|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH for-4.7] flask/policy: don't audit version queries
On Wed, May 04, 2016 at 01:20:46PM -0400, Daniel De Graaf wrote:
> Reported-by: Doug Goldstein <cardoe@xxxxxxxxxx>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Wait, why don't we give Doug a chance to respond about the
policy he is using. I am really not sure how we would deny
permission to these using the default policy.
Doug, can you confirm what/when you built the policy?
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..fed09a9 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,16 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# Version queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_extraversion xen_compile_info xen_capabilities xen_changeset
> + xen_pagesize xen_guest_handle xen_commandline xen_build_id
> +};
> +
>
> ###############################################################################
> #
> # Domain creation
> --
> 2.5.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |