George Dunlap writes ("Re: Xen XSM/FLASK policy, grub defaults, etc."):
> The options proposed have included:Thanks for summarising! > 1. Making the tools not generate a FLASK policy unless FLASK is enabled in > the hypervisor being built. This is flaky because there’s no necessary > connection between the two builds. ... > Ultimately, I have the feeling that #1, although somewhat awkward, is going > to be the best solution: packagers can arrange that FLASK policies only be > installed when FLASK policies are created. People doing self-builds based on > distro packages will be covered; people doing home-grown self-builds with > non-default FLASK settings will need to take extra care to make sure the > tools do the right thing. For these home-grown self-builds, making `flask=enforcing' the default boot entry will make the resulting entry not boot. So ISTM that `flask=enforcing' cannot be in the default boot entry unless it's *known* that FLASK is enabled in the hypervisor. (Right now update-grub does not make the XSM entries the default, but clearly it would be better for it to do so if FLASK is enabled.) Adding the /boot/<xen>.config fallback to update-grub now risks accidentally going back to non-FLASK booting at some future point when the xen packager decides not to ship the .config any more... Ian.
