[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] flask/policy: don't audit commandline / build_id queries
commit 1fb8dc56e7d5284f8006ded76f8452f18ad9b0d2 Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> AuthorDate: Fri May 6 12:03:28 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Fri May 6 12:03:28 2016 +0200 flask/policy: don't audit commandline / build_id queries Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Signed-off-by: Doug Goldstein <cardoe@xxxxxxxxxx> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx> Release-acked-by: Wei Liu <wei.liu2@xxxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bef33b0..0b1c955 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -155,6 +155,15 @@ allow domain_type xen_t:version { xen_changeset xen_pagesize xen_guest_handle }; +# These queries don't need auditing when denied. They can be +# encountered in normal operation by xl or by reading sysfs files in +# Linux, so without this they will show up in the logs. Since these +# operations return valid responses (like "denied"), hiding the denials +# should not break anything. +dontaudit domain_type xen_t:version { + xen_commandline xen_build_id +}; + ############################################################################### # # Domain creation -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |