|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH for-4.7] flask/policy: don't audit version queries
On 5/4/16 12:20 PM, Daniel De Graaf wrote:
> Reported-by: Doug Goldstein <cardoe@xxxxxxxxxx>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..fed09a9 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,16 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# Version queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_extraversion xen_compile_info xen_capabilities xen_changeset
> + xen_pagesize xen_guest_handle xen_commandline xen_build_id
> +};
> +
>
> ###############################################################################
> #
> # Domain creation
>
Daniel,
Locally I did:
dontaudit domain_type xen_t:version {
xen_commandline xen_build_id
};
and that made the denies disappear for running "xl devd".
--
Doug Goldstein
Attachment:
signature.asc _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |