Applying custom XSM policies
Xen also allows administrators to build and use their own custom policy.
The default policy for Xen is available inside the tools/flask/policy directory within the Xen build directory. For instance, the policy rules for the dom0 guest are available inside modules/dom0.te.
Important note
Adjusting the Xen XSM policy is beyond the scope of this chapter. You will find instructions on how to create SELinux policies using the reference policy-style method in Chapter 15, Using the Reference Policy. The Xen XSM policy is based upon this style.
Building a custom policy is a matter of updating these files (make a backup before you do) and then rebuilding the policy itself:
$ make
The result of the policy build is a new xenpolicy-4.13.1 file. This file can be loaded directly using the xl loadpolicy command:
# xl loadpolicy /path/to/xenpolicy-4.13.1
This command is similar to the flask-loadpolicy command:
# flask-loadpolicy /path/to/xenpolicy...