tool is not >>> found, no >>> + policy will be added. >>> + >>> + If unsure, say Y. >>> + >>> config FLASK_AVC_STATS >>> def_bool y >>> depends on FLASK >> >> Placing this between FLASK and FLASK_AVC_STATS will break proper >> menuconfig representation of the latter afaict. >> >> Jan > > This option isn't visible in menuconfig. Should I make it visible? >
I believe I actually had that as an outstanding question to you on the series that introduced that flag. -- Doug Goldstein
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
