[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] flask/policy: don't audit commandline / build_id queries



On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote:
> From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> 
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Signed-off-by: Doug Goldstein <cardoe@xxxxxxxxxx>

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
> ---
>  tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..0b1c955 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,15 @@ allow domain_type xen_t:version {
>      xen_changeset xen_pagesize xen_guest_handle
>  };
>  
> +# These queries don't need auditing when denied.  They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs.  Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> +    xen_commandline xen_build_id
> +};
> +
>  
> ###############################################################################
>  #
>  # Domain creation
> -- 
> 2.7.3
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.